Category: SecureChange

Bug in TOS if SecureChange is run in HA mode


Tufin points out a potential vulnerability in Tufin Orchestration Suite (TOS) when SecureChange is run as a cluster. In that setup MongoDB may expose a simple HTTP interface that can be reachable from external sources, which could disclose information to outside parties.


Only HA deployments running SecureChange R15-3 or higher are affected. Clusters running SecureTrack only are not affected, and neither are standalone installations of SecureChange. A fix will be included in R16-2 HF4, R16-3 GA and R16-4 RC1 and above. If you run an older version and are not able to upgrade, you will need to check the configuration of your HA installation of SecureChange.


To address this issue on an affected installation, edit the MongoDB configuration on each of the systems:

  1. Backup the original file /etc/mongod.conf
  2. Edit the file /etc/mongod.conf and add this option at the end of the file:
       nohttpinterface = true
  3. Save the file with your changes
  4. Restart the MongoDB service using
       # service mongod restart
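The four steps above, as an added example script that is not part of Tufin's advisory: it makes the backup, ensures the option is present exactly once (correcting an existing `nohttpinterface = false` instead of duplicating it), and leaves the restart as the final command. The file path and the `service mongod restart` command are taken from the advisory; the assumption that `/etc/mongod.conf` uses the legacy ini-style `key = value` format is the advisory's, since the option it names only exists in that format.

```shell
#!/bin/sh
# Added example (not Tufin's own script). Applies the advisory's mongod.conf
# change idempotently on an ini-style /etc/mongod.conf (assumed format).

# harden_mongod_conf FILE
# Backs FILE up to FILE.bak-<timestamp>, then ensures it contains exactly one
# "nohttpinterface = true" line. Prints "unchanged", "updated" or "added".
harden_mongod_conf() {
    conf="$1"
    [ -f "$conf" ] || { echo "no such file: $conf" >&2; return 1; }
    cp -p "$conf" "$conf.bak-$(date +%Y%m%d%H%M%S)" || return 1
    if grep -Eq '^[[:space:]]*nohttpinterface[[:space:]]*=[[:space:]]*true[[:space:]]*$' "$conf"; then
        echo unchanged
    elif grep -Eq '^[[:space:]]*nohttpinterface[[:space:]]*=' "$conf"; then
        # option present with another value: rewrite that line in place
        tmp="$conf.tmp.$$"
        sed -E 's/^[[:space:]]*nohttpinterface[[:space:]]*=.*$/nohttpinterface = true/' "$conf" > "$tmp" \
            && mv "$tmp" "$conf" || return 1
        echo updated
    else
        # make sure the file ends with a newline before appending the option
        [ -z "$(tail -c1 "$conf")" ] || printf '\n' >> "$conf"
        printf 'nohttpinterface = true\n' >> "$conf"
        echo added
    fi
}

# verify_mongod_conf FILE: succeeds only if the option is set to true
verify_mongod_conf() {
    grep -Eq '^[[:space:]]*nohttpinterface[[:space:]]*=[[:space:]]*true[[:space:]]*$' "$1"
}

# Run as root on every node of the SecureChange cluster (paths from the advisory):
#   harden_mongod_conf /etc/mongod.conf && verify_mongod_conf /etc/mongod.conf \
#       && service mongod restart
```

After the restart, confirm on each node that mongod no longer listens on its HTTP interface port. That port is not named in the advisory; as general MongoDB knowledge, the legacy HTTP interface listened 1000 above the bind port (28017 on a default install), so `ss -ltn` or `netstat -ltn` should show nothing on it once the option takes effect. On a MongoDB build that uses the newer YAML configuration file, the equivalent setting is `net.http.enabled: false`, and releases from MongoDB 3.6 onward no longer ship the HTTP interface at all.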

Tufin states that this change won't interfere with the performance, stability, or functionality of TOS.