Idk how proactive patching an exploited-in-the-wild unauth RCE is, but PR statements gonna PR, I guess.
>This [...] vuln is not a breach or compromise of MongoDB
IANAL, but this seems like a pretty strong stance to take? Who exactly are you blaming here?
>vulnerability was discovered internally
>detected the issue
Interesting choice of words. I wonder if their SIEM/SOC discovered a compromise, or if someone detected a tweet.
>December 12–14 – We worked continuously
It took 72 clock hours, presumably hundreds of man-hours, to fix a malloc use-after-free and a cstring null-termination bug? Maybe the user input field length part was a major design point??
>dec 12 "detect" the issue, dec 19 cve, dec 23 first post
Boy, this sure seems like a long time for a first communication for a guaranteed-compromise-if-internet-facing bug.
Not sure there's a security tool in the world that would stop data exfiltration via protocol error logs.
Reference: https://bigdata.2minutestreaming.com/p/mongobleed-explained-...
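The comment above names the bug class (a C string copied from a user-controlled field length without a guaranteed terminator) but the thread does not show the affected code. The block below is an added, generic illustration of that class and is not MongoDB's code or anything from the linked write-up: `copy_field_unterminated`, `copy_field_terminated`, `FIELD_MAX` and the `demo_*` helpers are all hypothetical names chosen here. It shows why a clamped-length copy that never writes `'\0'` turns any later `%s` log of the buffer into an over-read of adjacent memory, and the two-line fix (reject lengths that leave no room for the terminator, always write it, and log with a bounded precision).

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical fixed-size field buffer (constructed for this example). */
#define FIELD_MAX 16

/* Defective pattern: clamp the caller-supplied length to the buffer size,
 * copy, and never write a terminator. For len >= FIELD_MAX the buffer is
 * full of payload bytes and ends without '\0', so a later printf("%s", out)
 * keeps reading whatever lies after it in memory.
 * Returns 1 if a '\0' exists within the first FIELD_MAX bytes, else 0. */
int copy_field_unterminated(char out[FIELD_MAX], const char *in, size_t len) {
    if (len > FIELD_MAX) {
        len = FIELD_MAX;            /* clamp, but no room is left for '\0' */
    }
    memcpy(out, in, len);
    return memchr(out, '\0', FIELD_MAX) != NULL;
}

/* Hardened version: lengths that leave no room for the terminator are
 * rejected rather than clamped, and the terminator is always written.
 * Returns 0 on success, -1 when the field is too long for the buffer. */
int copy_field_terminated(char out[FIELD_MAX], const char *in, size_t len) {
    if (len >= FIELD_MAX) {
        return -1;
    }
    memcpy(out, in, len);
    out[len] = '\0';
    return 0;
}

/* Defensive logging: bound the read to the buffer size regardless of
 * whether a terminator is present, so a log line can never over-read. */
void log_field_bounded(const char out[FIELD_MAX]) {
    printf("field=\"%.*s\"\n", (int)FIELD_MAX, out);
}

/* Constructed inputs: a 16-byte field exactly fills the buffer. */
static const char k_full_field[] = "0123456789abcdef";   /* 16 bytes */
static const char k_short_field[] = "short";             /* 5 bytes  */

/* Returns 1 when the defective copy left the buffer unterminated. */
int demo_unterminated(void) {
    char buf[FIELD_MAX];
    memset(buf, 'A', sizeof buf);   /* make the pre-copy contents deterministic */
    return copy_field_unterminated(buf, k_full_field, 16) == 0;
}

/* Returns 1 when the hardened copy rejects the oversize field. */
int demo_terminated_rejects_full(void) {
    char buf[FIELD_MAX];
    return copy_field_terminated(buf, k_full_field, 16) == -1;
}

/* Returns 1 when the hardened copy accepts a fitting field and terminates it. */
int demo_terminated_accepts_short(void) {
    char buf[FIELD_MAX];
    memset(buf, 'A', sizeof buf);
    if (copy_field_terminated(buf, k_short_field, 5) != 0) {
        return 0;
    }
    return strcmp(buf, k_short_field) == 0;
}

int main(void) {
    char buf[FIELD_MAX];
    memset(buf, 'A', sizeof buf);
    copy_field_unterminated(buf, k_full_field, 16);
    log_field_bounded(buf);   /* safe to log even though buf is unterminated */
    printf("unterminated=%d reject_full=%d accept_short=%d\n",
           demo_unterminated(), demo_terminated_rejects_full(),
           demo_terminated_accepts_short());
    return 0;
}
```

The defensive point is the one the comment implies: no perimeter tool sees the difference between a legitimate protocol error log and one that happens to carry the bytes following an unterminated buffer, so the fix has to be in the copy and in how the buffer is formatted, not downstream.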