CVE-2021-36152

9.8 CRITICAL

Authentication Bypass

📋 TL;DR

Apache Gobblin versions <=0.15.0 trust all certificates for LDAP connections in Gobblin-as-a-Service, disabling TLS certificate validation. This allows man-in-the-middle attackers to intercept and potentially manipulate LDAP traffic. All users running affected versions of Gobblin-as-a-Service are vulnerable.

💻 Affected Systems

Products:

• Apache Gobblin

Versions: <=0.15.0

Operating Systems: All

Default Config Vulnerable: ⚠️ Yes

Notes: Only affects Gobblin-as-a-Service component when using LDAP connections.

📦 What is this software?

Gobblin by Apache

View all CVEs affecting Gobblin →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could intercept LDAP authentication traffic, steal credentials, impersonate users, or inject malicious data into LDAP communications, potentially leading to full system compromise.

🟠

Likely Case

Credential theft through LDAP interception, allowing unauthorized access to Gobblin-as-a-Service and potentially downstream systems.

🟢

If Mitigated

If proper network segmentation and monitoring are in place, impact may be limited to credential exposure without lateral movement.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: LOW

Exploitation requires network access to intercept LDAP traffic between Gobblin and LDAP server.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.16.0

Vendor Advisory: https://lists.apache.org/thread/3bxf7rbf4zh95r78jtgth6gwhr5fyl2j

Restart Required: Yes

Instructions:

1. Download Apache Gobblin 0.16.0 or later from official Apache repository. 2. Stop Gobblin-as-a-Service. 3. Replace existing installation with patched version. 4. Restart Gobblin-as-a-Service.

🔧 Temporary Workarounds

Disable LDAP authentication

all

Temporarily disable LDAP authentication in Gobblin-as-a-Service configuration

Copy

Edit configuration file to use alternative authentication method or disable authentication

Network segmentation

all

Isolate Gobblin-as-a-Service and LDAP server on protected network segment

🧯 If You Can't Patch

• Implement strict network controls between Gobblin-as-a-Service and LDAP server
• Monitor LDAP traffic for anomalies and potential interception attempts

🔍 How to Verify

Check if Vulnerable:

Copy

Check Gobblin version: grep 'gobblin.version' in configuration files or run 'gobblin --version' if available

Check Version:

Copy

grep -i version /path/to/gobblin/config/*.properties 2>/dev/null || find / -name '*gobblin*' -type f -exec grep -l 'version' {} \; 2>/dev/null

Verify Fix Applied:

Copy

Confirm version is 0.16.0 or higher and verify LDAP connections now validate certificates

📡 Detection & Monitoring

Log Indicators:

• LDAP connection failures after patch
• Certificate validation errors in logs

Network Indicators:

• Unencrypted or suspicious LDAP traffic patterns
• Unexpected LDAP connections

SIEM Query:

Copy

source="gobblin" AND (event="ldap_connection" OR event="authentication")

📊 Metadata

CVE ID: CVE-2021-36152

CVSS v3 Score: 9.8 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Published: February 4, 2022

Last Updated: November 21, 2024

🔗 References

• https://lists.apache.org/thread/3bxf7rbf4zh95r78jtgth6gwhr5fyl2j Mailing List,Vendor Advisory
• https://lists.apache.org/thread/3bxf7rbf4zh95r78jtgth6gwhr5fyl2j Mailing List,Vendor Advisory

📤 Share & Export

Twitter LinkedIn Reddit Copy Link

📄 Export Markdown 📋 Export JSON