Thank you very much Bernd, that has explained everything I wanted to know perfectly.
Nicer way of getting the version in there as well; I had to dig through the log files to find it, but that is much quicker.
Original Message:
Sent: Tue January 06, 2026 03:04 PM
From: Bernd Siebert
Subject: PAW - MongoDB Vulnerability
1)
We did open the IBM support ticket TS021098257 "Which current release of PAW is not impacted by the mongobleed security vulnerability?", asking IBM how the mongobleed security vulnerability impacts PAW.
IBM replied, quote:
"Our Development team has completed the assessment of CVE-2025-14847 for Planning Analytics. The product is NOT Affected; Planning Analytics Workspace is not vulnerable as the mongo server is only enabled for private network access. In keeping with IBM process, we will be updating the version of Mongo in the next releases of Planning Analytics Local - 2.1.17."
2)
The root cause of the mongobleed security vulnerability is the zlib message compressor.
Among the workarounds proposed by the vendor to address this issue is to either disable all message compressors or enable only the other non-impacted message compressors like snappy.
How to apply said workaround to PAW:
- Stop PAW using the script
./scripts/paw.ps1 stop
- Make a backup copy of the PAW configuration file
<PAW_INSTALL_DIR>/services/mongo/docker-compose.yml
- Using a text-editor edit the PAW configuration file
<PAW_INSTALL_DIR>/services/mongo/docker-compose.yml
and add the line
command: ["mongod", "--networkMessageCompressors", "disabled"]
- Start PAW using the script
./scripts/paw.ps1
Please note that indentation, as in proper spacing using a specific number of space characters, makes or breaks the YML file. Typically each level is indented by 2 characters.
For instance:
version: '2.1'
services:
  mongo:
    image: ${MONGO_IMAGE}
    container_name: mongo
    restart: always
    environment:
      - MONGO_PASSWORD_FILE=C:\share\db_secret.key
    volumes:
      - ${MONGO_LOG_DIR}:C:\log\
      - ${SecretKeyDir}:C:\share\
      - mongo.1:C:\data\db\
    #
    # deactivate all message compressors including zlib
    #
    command: ["mongod", "--networkMessageCompressors", "disabled"]
volumes:
  mongo.1:
3)
How to get the version of MongoDB used by your version of PAW:
- First, get the container ID of the MongoDB container using the command line
docker ps -a
or
podman ps -a
- Execute the command line
docker exec -it <MongoDB Container ID> mongod --version
or
podman exec -it <MongoDB Container ID> mongod --version
For instance Version 2.1.14 of PAW for Linux ships with Version 7.0.23 of MongoDB:
[root@tm1-prod-web ~]# podman exec -it fd21d8a38e9c mongod --version
db version v7.0.23
Build Info: {
    "version": "7.0.23",
    "gitVersion": "78d6d71385be23831b5971993af60bcafed785bc",
    "openSSLVersion": "OpenSSL 1.1.1k 25 Mar 2021",
    "modules": [],
    "allocator": "tcmalloc",
    "environment": {
        "distmod": "rhel80",
        "distarch": "x86_64",
        "target_arch": "x86_64"
    }
}
[root@tm1-prod-web ~]#
Regards
------------------------------
Bernd Siebert
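An added helper for verifying the two points Bernd describes (the compressor workaround in docker-compose.yml and the version reported by mongod --version); this is example code written for this thread, not from IBM or the PAW product. It assumes the 7.0.28 fixed version quoted earlier in the thread and, as an assumption from MongoDB documentation rather than the thread, that mongod defaults to snappy,zstd,zlib when --networkMessageCompressors is not set.

```python
import json
import re

# Fixed release for the 7.0 server line, as quoted in the thread.
FIXED_7_0 = (7, 0, 28)
# mongod default compressor list when the flag is absent (assumption from
# MongoDB documentation; not stated in the thread).
DEFAULT_COMPRESSORS = ["snappy", "zstd", "zlib"]

def parse_mongod_version(output):
    """Return (major, minor, patch) from `mongod --version` output.

    Prefers the JSON 'Build Info' block, falls back to 'db version vX.Y.Z'.
    """
    start, end = output.find("{"), output.rfind("}")
    if start != -1 and end > start:
        try:
            info = json.loads(output[start:end + 1])
            return tuple(int(p) for p in info["version"].split("."))
        except (ValueError, KeyError):
            pass
    m = re.search(r"db version v(\d+)\.(\d+)\.(\d+)", output)
    if not m:
        raise ValueError("no version found in mongod --version output")
    return tuple(int(g) for g in m.groups())

def version_is_patched(version, fixed=FIXED_7_0):
    """True when a server on the same release line is at or above the fix."""
    if version[:2] != fixed[:2]:
        raise ValueError("fixed version applies to a different release line")
    return version >= fixed

def compressor_exposure(command):
    """Classify a compose `command:` array: 'disabled', 'zlib-free' or 'zlib-enabled'."""
    compressors = DEFAULT_COMPRESSORS
    for i, arg in enumerate(command or []):
        if arg == "--networkMessageCompressors" and i + 1 < len(command):
            compressors = command[i + 1].split(",")
        elif arg.startswith("--networkMessageCompressors="):
            compressors = arg.split("=", 1)[1].split(",")
    if compressors == ["disabled"]:
        return "disabled"
    return "zlib-enabled" if "zlib" in compressors else "zlib-free"

# Constructed sample, trimmed from the output quoted earlier in the thread.
SAMPLE_OUTPUT = 'db version v7.0.23\nBuild Info: {\n    "version": "7.0.23",\n    "modules": []\n}\n'

if __name__ == "__main__":
    v = parse_mongod_version(SAMPLE_OUTPUT)
    print(".".join(map(str, v)), "patched:", version_is_patched(v))
    print(compressor_exposure(["mongod", "--networkMessageCompressors", "disabled"]))
```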
Original Message:
Sent: Tue January 06, 2026 09:23 AM
From: Declan Rodger
Subject: PAW - MongoDB Vulnerability
Hi,
There is a recent known vulnerability within MongoDB, CVE-2025-14847, that is starting to flag up for clients within the Workspace container.
My understanding is that this is likely a limited risk vulnerability within workspace due to MongoDB primarily being used to store report definitions etc rather than company data itself.
That being said we are wondering whether this will be addressed in the upcoming releases?
It's not obvious which version of MongoDB is being used in different releases but looking at the logs it would appear that 2.1.16 is running MongoDB 7.0.22.
The vulnerability recommends upgrading to 7.0.28 (for server v7)
Thanks,
Declan
------------------------------
Declan Rodger
Technical Director
Spitfire Analytics
Manchester
------------------------------