OPNsense Security Audit

[wbennett]

Hello,

Ran a security on my OPNsense running the 25.7.5 and received the following:


"***GOT REQUEST TO AUDIT SECURITY***
Currently running OPNsense 25.7.5 (amd64) at Thu Oct  9 13:17:25 ADT 2025
Fetching vuln.xml.xz: .......... done
mongodb70-7.0.16_1 is vulnerable:
  MongoDB -- Running certain aggregation operations with the SBE engine may lead to unexpected behavior
  CVE: CVE-2025-6706
  WWW: https://vuxml.freebsd.org/freebsd/5e64770c-52aa-11f0-b522-b42e991fc52e.html

  MongoDB -- may be susceptible to privilege escalation due to $mergeCursors stage
  CVE: CVE-2025-6713
  WWW: https://vuxml.freebsd.org/freebsd/77dc1fc4-5bc5-11f0-834f-b42e991fc52e.html

  mongodb -- MongoDB may be susceptible to Invariant Failure in Transactions due Upsert Operation
  CVE: CVE-2025-10060
  WWW: https://vuxml.freebsd.org/freebsd/6d16b410-a2ca-11f0-8402-b42e991fc52e.html

  MongoDB -- Pre-authentication Denial of Service Stack Overflow Vulnerability in JSON Parsing via Excessive Recursion in MongoDB
  CVE: CVE-2025-6710
  WWW: https://vuxml.freebsd.org/freebsd/59ed4b19-52aa-11f0-b522-b42e991fc52e.html

  MongoDB -- Pre-Authentication Denial of Service Vulnerability in MongoDB Server's OIDC Authentication
  CVE: CVE-2025-6709
  WWW: https://vuxml.freebsd.org/freebsd/5b87eef6-52aa-11f0-b522-b42e991fc52e.html

  mongodb -- Malformed $group Query May Cause MongoDB Server to Crash
  CVE: CVE-2025-10061
  WWW: https://vuxml.freebsd.org/freebsd/a5395e02-a2ca-11f0-8402-b42e991fc52e.html

  MongoDB -- Race condition in privilege cache invalidation cycle
  CVE: CVE-2025-6707
  WWW: https://vuxml.freebsd.org/freebsd/5cd2bd2b-52aa-11f0-b522-b42e991fc52e.html

  MongoDB -- Incomplete Redaction of Sensitive Information in MongoDB Server Logs
  CVE: CVE-2025-6711
  WWW: https://vuxml.freebsd.org/freebsd/72ddee1f-5bc5-11f0-834f-b42e991fc52e.html

  MongoDB -- Incorrect Handling of incomplete data may prevent mongoS from Accepting New Connections
  CVE: CVE-2025-6714
  WWW: https://vuxml.freebsd.org/freebsd/79251dc8-5bc5-11f0-834f-b42e991fc52e.html

  mongodb -- MongoDB Server router will crash when incorrect lsid is set on a sharded query
  CVE: CVE-2025-10059
  WWW: https://vuxml.freebsd.org/freebsd/4329e3bd-a2ca-11f0-8402-b42e991fc52e.html

10 problem(s) in 1 installed package(s) found.
***DONE***

Anything to be concerned about?

[sy]

Hi,

Zenarmor stopped MongoDB support with version 2.1. Please switch your reporting DB to Elasticsearch or SQLite. You can switch it without uninstalling Zenarmor. Please refer to the folllowing link for the instructions.

https://www.zenarmor.com/docs/troubleshooting/reporting#how-do-i-reinstall-the-reporting-database

[Seimus]

Hello Sy,

I have ZA implementation that is still using Elastic 5 (5.6.16), the release notes for ZA 2.1 mention that the Elastic 5 is unsupported. Do I have to as well reinstall the DB to a newer Elastic major release?

Regards,
S.

[sy]

Hi @Seimus,

Yes, it will be better. Elasticsearch5 is EOL for long time ago and we were maintaining it. We have stopped as well. Please switch it to version 8.

[Seimus]

Hi @Seimus,

Yes, it will be better. Elasticsearch5 is EOL for long time ago and we were maintaining it. We have stopped as well. Please switch it to version 8.

Many thanks for the confirmation, I will schedule a maintenance and reinstall Elastic on v6 as per you guidance above.

Regards,
S.