The Samba team discovered a critical vulnerability in the access control of Samba/AD domain controllers.
Any authenticated user can change other users’ passwords over LDAP, including the passwords of administrative users (CVE-2018-1057).
We strongly advise all customers to install the updated Samba packages distributed via the usual errata update channels for all UCS versions currently supported (UCS 4.1-5 and UCS 4.2-3). The UCS 4.3-0 release will also ship a version of Samba patched against this issue.
For customers who cannot update in due time, possible workarounds are described on this dedicated page in the Samba wiki:
Status in UCS: