Open vielmetti opened 2 years ago
This simply doesn't appear to have anything to do with nginx, seems to be an issue with https://github.com/bitnami/bitnami-docker-nginx-ldap-auth-daemon
nginx doesn't speak to LDAP except when compiled with a third-party module; the config changes noted to resolve this, namely setting "ldapDaemon.enabled" to false, seem to be exclusive to that Bitnami stuff.
Hm. The @bitnami image appears to have lots of acknowledged vulnerabilities, at https://github.com/bitnami/bitnami-docker-nginx-ldap-auth-daemon/issues/12 .
The image is also deprecated (6 days ago) at https://github.com/bitnami/bitnami-docker-nginx-ldap-auth-daemon/pull/13 and https://github.com/bitnami/bitnami-docker-nginx-ldap-auth-daemon/pull/13/commits/0bdbebd827e53eeb6f50fc53fcb17cf461227b86 - with the notice "Since the upstream project is not maintained, this image has been deprecated, and will no longer be maintained nor updated." Via @michield and @dgomzeleon and @mdhont .
The ID string from the Dockerfile is "nginx-ldap-auth-daemon" "0.20200116.0-11"
That shows up on the Bitnami site as https://bitnami.com/stack/nginx-ldap-auth-daemon/containers
It also shows in AWS as https://aws.amazon.com/marketplace/pp/prodview-ew2qkituery26
If it is a @bitnami issue we will eventually see a security update at https://docs.bitnami.com/aws/security/ (for AWS images) and https://docs.bitnami.com/general/security/ (general images).
The referenced unmaintained upstream is at https://github.com/nginxinc/nginx-ldap-auth . There is a referenced but unacknowledged and unpatched security issue described at https://github.com/nginxinc/nginx-ldap-auth/issues/93 which describes an "ldap query injection attack".
The last merged request in nginx-ldap-auth is dated Jan 16, 2020, merged by @vl-homutov .
At least it's not an issue with nginx server.
Has the vulnerability been reported to bitnami yet?
I have sent a link to this page to "hello@bitnami.com" (and alerted @bitnami to this issue). I don't have a better contact than that at the moment; their website is silent as to how to report security issues.
Prompt response from @nginxinc but no response yet from @vmware (who acquired @bitnami and who I was directed to via an auto reply).
No word (yet) from @bitnami / @vmware in response.
Updates to @bitnami/charts relevant here https://github.com/bitnami/charts/commit/86e7b00a2dcdc6fa76b6317adbf4e4ae4d9c3f3e
https://github.com/bitnami/charts/pull/9645 is the relevant PR.
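For context on the "ldap query injection" class referenced above: the auth daemon builds an LDAP search filter from the HTTP username, so the defensive fix is to escape filter metacharacters per RFC 4515 before substitution. The following is an added illustration, not code from nginx-ldap-auth or Bitnami; the template string and function names are assumptions.

```python
import re

# RFC 4515 section 3: these characters must be encoded as backslash plus two
# hex digits when they appear inside a filter assertion value.
_LDAP_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied string so it is only ever a literal assertion
    value inside an LDAP search filter (RFC 4515)."""
    return "".join(_LDAP_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(template: str, username: str) -> str:
    """Render an operator-controlled filter template, e.g. "(cn=%(username)s)",
    with the username escaped. Hardened form (hypothetical helper)."""
    return template % {"username": escape_filter_value(username)}


def build_user_filter_unescaped(template: str, username: str) -> str:
    """The unsafe pattern: raw substitution lets metacharacters in the username
    change the structure of the query. Shown only for comparison."""
    return template % {"username": username}


def count_filter_components(filter_str: str) -> int:
    """Count unescaped '(' in a rendered filter; a single-attribute template
    should always yield exactly one. Useful as a regression check."""
    return len(re.findall(r"(?<!\\)\(", filter_str))


if __name__ == "__main__":
    # Constructed sample: a username carrying filter metacharacters.
    template = "(cn=%(username)s)"
    for name in ("alice", "*)(uid=*"):
        unsafe = build_user_filter_unescaped(template, name)
        safe = build_user_filter(template, name)
        print(f"{name!r}: unsafe={unsafe!r} ({count_filter_components(unsafe)} components), "
              f"safe={safe!r} ({count_filter_components(safe)} components)")
```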
👋 from the Bitnami team, thanks for all the info; please let me clarify some items regarding this topic:
bitnami/nginx-ldap-auth-daemon container deprecation

Please note the deprecation of the bitnami/nginx-ldap-auth-daemon container was planned some time ago and it is not related to any security issue. We have a policy of not releasing on our side software that is not maintained by the upstream project (or the release cadence is not frequent).
The latest release in the upstream project dates from 31 Oct 2019 which doesn't meet the previously mentioned policy hence the deprecation process was triggered on our side at the end of February.
In this case, a deprecation notice was added to the container README on 4th March (https://github.com/bitnami/bitnami-docker-nginx-ldap-auth-daemon/commit/7737d2a3080f2dc060fc356d52c1c09fbbdb6b48):
Deprecation Notice
NGINX LDAP Auth daemon is no longer maintained by upstream and is now internally tagged as to be deprecated. This image will no longer be released in our catalog a month after this notice is published, but already released container images will still persist in the registries. Valid to be removed starting on: 03-25-2022
After this period, the deprecation was executed and the container was removed from the Bitnami NGINX Helm chart (https://github.com/bitnami/charts/pull/9645), and the container repository itself was marked as archived with the following note in the README:
DEPRECATION NOTICE
Since the upstream project is not maintained, this image has been deprecated, and will no longer be maintained nor updated.
This bitnami/nginx-ldap-auth-daemon container was bundled as part of a couple of Helm charts, but it was disabled by default; users need to set the ldapDaemon.enabled=true value in order to enable this functionality.
This topic was clarified in the README, see https://github.com/bitnami/charts/blob/master/bitnami/nginx/README.md#to-1000
Apart from that, we have published a security notice post with the details of the affected versions and all the information needed for users to mitigate previous versions (according to the NGINX guidelines): https://docs.bitnami.com/general/security/security-2022-04-12
Don't hesitate to ping us if more clarifications are needed regarding this topic.
This news broke on the weekend, and there is no CVE assigned (yet).
Eventually there will presumably be news at the NGINX security advisories site at https://nginx.org/en/security_advisories.html
That page says "All nginx security issues should be reported to security-alert@nginx.org."
Any release information will probably also get announced on Twitter, https://twitter.com/nginxorg