I’ve received an update on the Apache LDAP API version 1.0.2 release that I mentioned in a previous post. The most critical update in this release is a security fix that addresses CVE-2018-1337, in which a race condition made it possible for a plaintext request to be sent over a connection after the StartTLS extended operation had been initiated but before the security layer had actually been applied to that connection. It sounds like this primarily affects connections associated with a connection pool that were released to the pool and made available for use before the TLS security layer was entirely in place.
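To make the race described above concrete, here is a small model of it, added for this post and not taken from the Apache LDAP API or its fix. The classes (`LdapConnection`, `ConnectionPool`), the two-step split between requesting StartTLS and applying the security layer, and the request names are all constructed for illustration. The vulnerable path shows a connection handed back to the pool between those two steps and a request going out in plaintext; the hardened path shows two fail-closed checks (the pool refusing to accept a half-upgraded connection, and the connection refusing to write while an upgrade is pending) that close the window regardless of how threads interleave.

```python
class ConnectionNotSecured(Exception):
    """Raised when a write or pool release would expose plaintext."""


class LdapConnection:
    """Toy client connection that can be upgraded with StartTLS.

    Constructed for illustration; not the Apache LDAP API's connection class.
    The upgrade is modelled as two steps so the window between them is visible:
    start_tls() sends the extended request, apply_security_layer() is the point
    at which writes actually become protected.
    """

    def __init__(self):
        self.starttls_initiated = False
        self.security_layer_applied = False
        # Record of (payload, was_encrypted) for every write, for inspection.
        self.sent = []

    def start_tls(self):
        self.starttls_initiated = True

    def apply_security_layer(self):
        self.security_layer_applied = True

    def send_unsafe(self, payload):
        # Vulnerable behaviour: writes in whatever state the connection is in.
        self.sent.append((payload, self.security_layer_applied))

    def send(self, payload):
        # Hardened behaviour: once StartTLS has been requested, refuse to write
        # anything until the security layer is in place.
        if self.starttls_initiated and not self.security_layer_applied:
            raise ConnectionNotSecured("StartTLS pending; refusing plaintext write")
        self.sent.append((payload, self.security_layer_applied))


class ConnectionPool:
    """Minimal pool; require_tls=True models a pool that validates on release."""

    def __init__(self, require_tls):
        self.require_tls = require_tls
        self._available = []

    def release(self, conn):
        if self.require_tls and not conn.security_layer_applied:
            raise ConnectionNotSecured("connection released before TLS was applied")
        self._available.append(conn)

    def acquire(self):
        return self._available.pop()


def vulnerable_sequence():
    """The interleaving from the post: upgrade started, connection released to
    the pool, another user sends a request before the layer is applied."""
    conn = LdapConnection()
    pool = ConnectionPool(require_tls=False)
    conn.start_tls()            # handshake begins ...
    pool.release(conn)          # ... but the pool already offers the connection
    borrower = pool.acquire()   # another caller picks it up
    borrower.send_unsafe("bindRequest")  # goes out in plaintext
    conn.apply_security_layer()          # too late for the request above
    return conn.sent


def hardened_sequence():
    """Same interleaving with both fail-closed checks in place."""
    conn = LdapConnection()
    pool = ConnectionPool(require_tls=True)
    conn.start_tls()
    try:
        pool.release(conn)
        released_early = True
    except ConnectionNotSecured:
        released_early = False
    try:
        conn.send("bindRequest")
        sent_plaintext = True
    except ConnectionNotSecured:
        sent_plaintext = False
    conn.apply_security_layer()
    pool.release(conn)                     # now accepted
    pool.acquire().send("bindRequest")     # now encrypted
    return released_early, sent_plaintext, conn.sent


if __name__ == "__main__":
    print("vulnerable:", vulnerable_sequence())
    print("hardened:", hardened_sequence())
```

The point of the two checks is that neither depends on timing: even if a pool implementation gets the ordering wrong, a connection that refuses to write while its upgrade is pending cannot leak the request, and the failure surfaces as an exception rather than as plaintext on the wire.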
It seems that the 1.0.1 release of the API included a workaround for the problem, while the 1.0.2 release includes the real fix, which explains why the same problem description appears in both the 1.0.1 and 1.0.2 release announcements.
If you’re using the Apache LDAP API, you’re encouraged to update to the 1.0.2 release as quickly as possible.
Editor’s note: I have since learned that the problem is not limited to the StartTLS extended operation, and that it affects all uses of SSL/TLS.