MongoDB Vulnerability Scanner Reports Multiple CVEs in FileCloud
Original Question or Issue:
A vulnerability scanner reported multiple MongoDB CVEs on a FileCloud server. The customer wanted to know:
- Is an updated MongoDB version available?
- Can MongoDB be upgraded independently of FileCloud?
Environment:
- Product - FileCloud Server
- Version - 23.261.2
- Platform - Windows, Linux
Steps to Reproduce:
- Run a vulnerability scan against a FileCloud server.
- Review the scan results.
- Observe that multiple MongoDB CVEs are reported against the bundled MongoDB version included with the current FileCloud installation.
Error or Log Message:
No FileCloud application error is generated.
The vulnerability scanner reports one or more MongoDB CVEs (for example, a specific MongoDB CVE affecting the bundled MongoDB version).
Defect or Enhancement Number:
Cause:
The reported vulnerabilities are associated with the bundled MongoDB version included in the installed FileCloud release. Since FileCloud bundles and validates a specific MongoDB version with each release, older FileCloud versions may include an earlier MongoDB release that is flagged by vulnerability scanners.
Resolution or Workaround:
Upgrade FileCloud to the latest available release. The latest FileCloud version includes an updated MongoDB package that addresses multiple MongoDB security vulnerabilities.
- Current FileCloud Version: 23.261.2.33071
- Bundled MongoDB Version: 7.0.32
- Latest FileCloud Release: 23.262
- Bundled MongoDB Version in 23.262: 8.0.23
Upgrading to FileCloud 23.262 updates the bundled MongoDB version and includes the corresponding MongoDB security fixes.
Notes:
Manual upgrades of only the MongoDB component are not recommended. The bundled MongoDB version is tested and validated with its corresponding FileCloud release to ensure compatibility, stability, and supportability. Upgrading MongoDB independently may result in unexpected behavior or an unsupported configuration.