A critical fix is available in Hazelcast Enterprise 4.0.3 for a security bug in the out-of-the-box LDAP authentication. The bug was introduced with the initial 4.0 major version release.
All users of Hazelcast Enterprise 4.0, 4.0.1 and 4.0.2 who use LDAP authentication are exposed to this flaw.
Root Cause Analysis
When `system-user-dn` is configured, the `LdapLoginModule` uses that system account to look up the caller's entry in the directory, but it does not perform a proper LDAP bind as the caller with the password the caller supplied. That second bind is the step that actually verifies the password, so users (clients and members) are authenticated even when they present an invalid password. The issue has been assigned CVE-2020-26168.
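To make the failure concrete, the following added example (not Hazelcast's code) contrasts a search-only flow with the search-then-bind flow an LDAP login module must implement when a system account is used to resolve the caller's DN. The `FakeDirectory`, the system DN `cn=hazelcast-svc,dc=example,dc=com`, the user `alice` and all passwords are constructed stand-ins so the example runs offline; the fake models two real server behaviours that matter here: a simple bind succeeds only with the entry's password, and a bind with an empty password is accepted as an unauthenticated (anonymous) bind, which is the default on several directory servers.

```python
"""Search-then-bind LDAP authentication versus a search-only flow.

Added example, not Hazelcast code. `FakeDirectory` is a constructed
in-memory stand-in for an LDAP server so the logic runs offline.
"""
from dataclasses import dataclass, field


class LdapBindError(Exception):
    """Raised when a simple bind is rejected (invalidCredentials)."""


@dataclass
class FakeDirectory:
    # dn -> attributes (including userPassword); constructed sample data
    entries: dict = field(default_factory=dict)

    def bind(self, dn, password):
        """Simple bind. An empty password is treated as an unauthenticated
        (anonymous) bind and succeeds, as many directory servers do by default."""
        if password == "":
            return "anonymous"
        entry = self.entries.get(dn)
        if entry is None or entry["userPassword"] != password:
            raise LdapBindError(f"invalid credentials for {dn}")
        return dn

    def search_uid(self, uid):
        """Return the DN whose uid attribute matches, or None. A search
        proves only that an entry exists; it checks no password."""
        for dn, attrs in self.entries.items():
            if attrs.get("uid") == uid:
                return dn
        return None


# Assumed system-user-dn and its password (constructed values).
SYSTEM_DN = "cn=hazelcast-svc,dc=example,dc=com"
SYSTEM_PW = "svc-secret"

DIRECTORY = FakeDirectory(entries={
    SYSTEM_DN: {"userPassword": SYSTEM_PW},
    "uid=alice,ou=people,dc=example,dc=com": {
        "uid": "alice", "userPassword": "correct horse"},
})


def vulnerable_login(directory, username, password):
    """Search-only flow: bind as the system account, resolve the caller's
    DN, and treat a successful search as proof of identity. The supplied
    password is never presented to the directory, so any value works."""
    directory.bind(SYSTEM_DN, SYSTEM_PW)
    user_dn = directory.search_uid(username)
    return user_dn is not None


def fixed_login(directory, username, password):
    """Search-then-bind flow: resolve the DN with the system account, then
    bind again as the caller with the caller's password. Empty passwords
    are rejected up front so an unauthenticated bind cannot be mistaken
    for a successful credential check."""
    if not password:
        return False
    directory.bind(SYSTEM_DN, SYSTEM_PW)
    user_dn = directory.search_uid(username)
    if user_dn is None:
        return False
    try:
        directory.bind(user_dn, password)
    except LdapBindError:
        return False
    return True


if __name__ == "__main__":
    for name, login in (("vulnerable", vulnerable_login), ("fixed", fixed_login)):
        print(name, "right pw:", login(DIRECTORY, "alice", "correct horse"))
        print(name, "wrong pw:", login(DIRECTORY, "alice", "nope"))
        print(name, "empty pw:", login(DIRECTORY, "alice", ""))
```

The empty-password guard in `fixed_login` is the check that is easy to forget even once the second bind is in place: without it, a directory that accepts unauthenticated binds would turn "no password" into a successful login.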
This issue was fixed in Hazelcast Enterprise 4.0.3, released on September 21st, 2020. We recommend that any users on Hazelcast Enterprise 4.0, 4.0.1 or 4.0.2 who use LDAP authentication update as soon as possible.