In OpenLDAP 2.x before 2.5.12 and 2.6.x before 2.6.2, a SQL injection vulnerability exists in the experimental back-sql backend to slapd, via a SQL statement within an LDAP query.
“This can occur during an LDAP search operation when the search filter is processed, due to a lack of proper escaping.”
Artica Proxy uses the OpenLDAP engine in two ways:
In all cases, the back-sql module is not yet supported, and servers running Artica 4.30x or 4.40x are not impacted.
This message has been added in versions 4.40 Service Pack 24 and 4.50x.
Some customers use vulnerability scanner tools.
These tools do not check whether the software is actually running or whether the vulnerability can be reached.
If the software version is lower than the version that fixes the vulnerability, then they consider the Artica server to be vulnerable.
In order for these tools to stop reporting the issue, Artica allows you to update the software by clicking on the "Fix It" button.
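To tell a version-only scanner finding apart from a server where the back-sql precondition is actually present, the check below compares a slapd version against the fixed releases named above and looks for a declared back-sql database in the configuration. It is an added example, not Artica or OpenLDAP code; the function names, the sample version string and the sample configurations are constructed for illustration, and the caller is assumed to supply the version string and configuration text.

```python
import re

# Fixed releases as stated in the advisory text above.
FIXED_25 = (2, 5, 12)
FIXED_26 = (2, 6, 2)

# back-sql is in use only if a database of type "sql" is declared:
# "database sql" in slapd.conf, or "olcDatabase: {N}sql" in cn=config LDIF.
BACK_SQL_RE = re.compile(
    r"^[ \t]*(?:database[ \t]+sql\b|olcDatabase:[ \t]*(?:\{-?\d+\})?sql[ \t]*$)",
    re.IGNORECASE | re.MULTILINE,
)

def parse_version(text):
    """Extract (major, minor, patch) from a string such as 'OpenLDAP 2.4.59'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no x.y.z version in {text!r}")
    return tuple(int(p) for p in m.groups())

def version_affected(version):
    """True if the release falls in the ranges the advisory lists."""
    if version[0] != 2:
        return False
    if version[:2] == (2, 6):
        return version < FIXED_26
    return version < FIXED_25

def uses_back_sql(config_text):
    """True if an uncommented line declares a back-sql database."""
    return bool(BACK_SQL_RE.search(config_text))

def assess(version_text, config_text):
    """Separate what a version-only scanner reports from the real precondition."""
    flagged = version_affected(parse_version(version_text))
    exposed = flagged and uses_back_sql(config_text)
    return {"scanner_flags": flagged, "exposed": exposed}

# Constructed sample configurations, not taken from an Artica server.
CONF_MDB = "database mdb\nsuffix \"dc=example,dc=org\"\n# database sql\n"
CONF_SQL = "moduleload back_sql\ndatabase sql\nsuffix \"dc=example,dc=org\"\n"

if __name__ == "__main__":
    print(assess("OpenLDAP 2.4.59", CONF_MDB))
    print(assess("OpenLDAP 2.4.59", CONF_SQL))
```

A result with `scanner_flags` true and `exposed` false corresponds to the situation described above: the version is older than the fix, but no back-sql database is configured.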