- Status: Fixed in 1.5.6
We were made aware of a vulnerability in our LDAP integration affecting on-premises customers who use AUTHENTICATION_METHOD=ldap
against an LDAP service that allows anonymous bind; it is not relevant for customers using the ldap-search
authentication method. All releases prior to 1.5.6 are affected.
- With such a configuration, users logging in with an empty password would be let in without further authentication. This is a surprising side effect of the default configuration of some LDAP products, where a simple bind with a DN and an empty password is treated as an anonymous bind and succeeds (see the description of the simple bind operation here: https://ldap.com/ldapv3-wire-protocol-reference-bind/#simple-bind-operation)
- Operators can search for the following in the humio repository to identify potential breaches:
  #type=humio loglevel=INFO class=*LdapBindLocalLogin @rawstring="*=0"
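As an added illustration (not Humio's code and not part of the original advisory), the following Python models both halves of the issue: why a simple bind with a DN and an empty password succeeds against a server that allows anonymous bind, with a result-code-only login check beside a hardened one, and a defender-side pass that applies the same filters as the search above to a few constructed log events. The FakeLdapServer class, the two login functions, the event field layout and all sample values (including the passwordLength text in the sample rawstrings) are assumptions made for this example, not Humio's actual log format or implementation.

```python
"""Added example: unauthenticated simple bind and the matching log search.

Not Humio's code. The server model, login functions, event layout and
sample data below are assumptions made for illustration.
"""
import fnmatch


class FakeLdapServer:
    """Toy LDAP server that allows anonymous bind (assumption, not a real server).

    RFC 4513 section 5.1.2: a simple bind with a non-empty DN and an empty
    password is an "unauthenticated" bind. A server that permits it returns
    success but treats the session as anonymous, so a client that looks only
    at the result code believes the user proved their identity.
    """

    def __init__(self, directory, allow_unauthenticated_bind=True):
        self.directory = directory  # dn -> password, constructed sample data
        self.allow_unauthenticated_bind = allow_unauthenticated_bind

    def simple_bind(self, dn, password):
        """Return (result_code, authorization identity); 0 = success, 49 = invalidCredentials."""
        if dn == "" and password == "":
            return 0, "anonymous"  # plain anonymous bind
        if dn and password == "":
            if self.allow_unauthenticated_bind:
                return 0, "anonymous"  # the surprising default the advisory describes
            return 49, None
        if self.directory.get(dn) == password:
            return 0, dn
        return 49, None


def vulnerable_login(server, dn, password):
    """Trusts the bind result code alone (the behaviour fixed in 1.5.6)."""
    code, _ = server.simple_bind(dn, password)
    return code == 0


def hardened_login(server, dn, password):
    """Refuse empty passwords before binding, and require that the bound
    identity is the user's own DN rather than an anonymous session."""
    if not password:
        return False
    code, authz = server.simple_bind(dn, password)
    return code == 0 and authz == dn


# Constructed sample directory and server for the example.
DIRECTORY = {"cn=alice,dc=example,dc=com": "correct horse battery staple"}
SERVER = FakeLdapServer(DIRECTORY)


# Constructed log events; field names follow the advisory's search
# (#type, loglevel, class, @rawstring). The rawstring contents are invented.
SAMPLE_EVENTS = [
    {"#type": "humio", "loglevel": "INFO", "class": "c.h.auth.LdapBindLocalLogin",
     "@rawstring": "bind user=cn=alice,dc=example,dc=com passwordLength=0"},
    {"#type": "humio", "loglevel": "INFO", "class": "c.h.auth.LdapBindLocalLogin",
     "@rawstring": "bind user=cn=bob,dc=example,dc=com passwordLength=28"},
    {"#type": "humio", "loglevel": "DEBUG", "class": "c.h.auth.LdapBindLocalLogin",
     "@rawstring": "retry count=0"},  # wrong loglevel, must not match
    {"#type": "nginx", "loglevel": "INFO", "class": "access",
     "@rawstring": "status=0"},  # wrong tag and class, must not match
]


def matches_advisory_query(event):
    """Apply the same filters as the advisory's search:
    #type=humio loglevel=INFO class=*LdapBindLocalLogin @rawstring="*=0"
    (glob matching, as Humio does for quoted wildcard values)."""
    return (event.get("#type") == "humio"
            and event.get("loglevel") == "INFO"
            and fnmatch.fnmatchcase(event.get("class", ""), "*LdapBindLocalLogin")
            and fnmatch.fnmatchcase(event.get("@rawstring", ""), "*=0"))


def find_suspect_bind_events(events):
    """Return the events an operator would want to review after the fix."""
    return [e for e in events if matches_advisory_query(e)]


if __name__ == "__main__":
    alice = "cn=alice,dc=example,dc=com"
    print("vulnerable, empty password:", vulnerable_login(SERVER, alice, ""))   # True
    print("hardened, empty password:  ", hardened_login(SERVER, alice, ""))     # False
    print("hardened, real password:   ", hardened_login(SERVER, alice, DIRECTORY[alice]))
    for e in find_suspect_bind_events(SAMPLE_EVENTS):
        print("suspect:", e["@rawstring"])
```

The hardened check does two things rather than one: rejecting an empty password before contacting the directory removes the trigger regardless of server configuration, and comparing the authorization identity against the DN catches any other path by which the server might downgrade the session to anonymous. The search model shows why the `*=0` pattern alone is noisy (the constructed `retry count=0` line ends the same way) and why the tag, level and class filters in the advisory's query matter.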
No customers on our cloud services were affected by this bug. Initially, we disclosed this only to the customers we knew were using a configuration where this could be a problem.