Candidate: CVE-2021-20328
PublicDate: 2021-02-25 17:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20328
 https://jira.mongodb.org/browse/JAVA-4017
Description:
 Specific versions of the Java driver that support client-side field level
 encryption (CSFLE) fail to perform correct host name verification on the
 KMS server’s certificate. This vulnerability in combination with a
 privileged network position active MITM attack could result in interception
 of traffic between the Java driver and the KMS service rendering Field
 Level Encryption ineffective. This issue was discovered during internal
 testing and affects all versions of the Java driver that support CSFLE. The
 Java async, Scala, and reactive streams drivers are not impacted. This
 vulnerability does not impact driver traffic payloads with CSFLE-supported
 key services originating from applications residing inside the AWS, GCP,
 and Azure network fabrics due to compensating controls in these
 environments. This issue does not impact driver workloads that don’t use
 Field Level Encryption.
Ubuntu-Description:
Notes:
Mitigation:
Bugs:
Priority: low
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N [6.8 MEDIUM]


Patches_mongo-java-driver:
 upstream: https://github.com/mongodb/mongo-java-driver/commit/60d87d5a76645a331a77ccc45ef7c67aac88b234
upstream_mongo-java-driver: needs-triage
precise/esm_mongo-java-driver: DNE
trusty_mongo-java-driver: ignored (out of standard support)
trusty/esm_mongo-java-driver: DNE
xenial_mongo-java-driver: ignored (end of standard support, was needs-triage)
bionic_mongo-java-driver: needs-triage
focal_mongo-java-driver: needs-triage
groovy_mongo-java-driver: ignored (reached end-of-life)
hirsute_mongo-java-driver: ignored (reached end-of-life)
impish_mongo-java-driver: needs-triage
jammy_mongo-java-driver: needs-triage
devel_mongo-java-driver: needs-triage