
Security: Mongo DB vulnerability references CVE-2025-14847


Summary

The incident reported by MongoDB, referred to as MongoBleed, affects multiple versions of the Sage X3 components.

Resolution

  • Security Hotfixes for MongoDB 4.4.x, MongoDB 7.x and MongoDB 8.x are now available
  • To access these downloads, visit our Sage Knowledgebase Site HERE
    • Then scroll down to locate the appropriate patch level for your version
    • Look for Download depending on your version:
      • Sage X3 Mongo DB 8.0.17.4 (Security Hotfix Update)
      • Sage X3 Mongo DB 7.0.28.2 (Security Hotfix Update)
      • Sage X3 Mongo DB 4.4.30.3 (Security Hotfix Update)

NOTE:

Log in to your Sage Portal to access the Sage Knowledgebase. These downloads will replace the previous versions.

Workaround:

Disable zlib compression on the MongoDB Server as follows:

  • Start mongod or mongos with the networkMessageCompressors option (net.compression.compressors in the configuration file) and explicitly omit zlib

EXAMPLE:

Safe values to use in the mongodb.conf configuration file include snappy,zstd or disabled:

net:
   compression:
      compressors: snappy,zstd
or

net:
   compression:
      compressors: disabled

CAUTION:

Don't allow external network access to the Mongo DB. Keep it in a DMZ or internal configuration.

NOTE:

When adding the details for this workaround, indent with spaces (not tabs) in the config file; otherwise the services won't restart.
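
One way to check a configuration file against this workaround, as an added example (not Sage or MongoDB code). The function name audit_mongod_conf and the sample configs are constructed for illustration, and the parser handles block-style YAML only. A missing compressors setting is reported as zlib enabled, because MongoDB 4.2 and later default to snappy,zstd,zlib when the option is not set.

```python
import re

# Compressors in effect when the option is absent (MongoDB 4.2+ default).
DEFAULT_COMPRESSORS = "snappy,zstd,zlib"

def audit_mongod_conf(text):
    """Return a list of findings for the zlib workaround; an empty list means OK."""
    findings = []
    stack = []          # [(indent, key)] path of enclosing block-style YAML keys
    compressors = None  # value of net.compression.compressors, if present
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        lead = line[: len(line) - len(line.lstrip())]
        if "\t" in lead:                          # tabs stop the service starting
            findings.append(f"line {lineno}: tab in indentation (use spaces)")
            continue
        m = re.match(r"( *)([A-Za-z0-9_]+):\s*(.*)$", line)
        if not m:
            continue
        indent, key, value = len(m.group(1)), m.group(2), m.group(3)
        while stack and stack[-1][0] >= indent:   # leave deeper or sibling keys
            stack.pop()
        stack.append((indent, key))
        if [k for _, k in stack] == ["net", "compression", "compressors"]:
            compressors = value.strip("\"' ")
    effective = compressors if compressors is not None else DEFAULT_COMPRESSORS
    if "zlib" in [c.strip().lower() for c in effective.split(",")]:
        origin = "configured" if compressors is not None else "not set, default applies"
        findings.append(f"zlib compression enabled ({origin}): {effective}")
    return findings

# Constructed sample configurations (not taken from a real system).
SAFE = "net:\n   port: 27017\n   compression:\n      compressors: snappy,zstd\n"
DISABLED = "net:\n   compression:\n      compressors: disabled\n"
WEAK = "net:\n   compression:\n      compressors: snappy,zlib\n"
UNSET = "net:\n   port: 27017\n"
TABBED = "net:\n\tcompression:\n\t\tcompressors: disabled\n"

if __name__ == "__main__":
    for name in ("SAFE", "DISABLED", "WEAK", "UNSET", "TABBED"):
        print(name, audit_mongod_conf(globals()[name]) or "OK")
```
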