MongoDB Server
cpe:2.3:a:mongodb:mongodb:*:*:*:*:*:*:*
- >= 7.0, < 7.0.26
- >= 8.0, < 8.0.16
- >= 8.2, < 8.2.1
A vulnerability exists in MongoDB Server's time-series processing logic, specifically in versions 7.0 prior to 7.0.26, 8.0 prior to 8.0.16, and 8.2 prior to 8.2.1. The issue arises from inconsistent validation of object sizes in time-series data, which can allow oversized BSON documents to reach later processing stages. This can cause an assertion failure, leading to the termination of the process. While most writes are prevented from approaching the BSON size limit of 16MB, certain ordered time-series writes can exceed this limit, potentially crashing secondary nodes.
Exploitation of this vulnerability can cause a process termination, particularly affecting secondary nodes in a MongoDB replica set.
The vulnerability can be reproduced by performing ordered writes to a time-series collection that generate documents larger than 16MB. This can be done by inserting enough data to exceed the BSON size limit, which will trigger an assertion failure and crash the process.
Users can upgrade to MongoDB Server versions 7.0.26, 8.0.16, or 8.2.1 to address this vulnerability.
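Because the affected ranges are per release series (a patched 7.0 is fine while an older 8.0 is not), a plain "is it newer than X" check gets this wrong. The following is an added example, not part of the advisory or of MongoDB's own tooling: it encodes the three ranges and fix versions stated above and classifies version strings of the form `db.version()` returns on each node. The function names, the `AFFECTED_RANGES` table layout and the sample inventory are assumptions of this example; pre-release suffixes such as `-rc1` are treated as their base release, and series the advisory does not list (for example 8.1.x) are reported as not affected by this advisory rather than as safe in general.

```python
"""Check MongoDB Server version strings against the affected ranges in this advisory.

Added example, not part of the advisory. The ranges and fixed versions below are
copied from the advisory text; the parsing and function names are this example's own.
"""
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# (lower bound inclusive, upper bound exclusive, first fixed release), per the advisory.
# "7.0" in the advisory is read as 7.0.0, and likewise for 8.0 and 8.2.
AFFECTED_RANGES = [
    ((7, 0, 0), (7, 0, 26), "7.0.26"),
    ((8, 0, 0), (8, 0, 16), "8.0.16"),
    ((8, 2, 0), (8, 2, 1), "8.2.1"),
]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text: str) -> Version:
    """Parse 'major.minor[.patch][-suffix]' into a tuple of ints.

    A pre-release suffix such as '-rc1' is ignored, so '8.2.0-rc1' compares as
    8.2.0; a missing patch component is treated as 0. Raises ValueError on input
    that does not start with at least 'major.minor'.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or "0"))


def fixed_version_for(text: str) -> Optional[str]:
    """Return the release to upgrade to if `text` falls in an affected range.

    None means the version is not in any range this advisory lists; it does not
    assert anything about series the advisory is silent on.
    """
    v = parse_version(text)
    for lower, upper, fixed in AFFECTED_RANGES:
        if lower <= v < upper:  # tuple comparison is lexicographic (major, minor, patch)
            return fixed
    return None


def is_affected(text: str) -> bool:
    return fixed_version_for(text) is not None


def check_hosts(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each host whose version is affected to the release it should move to.

    `inventory` is {host: version}, e.g. collected by running db.version() on
    every member of a replica set (the secondaries are the nodes the advisory
    says can crash).
    """
    result: Dict[str, str] = {}
    for host, ver in inventory.items():
        fix = fixed_version_for(ver)
        if fix is not None:
            result[host] = fix
    return result


if __name__ == "__main__":
    # Constructed sample inventory for demonstration only.
    sample = {
        "rs0-primary": "8.0.15",
        "rs0-secondary-1": "8.0.16",
        "rs0-secondary-2": "7.0.25",
        "analytics": "8.2.0-rc1",
    }
    for host, fix in check_hosts(sample).items():
        print(f"{host}: affected, upgrade to {fix}")
```

Feed it the output of `db.version()` from each replica set member (or the `version` field of `buildInfo`) and it tells you exactly which nodes still need the patch release named in the remediation above.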