Regardless of my thoughts on MongoDB in particular, if you are relying upon authentication mechanisms built into infrastructure software so that you can put, say, MongoDB on a public IP address and communicate in the open, you are operating your infrastructure completely unacceptably. There is absolutely zero excuse for not doing this right, and if MongoDB's default fucked you here, you're not doing it right in the first place. You wouldn't put your Nest thermostat on the Internet, so why is your primary data store? And, even worse, if you've "done it right" and thrown HTTP basic authentication in front of it, you get to put your hands on your hips and say "ha! we're secure!" but you're one bypass or weak password away from losing your entire database.
I agree with you on reconsidering MongoDB in production, but administrators failing to secure their systems is not why. Authenticating to a database is an antipattern. Stop making database vendors add this shit: HTTP basic authentication against your NoSQL hotness in prod, on a public IP, is a complete waste of time. Put it in RFC 1918 space or lock down security groups like everybody else and stop losing databases like this. That's what's unacceptable.
Seriously, this stuff is bananas. Now you have to ship passwords around in your automation because you can't be bothered to deploy a real DMZ and private network. Then you have to use Ansible Vault or whatever, and the complexity just rapidly multiplies.
You're missing the point. Listening on all interfaces was the default. Defaults should be secure and fail-closed, and that it takes them two years to patch that is extremely worrying.
I'm not missing your point. Your point is wrong. Listening on all interfaces is acceptable because this is infrastructure software, and wiring up MongoDB on a publicly accessible and unfiltered endpoint is an antipattern, authentication scheme or not. If you choose the shitty deployment, like public IPv4, it's on you to actively configure the software to support your shitty deployment.
The default that isn't secure is your expectation of secure software regardless of the accessibility of the endpoint. You don't get to punt those assurances to MongoDB and file "unacceptable" JIRAs to add some other lightly-reviewed authentication scheme to software that doesn't need it. It's on you as an administrator to secure your database, and step one is not default permit to an endpoint on which you can find your entire database. Let me guess, you want authentication via HTTP basic for all of your backend services but rolling a CA and doing TLS client auth is outside your budget and time?
I have been doing production operations for a while. There are two schools of thought: "the defaults are unacceptable," and "I should really be applying defense in depth to protect my infrastructure and own responsibility," and I actively hire the latter. There are a lot of the former, and we're seeing their databases in this post.
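As an added example (not from the thread or from MongoDB's own tooling), a small audit of a mongod `net.bindIp` value against the rule argued above: the listener belongs on loopback or in RFC 1918 space, never on all interfaces or a public address. The addresses and hostname in the demo are constructed, and `audit_bind_ip` / `classify_bind_address` are names chosen here, not mongod options.

```python
import ipaddress

# RFC 1918 space plus IPv6 ULA: the ranges the thread says a database listener belongs in.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]


def classify_bind_address(addr):
    """Classify one entry of a comma-separated mongod net.bindIp value."""
    addr = addr.strip()
    if addr.startswith("/"):
        return "local"            # UNIX domain socket path, reachable only on this host
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "hostname"         # mongod also accepts hostnames; resolve before judging
    if ip.is_unspecified:
        return "all-interfaces"   # 0.0.0.0 or :: is the "listen everywhere" default under discussion
    if ip.is_loopback:
        return "local"
    if any(ip in net for net in PRIVATE_NETS):
        return "private"
    return "public"


def audit_bind_ip(bind_ip, bind_ip_all=False):
    """Return findings for a net.bindIp / net.bindIpAll pair; an empty list means the listener is fail-closed."""
    findings = []
    if bind_ip_all:
        findings.append("net.bindIpAll=true exposes the listener on every interface")
    for raw in bind_ip.split(","):
        addr = raw.strip()
        kind = classify_bind_address(addr)
        if kind == "all-interfaces":
            findings.append(f"{addr}: listens on all interfaces; bind to loopback or a private address")
        elif kind == "public":
            findings.append(f"{addr}: public address; move the listener into RFC 1918 space")
        elif kind == "hostname":
            findings.append(f"{addr}: hostname; resolve it and re-run the check on the address")
    return findings


if __name__ == "__main__":
    # Constructed sample values: the historical default, and a hardened setting.
    for value in ("0.0.0.0", "127.0.0.1,10.20.30.40", "203.0.113.5"):
        print(value, "->", audit_bind_ip(value) or "ok")
```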
I wouldn't worry so much. What can you infer by that? It's completely normal that people working on database engines don't know that much about operational stuff like what network connections to listen to. The product I used to work on, for example, had this exact same misfeature. The real motivation for fixing it was that developer machines would be listening to the outside world, whenever we or our users ran tests and such. The idea that people would run it this way in production was completely foreign to me, personally.