Release Date: October 14, 2018
ONgDB 3.4.9 is a maintenance release with many important improvements and fixes. Chiefly, it fixes an LDAP security bug described below.
ONgDB 3.4.x LDAP Security Vulnerability when using StartTLS and System Account
We have very recently discovered a bug that results in a security vulnerability in ONgDB 3.4 versions that use LDAP authentication with StartTLS and use a System Account for authentication. The issue was reported in GitHub issue 12047.
This issue has been fixed in ONgDB 3.4.9, which we advise you to upgrade to as soon as possible.
Scope: This affects all ONgDB 3.4.x versions that use LDAP for authentication, are configured to use StartTLS (dbms.security.ldap.use_starttls=true), and are using a System Account (dbms.security.ldap.authorization.use_system_account=true). Note that both of these settings are false by default, so only those who have explicitly set them are affected. Users of LDAPS are not affected. Earlier versions of ONgDB are also not affected.
Workaround: It’s possible to work around the issue without upgrading the software. To do this, comment out the “use StartTLS” configuration parameter in the neo4j.conf file on all ONgDB 3.4.x servers in your cluster and restart each instance for this to take effect. This can be done in a rolling fashion without downtime. Later, once you are able to upgrade to 3.4.9, upgrade to that version (in a rolling fashion if in a clustered environment), uncomment the configuration parameter to enable StartTLS, and restart the database.
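The scope and workaround above amount to an audit: read neo4j.conf, check whether LDAP authentication, StartTLS and the System Account are all enabled, and if so comment out the StartTLS parameter until the upgrade. The following Python script is an added example (not ONgDB project code) that does exactly that on a config file and prints the result. The two dbms.security.ldap.* setting names come from the release notes; the dbms.security.auth_provider=ldap check, the other settings in the sample, and the sample configuration itself are assumptions constructed for illustration.

```python
"""Audit a neo4j.conf for the ONgDB 3.4.x LDAP StartTLS + System Account
combination described in the 3.4.9 release notes, and apply the documented
workaround (commenting out the use_starttls parameter).

Added example, not ONgDB project code. Assumes neo4j.conf is made of
`key=value` lines with `#` comments, which is how the two settings named in
the notes are written.
"""
import re

# Setting names taken from the release notes.
USE_STARTTLS = "dbms.security.ldap.use_starttls"
USE_SYSTEM_ACCOUNT = "dbms.security.ldap.authorization.use_system_account"
# Assumption (not from the notes): the setting that selects LDAP as the auth provider.
AUTH_PROVIDER = "dbms.security.auth_provider"

TRUE_VALUES = {"true", "yes", "1"}

# Constructed sample neo4j.conf fragment; not taken from any real deployment.
SAMPLE_CONF = """\
# constructed sample for illustration
dbms.security.auth_provider=ldap
dbms.security.ldap.host=ldap://ldap.example.invalid
dbms.security.ldap.use_starttls=true
dbms.security.ldap.authorization.use_system_account=true
dbms.security.ldap.authorization.system_username=svc-ongdb
# dbms.security.ldap.authorization.system_password is supplied separately
"""


def parse_conf(text):
    """Return the effective settings as a dict, skipping blank and commented lines.
    A key listed twice keeps its last value."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def is_true(settings, key):
    # Both LDAP settings from the notes default to false when absent.
    return settings.get(key, "false").strip().lower() in TRUE_VALUES


def assess(text):
    """Report the three conditions from the notes and whether all hold at once."""
    s = parse_conf(text)
    ldap = s.get(AUTH_PROVIDER, "").strip().lower() == "ldap"
    starttls = is_true(s, USE_STARTTLS)
    system_account = is_true(s, USE_SYSTEM_ACCOUNT)
    return {
        "ldap_auth": ldap,
        "starttls": starttls,
        "system_account": system_account,
        "affected": ldap and starttls and system_account,
    }


def apply_workaround(text):
    """Comment out every active use_starttls line, as the workaround describes.
    Returns the rewritten text and the number of lines changed."""
    pattern = re.compile(r"^\s*" + re.escape(USE_STARTTLS) + r"\s*=")
    out, changed = [], 0
    for raw in text.splitlines():
        if pattern.match(raw):  # already-commented lines do not match
            out.append("#" + raw)
            changed += 1
        else:
            out.append(raw)
    trailing = "\n" if text.endswith("\n") else ""
    return "\n".join(out) + trailing, changed


if __name__ == "__main__":
    print("before:", assess(SAMPLE_CONF))
    fixed, n = apply_workaround(SAMPLE_CONF)
    print(f"commented out {n} line(s)")
    print("after: ", assess(fixed))
```

Run it against a real neo4j.conf by reading the file into `assess()` on each 3.4.x server; if `affected` is true, write the output of `apply_workaround()` back, restart that instance, and move to the next member of the cluster, which matches the rolling procedure in the notes.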
Other Fixes and Improvements
- Incremental online backup now leaves the resulting backed up store in a fully recovered state. This fixes problems with seeding a Causal Cluster with a store from an incremental online backup.
- Cypher fix for ORDER BY + LIMIT 0 when using slotted runtime
- Browser now correctly handles :queries in clustered environments when not all members could be reached
Detailed Changes and Docs
Download ONgDB 3.4.9