We have recently been notified that if Role Based Access Control (RBAC) is not enabled in MongoDB, the official MongoDB container allows remote access to the db contents over port 27017 without credentials even though the official docs suggest that should only be possible when connecting from 127.0.0.1.
The previous instructions for setting up MongodB we had provided in our Unifi-Network-Application image readme set up MongoDB without RBAC. If you set up the MongoDB container with the old instructions we had provided, do not map or expose port 27017. If you are currently not mapping the port in MongoDB and only allowing Unifi-Network-Application to access it over a dedicated user defined docker bridge network, you should be fine. The instructions did not contain the port mapping section.
The MongoDB init instructions in our Unifi-Network-Application image readme have been updated to enable RBAC to help prevent issues due to such misconfigurations in the future.
If you need to map or expose the port because the containers run on different machines, or if you would like to enable auth/RBAC for another reason, we suggest creating new instances of both Unifi-Network-Application and MongoDB with the new instructions and restoring Unifi-Network-Application from a backup.
Last updated: August 12, 2024 at 10:23 AM