From 8c2088dca28993a315e64425d4d417a149abce8b Mon Sep 17 00:00:00 2001
From: aptalca <541623+aptalca@users.noreply.github.com>
Date: Sun, 11 Aug 2024 12:02:28 -0400
Subject: [PATCH 1/3] add notice for unifi/mongodb

---
 content/issues/2024-08-11-unifi-auth.md | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
 create mode 100644 content/issues/2024-08-11-unifi-auth.md

diff --git a/content/issues/2024-08-11-unifi-auth.md b/content/issues/2024-08-11-unifi-auth.md
new file mode 100644
index 00000000..c1ebafdb
--- /dev/null
+++ b/content/issues/2024-08-11-unifi-auth.md
@@ -0,0 +1,15 @@
+---
+title: 'PSA Regarding Potential Misconfiguration of Unifi-Network-Application and MongoDB'
+date: '2024-08-11 23:00:00Z'
+informational: true
+affected:
+ - 'unifi-network-application'
+section: issue
+---
+We have recently been notified that if [Role Based Access Control (RBAC)](https://www.mongodb.com/docs/manual/core/authorization/#role-based-access-control) is not enabled in MongoDB, the official MongoDB container allows remote access to the db contents over port 27017 without credentials even though the official docs suggest that should only be possible when connecting from 127.0.0.1.
+
+The previous instructions for setting up MongodB we had provided in our [Unifi-Network-Application image readme](https://github.com/linuxserver/docker-unifi-network-application) set up MongoDB without [RBAC](https://www.mongodb.com/docs/manual/core/authorization/#role-based-access-control). If you set up the MongoDB container with the old instructions we had provided, **do not map or expose port 27017**. If you are currently not mapping the port in MongoDB and only allowing Unifi-Network-Application to access it over a dedicated user defined docker bridge network, you should be fine. The instructions did not contain the port mapping section.
+
+The MongoDB init instructions in our [Unifi-Network-Application image readme](https://github.com/linuxserver/docker-unifi-network-application) have been updated to enable [RBAC](https://www.mongodb.com/docs/manual/core/authorization/#role-based-access-control) to help prevent issues due to such misconfigurations in the future.
+
+If you need to map or expose the port because the containers run on different machines, or if you would like to enable auth/RBAC for another reason, we suggest creating new instances of both Unifi-Network-Application and MongoDB with the new instructions and restoring Unifi-Network-Application from a backup.
\ No newline at end of file
From ab17d9ff475cf242dca06155a711773a1063e58e Mon Sep 17 00:00:00 2001
From: aptalca <541623+aptalca@users.noreply.github.com>
Date: Sun, 11 Aug 2024 19:57:32 -0400
Subject: [PATCH 2/3] push date so the bot picks it up

---
 content/issues/2024-08-11-unifi-auth.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/content/issues/2024-08-11-unifi-auth.md b/content/issues/2024-08-11-unifi-auth.md
index c1ebafdb..78f83ec7 100644
--- a/content/issues/2024-08-11-unifi-auth.md
+++ b/content/issues/2024-08-11-unifi-auth.md
@@ -1,6 +1,6 @@
 ---
 title: 'PSA Regarding Potential Misconfiguration of Unifi-Network-Application and MongoDB'
-date: '2024-08-11 23:00:00Z'
+date: '2024-08-12 11:00:00Z'
 informational: true
 affected:
 - 'unifi-network-application'
From 9d8fd4b8adb7a3434d43067ee169e3790600d2df Mon Sep 17 00:00:00 2001
From: aptalca <541623+aptalca@users.noreply.github.com>
Date: Mon, 12 Aug 2024 10:23:18 -0400
Subject: [PATCH 3/3] third time's a charm

---
 content/issues/2024-08-11-unifi-auth.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/content/issues/2024-08-11-unifi-auth.md b/content/issues/2024-08-11-unifi-auth.md
index 78f83ec7..1b59f504 100644
--- a/content/issues/2024-08-11-unifi-auth.md
+++ b/content/issues/2024-08-11-unifi-auth.md
@@ -1,6 +1,6 @@
 ---
 title: 'PSA Regarding Potential Misconfiguration of Unifi-Network-Application and MongoDB'
-date: '2024-08-12 11:00:00Z'
+date: '2024-08-13 23:00:00Z'
 informational: true
 affected:
 - 'unifi-network-application'