Ce mail provient de l'extérieur, restons vigilants

=====================================================================

                            CERT-Renater

                Note d'Information No. 2026/VULN254
_____________________________________________________________________

DATE                : 04/03/2026

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running IBM Storage Defender Copy Data
           Management versions 2.2.0.0 up to and including 2.2.28.0.

=====================================================================
https://www.ibm.com/support/pages/node/7262486
_____________________________________________________________________


Security Bulletin: Vulnerabilities in MongoDB Server might affect
IBM Storage Defender Copy Data Management


Security Bulletin

Summary

IBM Storage Defender Copy Data Management can be affected by
vulnerabilities in Zlib which use by MongoDB server. Vulnerability
include mismatched length fields in Zlib compressed protocol
headers may allow a read of uninitialized heap memory by an
unauthenticated client as described by the CVEs in the
"Vulnerability Details" section.


Vulnerability Details

CVEID:   CVE-2025-14847
DESCRIPTION:   Mismatched length fields in Zlib compressed protocol
headers may allow a read of uninitialized heap memory by an
unauthenticated client. This issue affects all MongoDB Server v7.0
prior to 7.0.28 versions, MongoDB Server v8.0 versions prior to
8.0.17, MongoDB Server v8.2 versions prior to 8.2.3, MongoDB Server
v6.0 versions prior to 6.0.27, MongoDB Server v5.0 versions prior
to 5.0.32, MongoDB Server v4.4 versions prior to 4.4.30,
MongoDB Server v4.2 versions greater than or equal to 4.2.0,
MongoDB Server v4.0 versions greater than or equal to 4.0.0,
and MongoDB Server v3.6 versions greater than or equal to 3.6.0.
CWE:   CWE-130: Improper Handling of Length Parameter Inconsistency
CVSS Source:   cna@mongodb.com
CVSS Base score:   7.5
CVSS Vector:   (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)


Affected Products and Versions

Affected Product(s)	Version(s)
IBM Storage Defender Copy Data Management	2.2.0.0 - 2.2.28.0


Remediation/Fixes

None 


Workarounds and Mitigations

Security Advisory: Disabling zlib Compression in MongoDB Server

Overview

As part of our proactive security hardening measures, zlib
compression has been disabled on the MongoDB server configuration
through this security patch.

What is zlib Compression?

zlib is a data compression algorithm used by MongoDB to reduce the
size of data transmitted between clients and the database server.
While compression improves bandwidth efficiency, certain compression
mechanisms can introduce security risks under specific attack
scenarios.


Why Are We Disabling It?

Recent security research has identified that compression mechanisms
such as zlib may increase exposure to certain attack vectors, including:

    Compression-based side-channel attacks
    Potential information leakage during encrypted communications
    Increased attack surface in high-security environments

Disabling zlib compression reduces this risk by eliminating the
compression layer in database communication.


Security Benefit

By disabling zlib compression:

    The attack surface is reduced
    Risk of compression-related vulnerabilities is mitigated
    Secure configuration posture is strengthened
    Compliance with hardened security baselines is improved


Customer Impact

    No impact to data integrity or database functionality
    Slight increase in network bandwidth usage may be observed
    No application code changes are required


Recommended Action

No action is required from customers unless custom MongoDB
configurations explicitly enforce zlib compression.
Customers managing their own MongoDB instances should review
and align their configuration to disable zlib compression
where applicable.

Customers can follow the instruction in CDM support page
https://www.ibm.com/support/pages/node/7253217 to obtain
the Efix


Get Notified about Future Security Bulletins

Subscribe to My Notifications to be notified of important
product support alerts like this.


References

Complete CVSS v3 Guide
On-line Calculator v3


Related Information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog


Acknowledgement

Change History

04 Mar 2026: Initial Publication

*The CVSS Environment Score is customer environment specific
and will ultimately impact the Overall CVSS Score. Customers
can evaluate the impact of this vulnerability in their
environments by accessing the links in the Reference section
of this Security Bulletin.


Disclaimer

According to the Forum of Incident Response and Security Teams
(FIRST), the Common Vulnerability Scoring System (CVSS) is an
"industry open standard designed to convey vulnerability
severity and help to determine urgency and priority of
response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT
WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY
ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to
other efforts to address potential vulnerabilities, IBM
periodically updates the record of components contained in
our product offerings. As part of that effort, if IBM
identifies previously unidentified packages in a
product/service inventory, we address relevant
vulnerabilities regardless of CVE date. Inclusion of an
older CVEID does not demonstrate that the referenced product
has been used by IBM since that date, nor that IBM was aware
of a vulnerability as of that date. We are making clients
aware of relevant vulnerabilities as we become aware of
them. "Affected Products and Versions" referenced in IBM
Security Bulletins are intended to be only products and
versions that are supported by IBM and have not passed their
end-of-support or warranty date. Thus, failure to reference
unsupported or extended-support products and versions in
this Security Bulletin does not constitute a determination
by IBM that they are unaffected by the vulnerability.
Reference to one or more unsupported versions in this
Security Bulletin shall not create an obligation for IBM
to provide fixes for any unsupported or extended-support
products or versions.

=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================