CVE-2020-26168

9.8 CRITICAL

📋 TL;DR

This vulnerability allows authentication bypass in Hazelcast IMDG Enterprise and Jet Enterprise when using LDAP authentication with system-user-dn configurations. Attackers can authenticate with invalid passwords, potentially gaining unauthorized access to cluster resources. Affects organizations using Hazelcast Enterprise 4.x with LDAP authentication enabled.

💻 Affected Systems

Products:
  • Hazelcast IMDG Enterprise
  • Hazelcast Jet Enterprise
Versions: Hazelcast IMDG Enterprise 4.0, 4.0.1, 4.0.2; Hazelcast Jet Enterprise 4.0, 4.1, 4.1.1, 4.2
Operating Systems: All platforms running affected Hazelcast versions
Default Config Vulnerable: ✅ No
Notes: Only affects systems using LDAP authentication with system-user-dn configuration. Systems using other authentication methods or without LDAP enabled are not vulnerable.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete cluster compromise allowing unauthorized users to access sensitive data, modify configurations, or disrupt operations across the entire Hazelcast cluster.

🟠

Likely Case

Unauthorized access to cluster data and operations by internal or external attackers who discover the vulnerability, potentially leading to data theft or service disruption.

🟢

If Mitigated

Limited impact if network segmentation, additional authentication layers, or monitoring detects unusual authentication attempts before exploitation.

🌐 Internet-Facing: HIGH - If Hazelcast clusters are exposed to the internet with LDAP authentication enabled, attackers can easily bypass authentication.
🏢 Internal Only: HIGH - Even internally, attackers with network access can bypass authentication to access sensitive cluster data and operations.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires network access to the Hazelcast cluster and knowledge that LDAP authentication is enabled. No special tools or complex techniques are needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Hazelcast IMDG Enterprise 4.0.3 or later; Hazelcast Jet Enterprise 4.3 or later

Vendor Advisory: https://hazelcast.zendesk.com/hc/en-us/articles/360050161951--IMDG-Enterprise-4-0-4-0-1-4-0-2-LDAP-Authentication-Bypass

Restart Required: Yes

Instructions:

1. Download the patched version from the Hazelcast portal.
2. Stop all Hazelcast nodes.
3. Replace the JAR files with the patched versions.
4. Restart the nodes.
5. Verify that authentication works correctly.

🔧 Temporary Workarounds

Disable LDAP Authentication (applies to: all)

Temporarily disable LDAP authentication until patching can be completed: modify hazelcast.xml to remove or comment out the <ldap> authentication configuration.

Use Alternative Authentication (applies to: all)

Switch to username/password or other authentication methods temporarily: update hazelcast.xml to use <username-password> or other non-LDAP authentication.

🧯 If You Can't Patch

  • Implement network segmentation to restrict access to Hazelcast clusters only to trusted systems
  • Enable additional authentication layers (VPN, firewall rules, IP whitelisting) and monitor authentication logs for suspicious activity

🔍 How to Verify

Check if Vulnerable:

Check the hazelcast.xml configuration for LDAP authentication and verify that the version is in the affected range. Test authentication with invalid credentials.

Check Version:

java -jar hazelcast-enterprise-*.jar --version

Verify Fix Applied:

After patching, attempt authentication with invalid LDAP credentials to confirm it's rejected. Verify version shows 4.0.3+ for IMDG or 4.3+ for Jet.

📡 Detection & Monitoring

Log Indicators:

  • Successful LDAP authentication with unusual timing or from unexpected IPs
  • Multiple failed authentication attempts followed by success from same source

Network Indicators:

  • LDAP authentication requests to Hazelcast clusters from unauthorized sources
  • Unusual data access patterns following authentication

SIEM Query:

source="hazelcast" AND (event="authentication_success" OR event="ldap_auth") AND NOT user IN allowed_users
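The two log indicators above (successes from sources outside an allow-list, and a run of failures followed by a success from the same source) can be checked over exported authentication logs. The following is an added example, not code from the advisory or from Hazelcast; the log line shape and the IP addresses are constructed for illustration and must be adapted to the real log format of the deployment.

```python
import re
from collections import defaultdict

# Constructed sample log lines in a simple "<ts> <level> auth <outcome> user=<u> src=<ip>" shape.
# This is NOT Hazelcast's real log format; adapt LINE_RE to the deployment's actual output.
SAMPLE_LOG = """\
2020-11-05T10:00:01Z INFO auth FAILED user=svc-app src=10.0.5.21
2020-11-05T10:00:03Z INFO auth FAILED user=svc-app src=10.0.5.21
2020-11-05T10:00:05Z INFO auth FAILED user=svc-app src=10.0.5.21
2020-11-05T10:00:07Z INFO auth SUCCESS user=svc-app src=10.0.5.21
2020-11-05T10:01:00Z INFO auth SUCCESS user=reporting src=10.0.5.30
2020-11-05T10:02:10Z INFO auth SUCCESS user=admin src=203.0.113.9
2020-11-05T10:03:00Z INFO auth FAILED user=admin src=10.0.5.30
2020-11-05T10:03:02Z INFO auth SUCCESS user=admin src=10.0.5.30
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) \S+ auth (?P<outcome>FAILED|SUCCESS) user=(?P<user>\S+) src=(?P<src>\S+)$")

def parse_auth_events(text):
    """Yield (timestamp, outcome, user, src) tuples; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("ts"), m.group("outcome"), m.group("user"), m.group("src")

def find_suspicious_sources(text, allowed_sources, fail_threshold=3):
    """Return {src: [reasons]} for every source matching one of the log indicators:
    - a successful authentication from a source not on the allow-list
    - at least `fail_threshold` consecutive failures followed by a success
    """
    consecutive_failures = defaultdict(int)
    findings = defaultdict(list)
    for ts, outcome, user, src in parse_auth_events(text):
        if outcome == "FAILED":
            consecutive_failures[src] += 1
            continue
        if src not in allowed_sources:
            findings[src].append(f"{ts}: success for user={user} from source outside allow-list")
        if consecutive_failures[src] >= fail_threshold:
            findings[src].append(f"{ts}: success for user={user} after {consecutive_failures[src]} consecutive failures")
        consecutive_failures[src] = 0  # a success resets the failure run for this source
    return dict(findings)

if __name__ == "__main__":
    for src, reasons in find_suspicious_sources(SAMPLE_LOG, {"10.0.5.21", "10.0.5.30"}).items():
        print(src)
        for r in reasons:
            print("  ", r)
```

Tune `fail_threshold` and the allow-list to the environment; on an unpatched cluster a bypass may succeed on the first attempt, so the allow-list check is the more reliable of the two.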
