Security Notices

2022-04-12 Addressing Security Weaknesses in the NGINX LDAP Reference Implementation

On 9 April 2022, security vulnerabilities in the NGINX LDAP reference implementation were publicly shared. The NGINX team analyzed them and determined that there is no issue in NGINX itself; the problem is specific to the NGINX-LDAP-AUTH component.

Bitnami included the nginx-ldap-auth-daemon container, which is based on the NGINX LDAP reference implementation, in its catalog because it was used by the bitnami/nginx and bitnami/nginx-intel Helm charts.

Affected Platforms

  • Bitnami NGINX Helm chart, versions 5.6.0 to 9.9.9. Version 10.0.0 fixes it.
  • Bitnami NGINX Intel Helm chart, versions 0.0.1 to 0.1.11. Version 1.0.0 fixes it.

It is important to highlight that although this container and its functionality were included in those Helm charts, they were disabled by default. You are affected only if you enabled the daemon by deploying the Helm chart with the ldapDaemon.enabled=true parameter; otherwise the container is not executed. If that is your case, please review the mitigation conditions the NGINX team provided.
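The following POSIX shell check is an added example, not code from Bitnami or the NGINX notice: it applies the affected version ranges and the ldapDaemon.enabled=true condition above to a constructed release inventory. The helm commands named in the comments for gathering real inputs are assumptions, not taken from this page.

```shell
#!/bin/sh
# Added example (not Bitnami's code): flag Helm releases of the bitnami/nginx or
# bitnami/nginx-intel chart that fall inside the affected version ranges from this
# notice AND have the LDAP daemon enabled (ldapDaemon.enabled=true).

# ver_le A B : true when semver A <= B, comparing the three numeric components.
ver_le() {
  [ "$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n1)" = "$1" ]
}

# chart_affected CHART VERSION LDAP_ENABLED
#   CHART:        "nginx" or "nginx-intel" (the Bitnami chart name)
#   VERSION:      the deployed chart version, e.g. 9.9.9
#   LDAP_ENABLED: the release's ldapDaemon.enabled value ("true" or "false")
# Returns 0 (affected) only when the version is in range and the daemon is enabled;
# a release with the daemon disabled never ran the container, so it is not affected.
chart_affected() {
  chart=$1; version=$2; ldap=$3
  case $chart in
    nginx)       low=5.6.0; high=9.9.9 ;;   # fixed in 10.0.0
    nginx-intel) low=0.0.1; high=0.1.11 ;;  # fixed in 1.0.0
    *) return 1 ;;                          # some other chart: out of scope
  esac
  [ "$ldap" = "true" ] || return 1
  if ver_le "$low" "$version" && ver_le "$version" "$high"; then
    return 0
  fi
  return 1
}

# Constructed sample inventory: release, chart, chart version, ldapDaemon.enabled.
# On a real cluster the chart and version come from `helm list -A` and the value from
# `helm get values RELEASE -n NAMESPACE --all --output json` (assumed helm flags).
while read -r release chart version ldap; do
  if chart_affected "$chart" "$version" "$ldap"; then
    echo "AFFECTED: $release ($chart-$version, ldapDaemon.enabled=$ldap)"
  else
    echo "ok:       $release ($chart-$version, ldapDaemon.enabled=$ldap)"
  fi
done <<'EOF'
web-frontend nginx 9.9.9 true
api-edge nginx 9.9.9 false
legacy-intel nginx-intel 0.1.11 true
upgraded nginx 10.0.0 true
EOF
```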

How To Patch It

The NGINX team provided some mitigation conditions, and on 12 April the NGINX-LDAP-AUTH project also worked on security improvements to mitigate this issue.

We have updated the READMEs of all our solutions to include extra information in case you use an affected version of the bitnami/nginx or bitnami/nginx-intel Helm charts. If you are enabling LDAP authentication in an old version of those Helm charts, please read the instructions we have just updated carefully.

Deprecation of the Bitnami nginx-ldap-auth-daemon container

Please note that the deprecation of the bitnami/nginx-ldap-auth-daemon container was planned some time ago and is not related to the security issue. Our policy is not to release software that is not maintained by the upstream project (or whose release cadence is infrequent).

The latest release of the upstream project dates from 31 Oct 2019, which does not meet the policy mentioned above; hence the deprecation process was triggered on our side at the end of February.

In this case, a deprecation notice was added to the container README on 4th March (see this commit).

After a grace period of 1 month, the deprecation was executed and the container was removed from the Bitnami NGINX Helm chart in this PR. Likewise, the container repository was archived with the following note in the README.

You can find more information about the security issue in the official notice.

Do you have more questions? Please post to our community forums so we can help you there.

Last modification April 12, 2022