2022-04-12 Addressing Security Weaknesses in the NGINX LDAP Reference Implementation
On 9 April 2022, security vulnerabilities in the NGINX LDAP reference implementation were publicly disclosed. The NGINX team analyzed them and determined that there is no issue in NGINX itself; the problem is specific to the NGINX-LDAP-AUTH component. The affected Bitnami Helm charts are:
- Bitnami NGINX Helm chart, versions 5.6.0 to 9.9.9. Version 10.0.0 fixes it.
- Bitnami NGINX Intel Helm chart, versions 0.0.1 to 0.1.11. Version 1.0.0 fixes it.
It is important to highlight that although this container/functionality was included in those Helm charts, it was disabled by default: you can be affected only if you enabled it by deploying the Helm chart with the ldapDaemon.enabled=true parameter; otherwise this container is never executed. If that is your case, please review the mitigation conditions the NGINX team provided.
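The two conditions above (chart version inside the affected range, and ldapDaemon.enabled set to true) can be applied mechanically to each deployed release. The following script is an added example and is not code from this post or from the Bitnami charts; the version ranges are the ones stated above, while the function names and the sample release lines at the bottom are constructed for illustration. The chart column format (`nginx-9.5.0`) is what `helm list` prints, and the enabled flag is assumed to be read from `helm get values <release> -n <namespace> --all`.

```shell
#!/bin/sh
# Added example, not code from the Bitnami post or the Bitnami charts.
# Checks a deployed release against the advisory's two conditions:
#   1. chart version inside the affected range, and
#   2. ldapDaemon.enabled=true (otherwise the LDAP daemon container never runs).
# Version ranges come from the advisory; function names and sample data are constructed.

# vercmp A B: print -1, 0 or 1 for A<B, A=B, A>B (dotted numeric versions only).
vercmp() {
  a=$1; b=$2
  while [ -n "$a" ] || [ -n "$b" ]; do
    ai=${a%%.*}; bi=${b%%.*}
    ai=${ai:-0}; bi=${bi:-0}            # a missing component counts as 0
    if [ "$ai" -lt "$bi" ]; then printf '%s\n' -1; return 0; fi
    if [ "$ai" -gt "$bi" ]; then printf '%s\n' 1; return 0; fi
    case $a in *.*) a=${a#*.} ;; *) a= ;; esac
    case $b in *.*) b=${b#*.} ;; *) b= ;; esac
  done
  printf '%s\n' 0
}

# is_affected CHART VERSION ENABLED: exit 0 only if both advisory conditions hold.
is_affected() {
  chart=$1; version=$2; enabled=$3
  case $chart in
    nginx)       lo=5.6.0; hi=9.9.9 ;;   # fixed in 10.0.0
    nginx-intel) lo=0.0.1; hi=0.1.11 ;;  # fixed in 1.0.0
    *)           return 1 ;;             # any other chart is out of scope
  esac
  [ "$enabled" = "true" ] || return 1    # daemon disabled: container not executed
  [ "$(vercmp "$version" "$lo")" -ge 0 ] || return 1
  [ "$(vercmp "$version" "$hi")" -le 0 ] || return 1
  return 0
}

# verdict COLUMN ENABLED: takes the CHART column as printed by `helm list`
# (e.g. nginx-intel-0.1.5), splits it into chart name and version, prints a verdict.
verdict() {
  col=$1; enabled=$2
  name=${col%-*}; ver=${col##*-}
  if is_affected "$name" "$ver" "$enabled"; then
    printf 'AFFECTED     %s (ldapDaemon.enabled=%s)\n' "$col" "$enabled"
  else
    printf 'not affected %s (ldapDaemon.enabled=%s)\n' "$col" "$enabled"
  fi
}

# Constructed sample input: one line per release, CHART column from `helm list -A`
# followed by the ldapDaemon.enabled value from `helm get values <release> --all`.
while read -r col enabled; do
  verdict "$col" "$enabled"
done <<EOF
nginx-9.5.0 true
nginx-9.5.0 false
nginx-10.0.0 true
nginx-intel-0.1.11 true
nginx-intel-1.0.0 true
EOF
```

In a real cluster, feed the loop from `helm list -A` and look up each release's computed values with `helm get values --all`; a release is only flagged when the chart version is in range and the LDAP daemon was explicitly enabled, which matches the condition stated in the post.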
How to Patch It
We have updated all our README solutions to include extra information for users of an affected version of the bitnami/nginx or bitnami/nginx-intel Helm charts. If you are enabling LDAP authentication in an old version of those Helm charts, please read the updated instructions carefully.
Deprecation of the Bitnami nginx-ldap-auth-daemon container
Please note that the deprecation of the bitnami/nginx-ldap-auth-daemon container was planned some time ago and is not related to the security issue. We have a policy of not releasing software that is not maintained by the upstream project (or whose release cadence is infrequent).
The latest release in the upstream project dates from 31 Oct 2019, which does not meet the policy mentioned above, so the deprecation process was triggered on our side at the end of February.
In this case, a deprecation notice was added to the container README on 4th March (see this commit).
After a grace period of 1 month, the deprecation was executed and the container was removed from the Bitnami NGINX Helm chart in this PR. Likewise, the container repository was archived with the following note in the README.
You can find more information about the security issue in the official notice.
Do you have more questions? Please post to our community forums so we can help you there.