Security Alert #1: LDAP Authentication Issue

Users and Customers running ArangoDB 3.2.17 or higher, 3.3.19 or higher, or 3.4.0-RC.3 or higher, are not affected by the issue described in this Security Alert.

This Security Alert only affects Users and Customers using LDAP to authenticate to ArangoDB (i.e. the ArangoDB option --ldap.enabled of your installation is set to true). If you are using the built-in, local ArangoDB authentication, you are not affected by the issue described below.

Issue Description

When ArangoDB is configured to use LDAP (--ldap.enabled is true), and under the conditions described below, it might be possible to log in to ArangoDB by passing a valid username (the value given as --server.username) and a blank password.

The root cause is how the LDAP protocol treats a simple bind that carries a bind DN but an empty password. RFC 4513 (section 5.1.2) defines this as an "unauthenticated" bind: a directory server may be configured to accept it, and when it does, the bind operation returns success even though no password was verified and the resulting session is anonymous. Because the LDAP login succeeded whenever the bind succeeded, a valid username combined with an empty password was enough to log in against such a directory.
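The following is an added illustration of that mechanism; it is not ArangoDB's code and not taken from this alert. It models a directory that accepts unauthenticated binds (a constructed stand-in named FakeLdapServer, with a hypothetical DN layout under dc=example,dc=com) and contrasts the flawed "bind succeeded, so the user is authenticated" check with a hardened check that refuses empty credentials before they reach the wire and verifies which identity the session is actually bound as:

```python
# Added illustration (not ArangoDB's code): why "bind succeeded" is not
# "password verified" when the directory allows unauthenticated binds.
#
# RFC 4513, section 5.1.2: a simple bind with a non-empty name and an EMPTY
# password is an "unauthenticated" bind. A server may be configured to accept
# it; it then returns success, but the session is anonymous and no password
# was checked. The fake server below is constructed to behave that way.
from dataclasses import dataclass


@dataclass(frozen=True)
class BindResult:
    success: bool
    authz_id: str  # identity the session ended up bound as; "" means anonymous


class FakeLdapServer:
    """Constructed stand-in for a directory; not a real LDAP implementation."""

    def __init__(self, passwords: dict[str, str], allow_unauthenticated: bool):
        self._passwords = passwords          # bind DN -> password
        self._allow_unauthenticated = allow_unauthenticated

    def simple_bind(self, dn: str, password: str) -> BindResult:
        if dn and password == "":
            # RFC 4513 5.1.2 unauthenticated bind: reported as success, with
            # nothing verified, if the server is configured to allow it.
            if self._allow_unauthenticated:
                return BindResult(True, "")
            return BindResult(False, "")
        if dn in self._passwords and self._passwords[dn] == password:
            return BindResult(True, dn)
        return BindResult(False, "")


def user_dn(username: str) -> str:
    # Hypothetical DN layout; the base DN is an assumption for the example.
    return f"uid={username},ou=people,dc=example,dc=com"


def authenticate_vulnerable(server: FakeLdapServer, username: str, password: str) -> bool:
    """Treats any successful bind as a successful login (the flawed pattern)."""
    return server.simple_bind(user_dn(username), password).success


def authenticate_hardened(server: FakeLdapServer, username: str, password: str) -> bool:
    """Refuses empty credentials client-side and checks who the bind was for."""
    if not password:
        # Never send an empty password: on a permissive server it would
        # succeed as an unauthenticated bind.
        return False
    result = server.simple_bind(user_dn(username), password)
    # Defence in depth: the session must be bound as the user we asked for,
    # not as anonymous (the equivalent of a "Who am I?" check in a real client).
    return result.success and result.authz_id == user_dn(username)


# Constructed sample directories: one permissive (the bad configuration), one strict.
PERMISSIVE_DIRECTORY = FakeLdapServer({user_dn("alice"): "correct horse"}, allow_unauthenticated=True)
STRICT_DIRECTORY = FakeLdapServer({user_dn("alice"): "correct horse"}, allow_unauthenticated=False)

if __name__ == "__main__":
    for name, directory in (("permissive", PERMISSIVE_DIRECTORY), ("strict", STRICT_DIRECTORY)):
        print(name, "blank password, vulnerable check:",
              authenticate_vulnerable(directory, "alice", ""))
        print(name, "blank password, hardened check:",
              authenticate_hardened(directory, "alice", ""))
```

To find out whether a real directory accepts unauthenticated binds, bind with a valid DN and an empty password and ask the server who you are, for example with the OpenLDAP client tools: ldapwhoami -x -H ldap://ldap.example.com -D "uid=alice,ou=people,dc=example,dc=com" -w "" (hostname and DN are placeholders). If the command reports an anonymous identity instead of failing, the directory allows such binds; on OpenLDAP this behaviour is controlled by the allow bind_anon_dn setting. In application code using the ldap3 library, the same check is conn.bind() followed by conn.extend.standard.who_am_i(), which returns an empty result for an anonymous session.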

Issue Resolution

ArangoDB version 3.2.17 or higher, 3.3.19 or higher, and version 3.4.0-RC.3 or higher include a fix for the issue described in this Security Alert.

If you are using LDAP for authentication and your LDAP server accepts unauthenticated binds (a bind DN with an empty password), it is therefore recommended to upgrade your ArangoDB installation to version 3.2.17 or higher, 3.3.19 or higher, or to version 3.4.0-RC.3 or higher.

Additional Questions

In case of any questions, please contact us. ArangoDB Customers can open a support ticket in our Support Platform.
