
Steps to Mitigate CVE-2025-14847 (MongoDB critical vulnerability) by disabling zlib Network Compression

Issue

By default, zlib network compression is enabled in MongoDB, although the NetWitness Platform does not use it. Current versions of NetWitness (12.5.1.3 and below) use MongoDB versions in which zlib compression can be exploited, as outlined in https://nvd.nist.gov/vuln/detail/CVE-2025-14847 . Later releases of the MongoDB package address this flaw; in the meantime, this Knowledge Base article provides steps to disable the zlib network compression method across the NetWitness Platform.


Cause

MongoDB versions below 5.0.32


Workaround

Apply the numbered steps below to the Admin-Server/NW-NODE-ZERO first.

  1. Take a backup of /etc/mongod.conf
    cp /etc/mongod.conf /etc/mongod.conf.bak

  2. Edit the file:
    vi /etc/mongod.conf

  3. Find this entry in /etc/mongod.conf:
    allowInvalidHostnames: true

  4. Add this entry below it:
    compression:
      compressors: snappy

    The entry will look like this once added (note, spacing is VERY important, so it must look exactly like this, otherwise mongod will not start; compression: sits at the same indentation as tls:, and compressors: one level deeper):
    net:
      bindIp: 0.0.0.0
      port: 27017
      tls:
        mode: preferTLS
        certificateKeyFile: /etc/pki/nw/mongo/mongod-combined.pem
        CAFile: /etc/pki/nw/trust/truststore.pem
        disabledProtocols: TLS1_0,TLS1_1
        allowConnectionsWithoutCertificates: true
        allowInvalidCertificates: false
        allowInvalidHostnames: true
      compression:
        compressors: snappy

  5. Save the file

  6.  Reload the systemctl daemon
    systemctl daemon-reload
     
  7. Restart mongod 
    systemctl restart mongod
     
  8. Login to mongo and verify compression is only showing the "snappy" option:
    [root@NEW-NW11-NW-NODE-ZERO ~]# mongo admin -u deploy_admin
    MongoDB shell version v5.0.26
    connecting to: mongodb://127.0.0.1:27017/admin?compressors=disabled&gssapiServiceName=mongodb
    Implicit session: session { "id" : UUID("a1929787-241c-43e4-a94a-4a7920f7611d") }
    MongoDB server version: 5.0.26
    ================
    Warning: the "mongo" shell has been superseded by "mongosh",
    which delivers improved usability and compatibility.The "mongo" shell has been deprecated and will be removed in
    an upcoming release.
    For installation instructions, see
    https://docs.mongodb.com/mongodb-shell/install/
    ================
    > db.serverStatus().network.compression
    {
        "snappy" : {
            "compressor" : {
                "bytesIn" : NumberLong(0),
                "bytesOut" : NumberLong(0)
            },
            "decompressor" : {
                "bytesIn" : NumberLong(0),
                "bytesOut" : NumberLong(0)
            }
        }
    }
     
  9. Repeat these steps on all correlation servers, Endpoint Servers (both dedicated and hybrid), UEBA, and Analyst UI. Follow these steps to ensure services are stopped and started in the correct order:

Event Stream Analysis (ESA) servers:

    • systemctl stop rsa-nw-correlation-server
    • As outlined in detail above, back up and edit /etc/mongod.conf, add the new entries, and save the file
    • systemctl daemon-reload
    • systemctl restart mongod
    • Verify by connecting to mongo and querying the network compression status as outlined above.
    • systemctl start rsa-nw-correlation-server

Endpoint Servers (Hybrids and Dedicated):

    • systemctl stop rsa-nw-endpoint-server
    • As outlined in detail above, back up and edit /etc/mongod.conf, add the new entries, and save the file
    • systemctl daemon-reload
    • systemctl restart mongod
    • Verify by connecting to mongo and querying the network compression status as outlined above.
    • systemctl start rsa-nw-endpoint-server

User & Entity Behavioral Analytics (UEBA) servers:

    • systemctl stop rsa-nw-ueba-server
    • As outlined in detail above, back up and edit /etc/mongod.conf, add the new entries, and save the file
    • systemctl daemon-reload
    • systemctl restart mongod
    • Verify by connecting to mongo and querying the network compression status as outlined above.
    • systemctl start rsa-nw-ueba-server

Analyst UI servers:

    • As outlined in detail above, back up and edit /etc/mongod.conf, add the new entries, and save the file
    • systemctl daemon-reload
    • systemctl restart mongod
    • Verify by connecting to mongo and querying the network compression status as outlined above.
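
The backup and edit in steps 1 to 5, written as a repeatable shell routine so every node in step 9 receives the same change. This is an added example, not NetWitness-supplied code; the function names and the shortened sample file are assumptions. It takes the indentation from the file's own tls: block and assumes allowInvalidHostnames is the last key under tls:, as in the article.

```shell
#!/bin/sh
# Added example, not NetWitness code; function names are hypothetical.

# Print net.compression.compressors, or nothing when the key is absent.
get_compressors() {
  awk '
    /^[A-Za-z]/ { in_net = ($0 ~ /^net:/); in_comp = 0; next }
    in_net && /^ +compression: *$/ { in_comp = 1; next }
    in_comp && /^ +compressors:/ { sub(/^ +compressors: */, ""); print; exit }
    in_comp { in_comp = 0 }
  ' "$1"
}

# True while zlib can be negotiated: key absent (the article states zlib is
# enabled by default) or zlib named in the list.
zlib_enabled() {
  c=$(get_compressors "$1" | tr -d ' "')
  [ -z "$c" ] && return 0
  case ",$c," in *,zlib,*) return 0 ;; *) return 1 ;; esac
}

# Steps 1-5: back up, then add the entry below allowInvalidHostnames using the
# file's own indentation. Assumes that key is the last one under tls:.
disable_zlib() {
  conf=$1
  zlib_enabled "$conf" || return 0                 # already restricted
  [ -z "$(get_compressors "$conf")" ] || return 2  # explicit list with zlib: edit by hand
  cp -p "$conf" "$conf.bak" || return 1
  awk '
    /^ +tls: *$/ { match($0, /^ +/); parent = substr($0, 1, RLENGTH) }
    { print }
    !done && parent != "" && /^ +allowInvalidHostnames:/ {
      match($0, /^ +/); child = substr($0, 1, RLENGTH)
      print parent "compression:"; print child "compressors: snappy"; done = 1 }
    END { exit !done }
  ' "$conf.bak" > "$conf.new" && cat "$conf.new" > "$conf"
  rc=$?; rm -f "$conf.new"; return "$rc"
}

# Constructed sample: the article's net block, shortened, before the change.
sample_conf() {
  printf '%s\n' 'net:' '  bindIp: 0.0.0.0' '  port: 27017' '  tls:' \
    '    mode: preferTLS' '    allowInvalidHostnames: true' > "$1"
}

# Demo on a scratch copy; on a node the argument would be /etc/mongod.conf.
demo=$(mktemp) && sample_conf "$demo" && disable_zlib "$demo" && cat "$demo"
rm -f "$demo" "$demo.bak"
```

The routine only edits the file; the daemon reload, mongod restart and serverStatus check from steps 6 to 8 still follow. Exit status 2 means a compressors list naming zlib already exists and needs a manual edit.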

Resolution

Upgrade to NetWitness Version 12.5.2 or later. If that is not possible, follow the steps in the Workaround section to disable MongoDB's zlib network compression.


Notes

CVE-2025-14847 Details:


Product Details

NetWitness Product Set: NetWitness Logs & Network
NetWitness Product/Service Type: Admin Server/Node-Zero, Correlation/ESA, Endpoint, UEBA
NetWitness Version/Condition: 12.4+
Platform: AlmaLinux, MongoDB


Summary

In late 2025, a vulnerability in MongoDB versions below 5.0.32 was identified as CVE-2025-14847, with details published on https://nvd.nist.gov/vuln/detail/CVE-2025-14847 . Current and past versions of NetWitness use earlier, vulnerable versions of MongoDB (5.0.26 in the current released version, 12.5.1.3) and are therefore affected. A patched version of MongoDB (5.0.32) will be included in 12.5.2 and above. In the meantime, for customers on 12.5.1.3 and earlier, the steps in this article outline how to disable the vulnerable aspect of MongoDB, which is zlib network compression.

