Search Guard Suite 52.3
Release Date: 2021-09-16
This is a bug fix release for Search Guard 52.
Security Issues
Unreliable enable_start_tls option for ldap authcz module
The enable_start_tls option of the ldap authcz module was unreliable in earlier versions of Search Guard: If the ldap authcz module was configured with enable_start_tls: true, it would not upgrade the connection to TLS in some cases. If the LDAP server also accepted commands over unencrypted connections, this would have caused user names and passwords to be transmitted over unencrypted connections between an Elasticsearch node running Search Guard and the LDAP server. If the LDAP server refused commands over unencrypted connections, authentication would just fail.
Details: