AgainstTheWest / NginxDay

Nginx 18.1 04/09/22 zero-day repo

CVE assignment, contact information #1

Open vielmetti opened 2 years ago

vielmetti commented 2 years ago

This news broke on the weekend, and there is no CVE assigned (yet).

Eventually there will presumably be news at the NGINX security advisories site at https://nginx.org/en/security_advisories.html

That page says "All nginx security issues should be reported to security-alert@nginx.org."

Any release information will probably also get announced on Twitter, https://twitter.com/nginxorg

phillipseamore commented 2 years ago

This simply doesn't appear to have anything to do with nginx; it seems to be an issue with https://github.com/bitnami/bitnami-docker-nginx-ldap-auth-daemon

nginx doesn't speak to LDAP except when compiled with a 3rd party module. The config changes noted to resolve this, namely setting "ldapDaemon.enabled" to false, seem to be exclusive to that Bitnami stuff.

vielmetti commented 2 years ago

Hm. The @bitnami image appears to have lots of acknowledged vulnerabilities, at https://github.com/bitnami/bitnami-docker-nginx-ldap-auth-daemon/issues/12.

The image is also deprecated (6 days ago) at https://github.com/bitnami/bitnami-docker-nginx-ldap-auth-daemon/pull/13 and https://github.com/bitnami/bitnami-docker-nginx-ldap-auth-daemon/pull/13/commits/0bdbebd827e53eeb6f50fc53fcb17cf461227b86 - with the notice "Since the upstream project is not maintained, this image has been deprecated, and will no longer be maintained nor updated." Via @michield and @dgomzeleon and @mdhont.

The ID string from the Dockerfile is "nginx-ldap-auth-daemon" "0.20200116.0-11"

That shows up on the Bitnami site as https://bitnami.com/stack/nginx-ldap-auth-daemon/containers

It also shows in AWS as https://aws.amazon.com/marketplace/pp/prodview-ew2qkituery26

vielmetti commented 2 years ago

If it is a @bitnami issue we will eventually see a security update at https://docs.bitnami.com/aws/security/ (for AWS images) and https://docs.bitnami.com/general/security/ (general images).

vielmetti commented 2 years ago

The referenced unmaintained upstream is at https://github.com/nginxinc/nginx-ldap-auth. There is a referenced but unacknowledged and unpatched security issue described at https://github.com/nginxinc/nginx-ldap-auth/issues/93 which describes an "ldap query injection attack".

The last merged request in nginx-ldap-auth is dated Jan 16, 2020, merged by @vl-homutov.

phillipseamore commented 2 years ago

At least it's not an issue with nginx server.

denizcevik commented 2 years ago

https://github.com/nginxinc/nginx-ldap-auth/issues/81

slw07g commented 2 years ago

Has the vulnerability been reported to bitnami yet?

vielmetti commented 2 years ago

I have sent a link to this page to "hello@bitnami.com" (and alerted @bitnami to this issue). I don't have a better contact than that at the moment; their website is silent as to how to report security issues.

vielmetti commented 2 years ago

Prompt response from @nginxinc but no response yet from @vmware (who acquired @bitnami and who I was directed to via an auto reply).

vielmetti commented 2 years ago

#3 is the update from @nginxinc - at https://www.nginx.com/blog/addressing-security-weaknesses-nginx-ldap-reference-implementation/ and prominently for the moment on top of their blog.

No word (yet) from @bitnami / @vmware in response.

vielmetti commented 2 years ago

Updates to @bitnami/charts relevant here: https://github.com/bitnami/charts/commit/86e7b00a2dcdc6fa76b6317adbf4e4ae4d9c3f3e

https://github.com/bitnami/charts/pull/9645 is the relevant PR.

carrodher commented 2 years ago

👋 from the Bitnami team, thanks for all the info; please let me clarify some items regarding this topic:

bitnami/nginx-ldap-auth-daemon container deprecation

Please note the deprecation of the bitnami/nginx-ldap-auth-daemon container was planned some time ago and it is not related to any security issue. We have a policy of not releasing on our side software that is not maintained by the upstream project (or the release cadence is not frequent).

The latest release in the upstream project dates from 31 Oct 2019, which doesn't meet the previously mentioned policy, hence the deprecation process was triggered on our side at the end of February.

In this case, a deprecation notice was added to the container README on 4th March (https://github.com/bitnami/bitnami-docker-nginx-ldap-auth-daemon/commit/7737d2a3080f2dc060fc356d52c1c09fbbdb6b48):

Deprecation Notice

NGINX LDAP Auth daemon is no longer maintained by upstream and is now internally tagged as to be deprecated. This image will no longer be released in our catalog a month after this notice is published, but already released container images will still persist in the registries. Valid to be removed starting on: 03-25-2022

After this period, the deprecation was executed and the container was removed from the Bitnami NGINX Helm chart (https://github.com/bitnami/charts/pull/9645), and the container repository itself was marked as archived with the following note in the README:

DEPRECATION NOTICE

Since the upstream project is not maintained, this image has been deprecated, and will no longer be maintained nor updated.

Security incident

This bitnami/nginx-ldap-auth-daemon container was bundled as part of a couple of Helm charts, but it was disabled by default; users need to set the ldapDaemon.enabled=true value in order to enable this functionality.

This topic was clarified in the README, see https://github.com/bitnami/charts/blob/master/bitnami/nginx/README.md#to-1000

Apart from that, we have published a security notice post with the details of the affected versions and all the information needed for users to mitigate previous versions (according to the NGINX guidelines): https://docs.bitnami.com/general/security/security-2022-04-12

Don't hesitate to ping us if more clarifications are needed regarding this topic.