When updates are applied to MongoDB software, any software components that have been replaced or made unnecessary must be removed.

An XCCDF Rule

Description

<VulnDiscussion>Previous versions of DBMS components that are not removed from the information system after updates have been installed may be exploited by adversaries. Some DBMSs' installation tools may remove older versions of software automatically from the information system. In other cases, manual review and removal will be required. In planning installations and upgrades, organizations must include steps (automated, manual, or both) to identify and remove the outdated modules. A transition period may be necessary when both the old and the new software are required. This should be taken into account in the planning.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-252182r879825_rule
Severity: Medium
References: CCI-002617
Updated: 9 months ago

If there is a finding, then MongoDB has not been installed via a package manager and may have been installed manually or not at all.

If MongoDB has not been installed via a package manager, verify that an organizational or site-specific document outlining the installation and upgrade procedures for software exists. Review this organizational or site-specific document to determine how and where MongoDB is to be installed on the system. Using this documentation, verify that MongoDB has been installed on the system prior to upgrading.

To verify the version of MongoDB Enterprise Server, run the following command in the directory where the MongoDB executable binary has been placed according to the organizational or site-specific documentation.
 cd %mongod binary directory%
 ./mongod --version

The output will show the version and architecture of the MongoDB Server binary similar to the following:

./mongod --version
db version v4.4.8
Build Info: {
    "version": "4.4.8",
    "gitVersion": "83b8bb8b6b325d8d8d3dfd2ad9f744bdad7d6ca0",
    "openSSLVersion": "OpenSSL 1.0.1e-fips 11 Feb 2013",
    "modules": [
        "enterprise"
    ],
    "allocator": "tcmalloc",
    "environment": {
        "distmod": "rhel70",
        "distarch": "x86_64",
        "target_arch": "x86_64"
    }
}

Verify that the version desired (what the upgraded version should be) matches what is shown the in output.

For example, if updated from MongoDB Enterprise Server v4.4.8 to v4.4.9, the output after the update would be similar to the above but the db version would reflect v4.4.9.

If the version is not what is expected, then remove the mongod binary from the system to prevent it from being used and consult the organizational or site-specific documents for further guidance.

Run the following commands as an operating system administrator to remove the MongoDB Enterprise Server binary from the system:

 cd mongod binary directory
 rm ./mongod

When updates are applied to MongoDB software, any software components that have been replaced or made unnecessary must be removed.

Description

Remediation - Manual Procedure