Summary

A critical fix is available in Hazelcast Enterprise 4.0.3 to address a security bug when using the out of the box LDAP Authentication, which was introduced with the initial 4.0 major version release.

Risk Assessment

All users of Hazelcast Enterprise 4.0, 4.0.1 and 4.0.2 and using LDAP Authentication are at risk of this security flaw.

Root Cause Analysis

The `LdapLoginModule` doesn't do a proper LDAP bind when system-user-dn is used. As a result users (clients/members) can be authenticated even if they provide an invalid password. This issue also has a CVE entry with the ID CVE-2020-26168.

Resolution

This issue was fixed in the Hazelcast Enterprise 4.0.3 which was released on September 21st, 2020. We recommend any users on Hazelcast Enterprise 4.0, Hazelcast Enterprise 4.0.1 or Hazelcast Enterprise 4.0.2 and using LDAP authentication to update as soon as possible.