OVERLAPS Security Update 3.1.2
We have just released a minor security update for OVERLAPS which we are recommending all clients currently on version 3.1 or higher to install. Full details and the mitigation steps can be found below.
The issue relates to the LDAPS (LDAP-over-SSL) systems which were implemented in update 18.104.22.168, and may result in a situation where this occasionally fails over to a regular LDAP connection during the initial connection phase under certain non-default circumstances.
However, it is important to point out that this does not occur while actually transferring data between OVERLAPS and Active Directory.
The following versions of OVERLAPS have been identified as at-risk:
Should I be Concerned?
We take all security issues with the utmost seriousness. However, this particular issue shouldn’t raise any significant concerns because:
- By design it would only happen during the connection phase, not while transferring sensitive data such as Local Administrator passwords.
- Even over a regular LDAP connection, Active Directory encrypts internal domain connections with Kerberos.
- This would only effect configurations where the default Directory Connection Priority setting has been changed from its default setting of “Directory Searcher” to “LDAP”, or where “LDAP” has been selected as the Backup Failover Connection. Neither of which are currently recommended.
However, as with all security concerns (big or small), we recommend all customers currently on version 3.1 or above to install the 3.1.2 update to address this potential issue.
Our recommended process to mitigate the issue is as follows:
- Check your currently installed version against the “Effected Version” list above to see if you need to take action. The version is displayed in the footer of each page within OVERLAPS.
- In OVERLAPS, under Config -> Website Settings -> Active Directory -> Domain Connection Priority, ensure that “Directory Searcher” is selected for all three First Priority connections.
- In the same section, ensure that “None” is selected for the Backup Failover Connection for all three options. “LDAP” should not appear selected in any of the boxes.
- Install the 22.214.171.124 update at your earliest convenience.
While not a significant threat, and due to the specific non-standard configuration that it requires, this is unlikely to effect any of our clients. However, we have addressed this as a priority in putting this notice and update out, as we would any actual or potential security concern.
If you have any concerns or questions, please contact us by email at email@example.com.
Like the article? Share with your friends: