
V-265951

CAT II (Medium)

When updates are applied to MongoDB software, any software components that have been replaced or made unnecessary must be removed.

Rule ID

SV-265951r1028639_rule

STIG

MongoDB Enterprise Advanced 7.x Security Technical Implementation Guide

Version

V1R1

CCIs

CCI-002617

Discussion

Previous versions of DBMS components that are not removed from the information system after updates have been installed may be exploited by adversaries. Some DBMSs' installation tools may remove older versions of software automatically from the information system. In other cases, manual review and removal will be required. In planning installations and upgrades, organizations must include steps (automated, manual, or both) to identify and remove the outdated modules. A transition period may be necessary when both the old and the new software are required. This should be taken into account in the planning.

Check Content

Run the following command and observe the output. This command determines whether MongoDB has been installed with a package manager (Red Hat) and displays the version that is currently installed:

> rpm -q mongodb-enterprise-server.x86_64
mongodb-enterprise-server-7.0.8-1.el8.x86_64

The output of the command above indicates that MongoDB Enterprise Server has been installed with a package manager. 

The preceding output is an example showing that MongoDB Enterprise Server version 7.0.8 is installed. The specific version will depend on the version actually installed. Upgrading MongoDB with the same package manager used for installation will overwrite or remove files as part of the upgrade process.

If MongoDB was installed with a package manager (YUM/RPM for Red Hat), this is not a finding.

Run the following command and observe the output.

> rpm -q mongodb-enterprise-server.x86_64
package mongodb-enterprise-server.x86_64 is not installed

The output of the command above indicates that MongoDB has not been installed via a package manager or may not have been installed at all.

If MongoDB has not been installed with a package manager (YUM/RPM for Red Hat), this is a finding.

Fix Text

It is recommended to use the official installation packages provided by MongoDB. In the event the software was installed manually and permissions need to be restricted, consider a clean reinstallation. 

Review the organizational or site-specific documentation to determine how and where MongoDB is to be installed on the system. Using this documentation, verify that MongoDB has been installed on the system prior to upgrading.

To verify the version of MongoDB Enterprise Server, run the following command in the directory where the MongoDB executable binary has been placed according to the organizational or site-specific documentation.

> cd <mongod binary directory>
> ./mongod --version

The output will show the version and architecture of the MongoDB Server binary similar to the following:

mongod --version
db version v7.0.8
Build Info: {
    "version": "7.0.8",
    "gitVersion": "c5d33e55ba38d98e2f48765ec4e55338d67a4a64",
    "openSSLVersion": "OpenSSL 1.1.1k  FIPS 25 Mar 2021",
    "modules": [
        "enterprise"
    ],
    "allocator": "tcmalloc",
    "environment": {
        "distmod": "rhel80",
        "distarch": "x86_64",
        "target_arch": "x86_64"
    }
}

Verify that the version desired (what the upgraded version should be) matches what is shown in the output.

If the version is not what is expected, then remove the mongod binary from the system to prevent it from being used and consult the organizational or site-specific documents for further guidance.

Run the following commands as an operating system administrator to remove the MongoDB Enterprise Server binary from the system:

> cd <mongod binary directory>
> rm ./mongod
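
The check and fix decisions above can be scripted. The following is an added example and not part of the STIG: it maps the `rpm -q` output to the check's verdict and compares the `db version` line of `mongod --version` with the expected version. The function names, the `manual_review` verdict, the `--run` switch and the `EXPECTED` and `MONGOD_DIR` parameters are assumptions of this example; it reports only and removes nothing.

```shell
#!/bin/sh
# Added example (not part of the STIG): automate the V-265951 decisions.
# PKG comes from the check text; EXPECTED and MONGOD_DIR are assumptions
# that the operator supplies from the site-specific documentation.
PKG="mongodb-enterprise-server.x86_64"

# Map the output of `rpm -q $PKG` to the verdict the Check Content gives.
classify_rpm_output() {
    case "$1" in
        *"is not installed"*)             echo "finding" ;;
        mongodb-enterprise-server-[0-9]*) echo "not_a_finding" ;;
        *)                                echo "manual_review" ;;  # empty or unexpected
    esac
}

# Pull the version number out of `mongod --version` output.
mongod_version() {
    printf '%s\n' "$1" | sed -n 's/^db version v\([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Succeeds only when the binary reports exactly the expected version.
version_matches() {
    [ -n "$2" ] && [ "$(mongod_version "$1")" = "$2" ]
}

# Live run: sh check.sh --run <expected version> <mongod binary directory>
if [ "${1:-}" = "--run" ]; then
    EXPECTED="$2"; MONGOD_DIR="$3"
    verdict=$(classify_rpm_output "$(rpm -q "$PKG" 2>&1)")
    echo "V-265951 package check: $verdict"
    # A manually placed binary is only examined when the package check fails.
    if [ "$verdict" != "not_a_finding" ] && [ -x "$MONGOD_DIR/mongod" ]; then
        if version_matches "$("$MONGOD_DIR/mongod" --version 2>&1)" "$EXPECTED"; then
            echo "mongod in $MONGOD_DIR reports expected version $EXPECTED"
        else
            echo "mongod in $MONGOD_DIR is not $EXPECTED: remove it per the Fix Text"
        fi
    fi
fi
```

Without `--run` the script only defines the functions, so they can be sourced into an existing compliance job and fed output collected elsewhere.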