Critical Security Update for Samba

The Samba team discovered a critical vulnerablity in the access control of Samba/AD domain controllers.

Any authenticated user can change other users’ passwords over LDAP, including the passwords of administrative users (CVE-2018-1057).

We strongly advise all customers to install the updated Samba packages distributed via the usual errata update channels for all UCS versions currently supported (UCS 4.1-5 and UCS 4.2-3). The UCS 4.3-0 release will also ship a version of Samba patched against this issue.

For customers that cannot update in due time, possible workarounds are described on this dedicated page in the Samba wiki:

Status in UCS:

  • 2018-03-13: Erratum 312 has been announced for UCS 4.2
  • 2018-03-13: Erratum 499 has been announced for UCS 4.1
1 Like