- Status: Fixed in 1.5.6
We were made aware of a vulnerability in our LDAP integration affecting on-premises customers using
AUTHENTICATION_METHOD=ldap with an LDAP service that allows anonymous bind; it is not relevant for customers using the
ldap-search authentication method. This is a problem for all releases prior to 1.5.6.
- Users logging in with an empty password under such a configuration would be let in without further authentication. This is a surprising side effect of the default configuration of some LDAP products, which treat a simple bind with a name but an empty password as an anonymous bind (see the description here: https://ldap.com/ldapv3-wire-protocol-reference-bind/#simple-bind-operation).
- Operators can search for #type=humio loglevel=INFO class=*LdapBindLocalLogin @rawstring="*=0" in the humio repository to identify potential breaches.
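The root cause above is that a simple bind with a DN but an empty password is an "unauthenticated" bind, which many directory servers accept and treat as anonymous, so an application that forwards the user's empty password to the directory sees a successful bind. The guard below is an added example, not Humio's own code: it refuses empty DNs and empty passwords before any bind request is sent, and a constructed permissive directory stand-in shows why the pre-bind check matters.

```python
"""Pre-bind guard for LDAP simple authentication (added example, not Humio's code).

A simple bind carrying a name but an empty password is an unauthenticated
bind; many directory servers answer it with success and treat the session as
anonymous. An application that passes the user's empty password straight to
the directory therefore lets the user in. Rejecting such credentials locally
closes the hole regardless of how the directory is configured.
"""
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class BindResult:
    ok: bool
    reason: str


def validate_simple_bind(dn: str, password: Optional[str]) -> Optional[str]:
    """Return None if the credentials may be sent to the directory,
    otherwise the reason they are refused."""
    if dn is None or not dn.strip():
        return "anonymous bind refused: empty DN"
    if password is None or password == "":
        return "unauthenticated bind refused: empty password"
    if "\x00" in password:
        return "bind refused: embedded NUL in password"
    return None


def authenticate(dn: str, password: Optional[str],
                 bind: Callable[[str, str], bool]) -> BindResult:
    """Authenticate a user: local validation first, directory bind second."""
    reason = validate_simple_bind(dn, password)
    if reason is not None:
        return BindResult(False, reason)
    if bind(dn, password):
        return BindResult(True, "bind succeeded")
    return BindResult(False, "invalid credentials")


# Constructed stand-in for a directory whose default configuration accepts
# unauthenticated binds (hypothetical users, not real data).
_USERS = {"uid=alice,ou=people,dc=example,dc=com": "correct horse battery"}


def permissive_directory(dn: str, password: str) -> bool:
    if password == "":
        return True  # server reports success and treats the bind as anonymous
    return _USERS.get(dn) == password


if __name__ == "__main__":
    alice = "uid=alice,ou=people,dc=example,dc=com"
    print(authenticate(alice, "", permissive_directory))
    print(authenticate(alice, "correct horse battery", permissive_directory))
```

Calling the directory stand-in directly with an empty password returns True, which is exactly the behaviour the advisory describes; routing the same input through `authenticate` refuses it before the bind is attempted.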
No customers on our cloud services were affected by this bug. Initially, we only disclosed this to the customers we knew were utilizing a configuration where this could be a problem.