1.5.6 Security Release (2019-04-04)

• Status: Fixed in 1.5.6

We were made aware of a vulnerability in our LDAP integration, for on-premises customers using AUTHENTICATION_METHOD=ldap with an LDAP service allowing anonymous bind; it is not relevant for customers using the ldap-search authentication method. This is a problem for all releases prior to 1.5.6.

• Users logging in with an empty password with such a configuration would be let in without further authentication which is a surprising side effect of the default configuration for some ldap products (see description here: https://ldap.com/ldapv3-wire-protocol-reference-bind/#simple-bind-operation)
• operators can search for #type=humio loglevel=INFO class=*LdapBindLocalLogin @rawstring="*=0" in the humio repository to identify potential breaches.

No customers on our cloud services were affected by this bug. Initially, we only disclosed this to the customers we knew were utilizing a configuration where this could be a problem.