A critical fix is available in Hazelcast Jet Enterprise 4.3 to address a security bug in the out-of-the-box LDAP Authentication, which was introduced with the initial 4.0 major version release.
All users of Hazelcast Jet Enterprise 4.0, 4.1, 4.1.1 or 4.2 who use LDAP Authentication are affected by this security flaw.
Root Cause Analysis
The `LdapLoginModule` does not perform a proper LDAP bind with the caller's credentials when `system-user-dn` is configured. As a result, users (clients and members) can be authenticated even if they provide an invalid password. This issue has a CVE entry with the ID CVE-2020-26168.
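The following is an added illustration of the bug class described above, not Hazelcast's `LdapLoginModule` code. It models the "search-then-bind" flow that a system user DN implies: the login module binds with the service account, looks up the caller's DN, and must then open a second bind with that DN and the caller's password. `authenticate_flawed` shows what happens when that second bind is skipped; `authenticate_fixed` performs it. The directory, DNs and passwords are constructed so the example runs offline, and `FakeLdapConnection` is a stand-in for a real LDAP client.

```python
"""Search-then-bind LDAP authentication against a constructed in-memory
directory. Illustrative only; not the Hazelcast Jet login module."""

# Constructed directory: DN -> (attributes, password). Not real data.
DIRECTORY = {
    "cn=svc-jet,ou=services,dc=example,dc=com": ({"uid": "svc-jet"}, "service-secret"),
    "uid=alice,ou=people,dc=example,dc=com": ({"uid": "alice"}, "alice-pass"),
}

# Assumed configuration values, mirroring a system-user-dn style setup.
SYSTEM_USER_DN = "cn=svc-jet,ou=services,dc=example,dc=com"
SYSTEM_USER_PASSWORD = "service-secret"
USER_SEARCH_BASE = "ou=people,dc=example,dc=com"


class FakeLdapConnection:
    """Stand-in for an LDAP client offering the two operations a login
    module needs: a simple bind and a subtree search."""

    def __init__(self, directory):
        self._dir = directory
        self.bound_as = None

    def bind(self, dn, password):
        """Simple bind: succeeds only if the DN exists and the password matches."""
        entry = self._dir.get(dn)
        if entry is None or entry[1] != password:
            return False
        self.bound_as = dn
        return True

    def search(self, base, attr, value):
        """Return DNs under base whose attribute equals value; needs a prior bind."""
        if self.bound_as is None:
            raise PermissionError("search requires an authenticated bind")
        return [dn for dn, (attrs, _pw) in self._dir.items()
                if dn.endswith(base) and attrs.get(attr) == value]


def authenticate_flawed(directory, username, password):
    """Bug pattern: bind as the system user, resolve the caller's DN, and
    treat a successful lookup as a successful login. The caller's password
    is never presented to the directory, so any value is accepted."""
    conn = FakeLdapConnection(directory)
    if not conn.bind(SYSTEM_USER_DN, SYSTEM_USER_PASSWORD):
        return False
    matches = conn.search(USER_SEARCH_BASE, "uid", username)
    return len(matches) == 1  # password unused


def authenticate_fixed(directory, username, password):
    """Correct search-then-bind: after resolving the DN with the system
    account, open a second bind using that DN and the supplied password."""
    if not password:
        # Many servers treat a DN with an empty password as an anonymous
        # (unauthenticated) bind that "succeeds", so reject it up front.
        return False
    conn = FakeLdapConnection(directory)
    if not conn.bind(SYSTEM_USER_DN, SYSTEM_USER_PASSWORD):
        return False
    matches = conn.search(USER_SEARCH_BASE, "uid", username)
    if len(matches) != 1:
        return False
    user_conn = FakeLdapConnection(directory)
    return user_conn.bind(matches[0], password)


if __name__ == "__main__":
    for fn in (authenticate_flawed, authenticate_fixed):
        print(fn.__name__, "alice / wrong-pass ->", fn(DIRECTORY, "alice", "wrong-pass"))
```

The empty-password check in `authenticate_fixed` is the caveat practitioners most often miss when adding the second bind: an LDAP simple bind with a DN and an empty password is an unauthenticated bind on many servers and returns success, which would reintroduce the same outcome as the original flaw.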
This issue was fixed in Hazelcast Jet Enterprise 4.3, which was released on October 23rd, 2020. We recommend that all users of Hazelcast Jet Enterprise 4.x who use LDAP authentication update to Hazelcast Jet 4.3 or later as soon as possible.