Release Date: 14 October 2018
ONgDB 3.4.9 is a maintenance release with an important security fix and a number of other fixes.
| Platform | File |
|---|---|
| Windows 64 bit | ongdb-enterprise-3.4.9-windows.zip |
| Windows 32 bit | |
ONgDB 3.4.9 Docker Hub
ONgDB 3.4.x LDAP Security Vulnerability when using StartTLS and System Account
We have very recently discovered a bug that results in a security vulnerability in ONgDB 3.4 versions that use LDAP authentication with StartTLS and use a System Account for authentication. The issue was reported in GitHub issue 12047.
We have fixed this issue in ONgDB 3.4.9, which we advise you to upgrade to as soon as possible.
Scope: This affects all ONgDB 3.4.x versions that use LDAP for authentication, have been configured to use StartTLS (dbms.security.ldap.use_starttls=true) and are using a System Account (dbms.security.ldap.authorization.use_system_account=true). Note that both of these settings are false by default, so only those who have explicitly set them are affected. Users of LDAPS are not affected. Earlier versions of ONgDB are also not affected.
Workaround: It is possible to work around the issue without upgrading the software. To do this, comment out the StartTLS configuration parameter (dbms.security.ldap.use_starttls) in the ONgDB.conf file on all ONgDB 3.4.x servers in your cluster and restart each instance for the change to take effect. This can be done in a rolling fashion without downtime. Later, once you are able to upgrade to 3.4.9, upgrade to that version (in a rolling fashion if in a clustered environment), uncomment the configuration parameter to re-enable StartTLS, and restart the database.
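The scope and workaround above can be turned into a configuration check. The following is an added example, not code from the ONgDB project: it parses a neo4j-style key=value configuration file, reports whether an instance falls into the affected combination (a 3.4.x release before 3.4.9 using LDAP with both use_starttls and use_system_account set to true), and produces the interim workaround by commenting out the use_starttls line. The sample configuration is constructed, and the dbms.security.auth_provider key is assumed from the Neo4j 3.x settings ONgDB inherits; it is not mentioned on this page.

```python
from typing import Dict

# Setting names quoted in the advisory
STARTTLS = "dbms.security.ldap.use_starttls"
SYSTEM_ACCOUNT = "dbms.security.ldap.authorization.use_system_account"
# Assumed from the Neo4j 3.x configuration keys ONgDB inherits (not on the page)
AUTH_PROVIDER = "dbms.security.auth_provider"

# Constructed sample of an affected 3.4.x configuration (not taken from the page)
SAMPLE_CONF = """\
# LDAP settings (constructed sample)
dbms.security.auth_provider=ldap
dbms.security.ldap.host=ldap://ldap.example.internal
dbms.security.ldap.use_starttls=true
dbms.security.ldap.authorization.use_system_account=true
dbms.security.ldap.authorization.system_username=cn=svc-ongdb,ou=services,dc=example,dc=internal
"""


def parse_conf(text: str) -> Dict[str, str]:
    """Parse key=value lines; blank lines and '#' comments are skipped.

    The value is everything after the first '=', so DNs containing '=' survive intact.
    A key that appears twice keeps its last value, matching file order."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def is_true(settings: Dict[str, str], key: str) -> bool:
    """Both advisory settings default to false when absent."""
    return settings.get(key, "false").strip().lower() == "true"


def is_affected(settings: Dict[str, str], version: str) -> bool:
    """True only for the combination the advisory names.

    Affected: ONgDB 3.4.0 through 3.4.8, LDAP authentication, StartTLS enabled,
    and the system account in use. LDAPS users (use_starttls=false) and
    non-3.4 releases are not affected; 3.4.9 carries the fix."""
    major, minor, patch = (int(p) for p in version.split(".")[:3])
    if (major, minor) != (3, 4) or patch >= 9:
        return False
    if settings.get(AUTH_PROVIDER, "native") != "ldap":
        return False
    return is_true(settings, STARTTLS) and is_true(settings, SYSTEM_ACCOUNT)


def apply_workaround(text: str) -> str:
    """Comment out every active use_starttls line, as the advisory's interim workaround.

    The original line is preserved under a '#' so it can be uncommented again
    after the upgrade to 3.4.9."""
    out = []
    for raw in text.splitlines():
        stripped = raw.strip()
        key = stripped.partition("=")[0].strip()
        if not stripped.startswith("#") and key == STARTTLS:
            out.append("# Disabled as a workaround for the 3.4.x StartTLS issue; re-enable after upgrading to 3.4.9")
            out.append("#" + raw)
        else:
            out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    before = parse_conf(SAMPLE_CONF)
    print("affected on 3.4.8:", is_affected(before, "3.4.8"))
    patched = apply_workaround(SAMPLE_CONF)
    print(patched)
    print("affected after workaround:", is_affected(parse_conf(patched), "3.4.8"))
```

Run the check against each server's configuration before a rolling restart; once the workaround file is in place the instance no longer matches the affected combination, and the commented line is ready to be restored after the upgrade.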
Other Fixes and Improvements
- Incremental online backup now leaves the resulting backed up store in a fully recovered state. This fixes problems with seeding a Causal Cluster with a store from an incremental online backup.
- Cypher fix for
when using slotted runtime
- Browser now correctly handles
in clustered environments when not all members could be reached