Security Bulletin: IBM Sterling Transformation Extender is affected by MongoBleed security vulnerability

Summary

IBM Sterling Transformation Extender uses MongoDB and is affected by the MongoBleed security vulnerability (CVE-2025-14847).

Vulnerability Details

CVEID:   CVE-2025-14847
DESCRIPTION:   Mismatched length fields in Zlib compressed protocol headers may allow a read of uninitialized heap memory by an unauthenticated client. This issue affects all MongoDB Server v7.0 prior to 7.0.28 versions, MongoDB Server v8.0 versions prior to 8.0.17, MongoDB Server v8.2 versions prior to 8.2.3, MongoDB Server v6.0 versions prior to 6.0.27, MongoDB Server v5.0 versions prior to 5.0.32, MongoDB Server v4.4 versions prior to 4.4.30, MongoDB Server v4.2 versions greater than or equal to 4.2.0, MongoDB Server v4.0 versions greater than or equal to 4.0.0, and MongoDB Server v3.6 versions greater than or equal to 3.6.0.
CWE:   CWE-130: Improper Handling of Length Parameter Inconsistency
CVSS Source:   cna@mongodb.com
CVSS Base score:   7.5
CVSS Vector:   (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

Affected Products and Versions

Affected Product(s)                    Version(s)
IBM Sterling Transformation Extender   10.1.0.2, 10.1.1.1, 10.1.2.1, 11.0.0.0, 11.0.1.1, 11.0.2.0

Remediation/Fixes

Refer to the "Workarounds and Mitigations" section in this security bulletin.

Workarounds and Mitigations

To mitigate this vulnerability, customers should either limit network message compression to 'snappy' (thereby excluding 'zlib') or disable compression entirely. Detailed workarounds for ITX Design Server Docker and Native installations are provided in the following sections.

 

Workaround for ITX Design Server Docker installations

To address this vulnerability in the MongoDB server shipped with Docker installations, the ITX Design Server install script must be adjusted so that the container is started with compression restricted to snappy only. The procedure below outlines the required modifications.

    
Prerequisites

  1. Ensure ITX Design Server is installed and running.
    • Verify by running: ./ITX status (all components should show as running)
  2. Before updating the installation script, run and save the output of the following two commands:
    docker exec tx-server-mongo ps -ef
    docker exec tx-server-mongo mongo --quiet --eval "db.serverStatus().network.compression"

    
Procedure

  1. Navigate to ITX install directory
    cd <ITX install directory> 
  2. Create a backup of the existing installation script
    • For ITX Design Server versions 10.1.0.2, 10.1.1.1 and 10.1.2.1:
      Create the backup of install.sh script
      cp install.sh <backup_location>/install.sh
      For example
      cp install.sh /opt/mybackup/install.sh
    • For ITX Design Server versions 11.0.0.0, 11.0.1.1 and 11.0.2.0:
      Create the backup of install script
      cp install <backup_location>/install
      For example
      cp install /opt/mybackup/install
  3. Update the installation script
    • For ITX Design Server versions 10.1.0.2, 10.1.1.1 and 10.1.2.1:
      1. Edit the install.sh script using vim or another editor
        vi install.sh
      2. Search for the text: $TX_MONGO_DOCKER_IMAGE
      3. Modify the line to include the --networkMessageCompressors snappy flag
        Before change:
        $TX_MONGO_DOCKER_IMAGE
        After change:
        $TX_MONGO_DOCKER_IMAGE --networkMessageCompressors snappy
    • For ITX Design Server versions 11.0.0.0:
      1. Edit the install script using vim or another editor
        vi install
      2. Search for the text: mongo:4.0.5
      3. Modify the line to include the --networkMessageCompressors snappy flag
        Before change:
        mongo:4.0.5  &>>$log_file
        After change:
        mongo:4.0.5 --networkMessageCompressors snappy  &>>$log_file
    • For ITX Design Server versions 11.0.1.1 and 11.0.2.0:
      1. Edit the install script using vim or another editor
        vi install
      2. Search for the text: docker.io/mongo:4.0.5
      3. Modify the line to include the --networkMessageCompressors snappy flag
        Before change:
        docker.io/mongo:4.0.5  &>>$log_file
        After change:
        docker.io/mongo:4.0.5 --networkMessageCompressors snappy  &>>$log_file
  4. Stop ITX
    ./ITX stop
  5. Remove existing MongoDB container
    Removing the container discards its writable layer. Before deleting it, confirm that the MongoDB data directory is on a named volume or bind mount (docker inspect --format '{{json .Mounts}}' tx-server-mongo) or take a backup, so that the reinstall does not lose data.
    1. List all stopped ITX containers
      docker ps -a
    2. Delete the MongoDB container
      docker rm tx-server-mongo
    3. Verify the container has been deleted
      docker ps -a
  6. Run ITX installation script
    • For ITX Design Server versions 10.1.0.2, 10.1.1.1 and 10.1.2.1
      ./install.sh
    • For ITX Design Server versions 11.0.0.0, 11.0.1.1 and 11.0.2.0
      ./ITX install
    This step will reinstall MongoDB using the modified install script
  7. Start ITX
    • For ITX Design Server versions 10.1.0.2, 10.1.1.1 and 10.1.2.1
      ./start.sh
    • For ITX Design Server versions 11.0.0.0, 11.0.1.1 and 11.0.2.0
      ./ITX start
  8. Verify ITX has started
    1. Execute the following two commands:
      docker exec tx-server-mongo ps -ef
      docker exec tx-server-mongo mongo --quiet --eval "db.serverStatus().network.compression"
    2. Compare the output of these commands with the output saved in the Prerequisites section.
      Expected results:
      • The docker exec tx-server-mongo ps -ef output should contain the text: mongod --networkMessageCompressors snappy --bind_ip_all
      • The compression status output may contain the text: snappy
      • The compression status output should not contain the text: zlib
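The Docker procedure above, as an added shell example that is not part of the IBM bulletin or the ITX product: patch_install_script applies the install script edit for all three script variants, makes the backup, refuses to act unless the launch line occurs exactly once, and is safe to re-run; check_mongo_compression evaluates the saved output of the two verification commands from step 8 (it also accepts the unquoted key style printed by mongosh). Function names and all sample inputs are constructed for illustration; only the launch-line fragments come from the bulletin.

```shell
#!/bin/sh
# Added example; not from the IBM bulletin or the ITX product. Applies the install
# script edit from the Docker procedure idempotently and checks the output of the
# two verification commands. Function names and all sample inputs are constructed
# for illustration; only the launch-line fragments are quoted from the bulletin.

FLAG='--networkMessageCompressors snappy'

# patch_install_script FILE
# Copies FILE to FILE.bak and inserts the snappy-only flag on the single line that
# starts the MongoDB container. Recognised line shapes (quoted in the bulletin):
#   $TX_MONGO_DOCKER_IMAGE                (10.1.x install.sh)
#   mongo:4.0.5  &>>$log_file             (11.0.0.0 install)
#   docker.io/mongo:4.0.5  &>>$log_file   (11.0.1.1 and 11.0.2.0 install)
# A script that already carries the flag is left alone, and a script where the
# pattern does not occur exactly once is refused (edit it by hand as the bulletin
# says) so that an unrelated line, e.g. a docker pull, is never rewritten blindly.
patch_install_script() {
    file=$1
    if grep -q -- "$FLAG" "$file"; then
        echo "already patched: $file" >&2
        return 0
    fi
    n=$(grep -cE '\$TX_MONGO_DOCKER_IMAGE([[:space:]]|$)|mongo:4\.0\.5[[:space:]]*&>>' "$file" || true)
    if [ "$n" != 1 ]; then
        echo "expected exactly one mongod launch line in $file, found $n; edit by hand" >&2
        return 1
    fi
    cp "$file" "$file.bak"
    sed -E \
        -e 's#\$TX_MONGO_DOCKER_IMAGE([[:space:]]|$)#$TX_MONGO_DOCKER_IMAGE '"$FLAG"'\1#' \
        -e 's#(mongo:4\.0\.5)([[:space:]]*&>>)#\1 '"$FLAG"'\2#' \
        "$file.bak" > "$file"
}

# check_mongo_compression PS_FILE STATUS_FILE
# PS_FILE:     saved output of  docker exec tx-server-mongo ps -ef
# STATUS_FILE: saved output of  docker exec tx-server-mongo mongo --quiet --eval "db.serverStatus().network.compression"
# Returns 0 only if mongod was started with snappy as the sole compressor and zlib
# is absent from the status document, whose top-level keys are the enabled
# compressors (quoted by the legacy mongo shell, bare in mongosh).
check_mongo_compression() {
    ps_file=$1 status_file=$2
    if ! grep -qE 'mongod --networkMessageCompressors snappy([[:space:]]|$)' "$ps_file"; then
        echo "mongod is not running with --networkMessageCompressors snappy" >&2
        return 1
    fi
    if grep -qE '^[[:space:]]*"?zlib"?[[:space:]]*:' "$status_file"; then
        echo "zlib is still an enabled compressor" >&2
        return 1
    fi
    return 0
}

# demo: runs both functions on constructed files (not real ITX output).
demo() {
    tmp=$(mktemp -d)
    # Tail of the 11.0.1.1 launch line as quoted in the bulletin; the rest is invented.
    printf 'docker run -d --name tx-server-mongo docker.io/mongo:4.0.5  &>>$log_file\n' > "$tmp/install"
    patch_install_script "$tmp/install" && cat "$tmp/install"
    # Constructed output of the two verification commands after the restart.
    printf 'root 1 0 0 12:00 ? 00:00:01 mongod --networkMessageCompressors snappy --bind_ip_all\n' > "$tmp/ps"
    printf '{\n\t"snappy" : {\n\t\t"compressor" : { "bytesIn" : NumberLong(0), "bytesOut" : NumberLong(0) }\n\t}\n}\n' > "$tmp/status"
    check_mongo_compression "$tmp/ps" "$tmp/status" && echo "OK: zlib is disabled"
    rm -rf "$tmp"
}

if [ "${1-}" = "--demo" ]; then demo; fi
```

Run it as ./patch-itx-mongo.sh --demo to see the patched line and the check result on the constructed inputs; on a real system call patch_install_script on the install script from the ITX install directory and check_mongo_compression on the two files you saved in the Prerequisites step and again after the restart.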

 

Workaround for ITX Native Installations

For a native ITX installation, the client is responsible for owning, hosting, and administering the MongoDB server. Consequently, the client is responsible for patching the MongoDB server and applying any necessary workarounds.

As a workaround, customers must disable zlib compression on any affected MongoDB server version listed in the vulnerability details section. The server's default compressor list includes zlib (snappy,zstd,zlib on MongoDB 4.2 and later), so zlib is enabled unless it is explicitly excluded. The following steps remove zlib and leave snappy as the only enabled compressor:

  1. Before making changes, run the following command in the MongoDB shell (mongosh or mongo) to check the enabled compressors:
    db.serverStatus().network.compression
    The top-level keys of the returned document are the compressors the server currently offers; before the change this typically includes zlib alongside snappy (and zstd on 4.2 and later).
  2. Backup your database and logs
    Always perform a backup before modifying configuration files. Use mongodump to create a copy of your databases.
    mongodump --out /path/to/backup/directory
  3. Modify the configuration file
    1. Locate your MongoDB configuration file (typically mongod.conf)
      • Linux: Usually found in /etc/mongod.conf
      • Windows: Usually found in C:\Program Files\MongoDB\Server\<version>\bin\mongod.cfg
    2. Edit the MongoDB configuration file so that the compression settings under the net section list only the compressors you want, excluding zlib. Keep your existing port and bindIp values; the ones below are placeholders. On MongoDB 4.2 and later, compressors: snappy,zstd is also acceptable, since only zlib is affected.
      net:
        port: 27017
        bindIp: 127.0.0.1
        compression:
          compressors: snappy
  4. Restart the Service
    For the changes to take effect, you must restart the MongoDB daemon.
    • Linux (systemd): sudo systemctl restart mongod
    • Windows: Open Services.msc, find "MongoDB Server", and click Restart.
  5. Run the following command to confirm that zlib has been successfully removed from the list of enabled compressors
    db.serverStatus().network.compression
    Expected output
    {
        "snappy" : {
            "compressor" : {
                "bytesIn" : NumberLong(0),
                "bytesOut" : NumberLong(0)
            },
            "decompressor" : {
                "bytesIn" : NumberLong(0),
                "bytesOut" : NumberLong(0)
            }
        }
    }

    The output should now list only snappy (mongosh prints the same keys with slightly different formatting of the counters). If zlib is absent, the configuration was applied correctly.

 

Note for ITX MongoDB adapter users

The MongoDB adapter allows compression to be configured within the HOST property (-H {hostname | MongoDB_URI}). For the MongoDB server versions listed in the vulnerability details section, users must not include zlib in the compressors list if compression is configured within the HOST property. Note that this client-side setting only keeps the adapter from negotiating zlib; because the flaw is triggered by whatever an unauthenticated client sends, it does not protect a server that still offers zlib, so the server-side configuration above (or a fixed server version) remains the required control.

For example, the following URI offers zstd and snappy and never zlib (zstd requires MongoDB 4.2 or later):
mongodb://localhost:27017/?compressors=zstd,snappy
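The native-installation check (steps 1 to 5 above) and the adapter HOST property note, as one added shell example that is not part of the IBM bulletin, MongoDB or ITX: config_compressors reads the compressors value from a mongod.conf and reports "default" when the key is absent (which the audit treats as zlib-enabled, since the server default includes zlib); uri_compressors and strip_zlib_from_uri inspect and correct the compressors= parameter of a connection string; audit_native combines the two. Function names and the sample inputs in demo() are constructed for illustration, and the config parser handles only the one-line form shown in step 3.

```shell
#!/bin/sh
# Added example; not from the IBM bulletin, MongoDB or ITX. Audits the two places
# where zlib can be enabled in a native installation, the server's mongod.conf and
# the adapter's MongoDB URI, and rewrites a URI so that it no longer offers zlib.
# Function names and the sample inputs in demo() are constructed for illustration.

# config_compressors FILE
# Prints the net.compression.compressors value from a mongod.conf, or "default" when
# the key is absent. Only the one-line form the bulletin shows is parsed
# ("compressors: snappy", quoted or not); the YAML list form is not handled.
config_compressors() {
    v=$(sed -nE "s/^[[:space:]]*compressors:[[:space:]]*[\"']?([A-Za-z0-9,]*)[\"']?.*\$/\1/p" "$1" | head -n 1)
    printf '%s\n' "${v:-default}"
}

# has_zlib LIST: exit 0 if the comma-separated compressor list names zlib.
has_zlib() {
    printf '%s\n' "$1" | tr ',' '\n' | grep -qix zlib
}

# uri_compressors URI
# Prints the compressors= query parameter of a MongoDB connection string, or nothing
# when it is absent (drivers then request no compression at all).
uri_compressors() {
    case $1 in
        *\?*) printf '%s\n' "${1#*\?}" | tr '&' '\n' | sed -n 's/^compressors=//p' | head -n 1 ;;
    esac
}

# strip_zlib_from_uri URI
# Prints URI with zlib removed from its compressors= parameter; the parameter is
# dropped entirely if zlib was the only entry, and other parameters are kept in order.
strip_zlib_from_uri() {
    uri=$1
    case $uri in
        *\?*) base=${uri%%\?*}; query=${uri#*\?} ;;
        *)    printf '%s\n' "$uri"; return 0 ;;
    esac
    newq=''
    old_ifs=$IFS; IFS='&'; set -f      # split on & only, no globbing
    for kv in $query; do
        case $kv in
            compressors=*)
                list=$(printf '%s\n' "${kv#compressors=}" | tr ',' '\n' | grep -vix zlib | paste -sd, -)
                if [ -n "$list" ]; then kv="compressors=$list"; else kv=''; fi ;;
        esac
        if [ -n "$kv" ]; then newq="${newq:+$newq&}$kv"; fi
    done
    IFS=$old_ifs; set +f
    if [ -n "$newq" ]; then printf '%s\n' "$base?$newq"; else printf '%s\n' "$base"; fi
}

# audit_native CONF URI
# Exit 0 only if neither the server config nor the client URI enables zlib. An absent
# compressors key counts as a failure because the server default list includes zlib
# (snappy,zstd,zlib on MongoDB 4.2 and later).
audit_native() {
    conf=$1 uri=$2 rc=0
    c=$(config_compressors "$conf")
    if [ "$c" = default ] || has_zlib "$c"; then
        echo "FAIL server: $conf compressors=$c (zlib enabled)" >&2; rc=1
    else
        echo "ok   server: $conf compressors=$c"
    fi
    u=$(uri_compressors "$uri")
    if has_zlib "$u"; then
        echo "FAIL client: URI compressors=$u offers zlib" >&2; rc=1
    else
        echo "ok   client: URI compressors=${u:-none}"
    fi
    return $rc
}

# demo: constructed mongod.conf still offering zlib (the "before" state of step 3)
# and an adapter URI that offers zlib first.
demo() {
    tmp=$(mktemp -d)
    printf 'net:\n  port: 27017\n  bindIp: 127.0.0.1\n  compression:\n    compressors: snappy,zlib\n' > "$tmp/mongod.conf"
    uri='mongodb://localhost:27017/?compressors=zlib,snappy&tls=true'
    audit_native "$tmp/mongod.conf" "$uri" || echo "set HOST to: $(strip_zlib_from_uri "$uri")"
    rm -rf "$tmp"
}

if [ "${1-}" = "--demo" ]; then demo; fi
```

The audit deliberately fails on a config file with no compressors key at all: a practitioner who only greps for "zlib" would miss that case, yet it is the common one, because the server default enables zlib without naming it anywhere in the file.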

 

Note on MongoDB compression support

MongoDB supports three network message compression algorithms: snappy (v3.4+), zlib (v3.6+) and zstd (v4.2+). Only zlib is affected by CVE-2025-14847. To comply with security requirements and mitigate the MongoBleed vulnerability, zlib must be explicitly excluded from the server's enabled compressors unless a fixed MongoDB server version is deployed.

Change History

25 Feb 2026: Initial Publication

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. "Affected Products and Versions" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.

Document Location

Worldwide


Document Information

Modified date:
25 February 2026

Initial Publish date:
25 February 2026

UID

ibm17261774