Security Alert #1: LDAP Authentication Issue - ArangoDB

Security Alert #1: LDAP Authentication Issue

Users and Customers running ArangoDB 3.2.17 or higher, 3.3.19 or higher, or 3.4.0-RC.3 or higher, are not affected by the issue described in this Security Alert.

This Security Alert only affects Users and Customers using LDAP to authenticate to ArangoDB (i.e. the ArangoDB option --ldap.enabled of your installation is set to true). If you are using the built-in, local ArangoDB authentication, you are not affected by the issue described below.

Issue Description

When ArangoDB is configured to use LDAP (--ldap.enabled is true), and under certain conditions, it might be possible to log in to ArangoDB by passing a valid username (--server.username) and a blank password.

The root cause of this issue is linked to the fact that it is possible to configure an LDAP server to allow anonymous binds. These binds are done by specifying an empty password.
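To make the failure mode concrete, here is an added example (not ArangoDB's code): a constructed in-memory stand-in for a directory that permits anonymous binds, beside the pre-fix login pattern that forwards whatever password it was given and the post-fix pattern that refuses an empty password before it ever reaches the directory. The DN and password are made up.

```python
# Added example, not ArangoDB's code. Models why an LDAP-backed login accepted
# a blank password and how rejecting empty credentials up front closes it.
from dataclasses import dataclass, field


@dataclass
class SimulatedLdapServer:
    """Constructed stand-in for a directory that allows anonymous binds.

    RFC 4513 (section 5.1.2) defines a simple bind with a non-empty name and an
    EMPTY password as an "unauthenticated" bind. A server that permits anonymous
    access answers it with success, so bind success alone does not prove the
    caller knows the user's password.
    """
    passwords: dict = field(default_factory=dict)  # dn -> password (constructed)
    allow_anonymous: bool = True

    def simple_bind(self, dn: str, password: str) -> bool:
        if password == "":
            # Unauthenticated bind: succeeds whenever anonymous access is on.
            return self.allow_anonymous
        return self.passwords.get(dn) == password


def vulnerable_login(server: SimulatedLdapServer, dn: str, password: str) -> bool:
    """Pre-fix pattern: treat any successful bind as a verified password."""
    return server.simple_bind(dn, password)


def fixed_login(server: SimulatedLdapServer, dn: str, password: str) -> bool:
    """Post-fix pattern: never send an empty name or password to the directory."""
    if not dn or not password:
        return False
    return server.simple_bind(dn, password)


if __name__ == "__main__":
    dn = "uid=alice,ou=people,dc=example,dc=org"      # constructed
    srv = SimulatedLdapServer(passwords={dn: "correct horse battery"})
    print("vulnerable, blank password:", vulnerable_login(srv, dn, ""))   # True
    print("fixed, blank password:     ", fixed_login(srv, dn, ""))        # False
    print("fixed, real password:      ", fixed_login(srv, dn, "correct horse battery"))  # True
```

Disabling anonymous binds on the directory side removes the second half of the problem as well; the check above is the application-side defence that does not depend on how the directory is configured.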

Issue Resolution

ArangoDB version 3.2.17 or higher, 3.3.19 or higher, and version 3.4.0-RC.3 or higher include a fix for the issue described in this Security Alert.

If you are using LDAP for authentication and your LDAP server accepts empty passwords as anonymous binds, it is therefore recommended to upgrade your ArangoDB installation to version 3.2.17 or higher, 3.3.19 or higher, or to version 3.4.0-RC.3 or higher.

Additional Questions

In case of any questions, please contact us. ArangoDB Customers can open a support ticket in our Support Platform.