Release Date: 14 October 2018
Neo4j 3.4.9 is a maintenance release with an important security fix and several other fixes.
Neo4j Enterprise 3.4.x LDAP Security Vulnerability when using StartTLS and System Account
We have very recently discovered a bug that results in a security vulnerability in Neo4j 3.4 versions that use LDAP authentication with StartTLS and use a System Account for authentication. The issue was reported in GitHub issue 12047.
We have fixed this issue in Neo4j 3.4.9, which we advise you to upgrade to as soon as possible.
Scope: This affects all Neo4j Enterprise 3.4.x versions that use LDAP for authentication, have been configured to use StartTLS (dbms.security.ldap.use_starttls=true), and are using a System Account (dbms.security.ldap.authorization.use_system_account=true). Note that both of these settings are false by default, so only those who have explicitly set both are affected. Users of LDAPS are not affected. Earlier versions of Neo4j are also not affected.
Workaround: It’s possible to work around the issue without upgrading the software. To do this, comment out the “use StartTLS” configuration parameter in the neo4j.conf file on all Neo4j 3.4.x Enterprise servers in your cluster and restart each instance for this to take effect. This can be done in a rolling fashion without downtime. Later, once you are able to upgrade to 3.4.9, upgrade to that version (in a rolling fashion if in a clustered environment), uncomment the configuration parameter to enable StartTLS, and restart the database.
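To help decide which instances in a cluster are in scope before applying the workaround, here is an added check script (not Neo4j tooling) that reads a neo4j.conf and reports whether both settings named above are explicitly set to true. It assumes the file uses key=value lines with "#" starting a comment line; the sample configs it creates are constructed for demonstration.

```shell
#!/bin/sh
# Added example, not part of the Neo4j release or its tooling.
# Checks a neo4j.conf for the setting combination that puts a 3.4.x
# Enterprise instance in scope for the LDAP StartTLS + System Account issue.
# Assumes "key=value" lines; lines starting with "#" are comments.

# Print the effective value of a setting (last uncommented occurrence wins),
# or an empty string if the key is not set at all.
conf_value() {
    # $1 = path to neo4j.conf, $2 = setting key
    awk -v key="$2" -F= '
        /^[[:space:]]*#/ { next }                       # skip comment lines
        { k = $1; gsub(/[[:space:]]/, "", k) }          # trim key
        k == key { v = $2; gsub(/[[:space:]]/, "", v); val = v }
        END { print val }
    ' "$1"
}

# Exit 0 (affected) only when BOTH settings are explicitly true, else 1.
# Commenting out use_starttls, as the workaround describes, takes it out of scope.
ldap_starttls_affected() {
    starttls=$(conf_value "$1" "dbms.security.ldap.use_starttls")
    sysacct=$(conf_value "$1" "dbms.security.ldap.authorization.use_system_account")
    [ "$starttls" = "true" ] && [ "$sysacct" = "true" ]
}

# Constructed sample configs: one in scope, one with the workaround applied.
AFFECTED_CONF=$(mktemp)
cat > "$AFFECTED_CONF" <<'EOF'
dbms.security.auth_provider=ldap
dbms.security.ldap.use_starttls=true
dbms.security.ldap.authorization.use_system_account=true
EOF

WORKAROUND_CONF=$(mktemp)
cat > "$WORKAROUND_CONF" <<'EOF'
dbms.security.auth_provider=ldap
#dbms.security.ldap.use_starttls=true
dbms.security.ldap.authorization.use_system_account=true
EOF

if ldap_starttls_affected "$AFFECTED_CONF"; then echo "affected: $AFFECTED_CONF"; fi
if ! ldap_starttls_affected "$WORKAROUND_CONF"; then echo "not affected: $WORKAROUND_CONF"; fi
```

Run it against the real neo4j.conf path on each cluster member; a non-zero exit from ldap_starttls_affected means that instance is not in scope.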
Other Fixes and Improvements
- Incremental online backup now leaves the resulting backed up store in a fully recovered state. This fixes problems with seeding a Causal Cluster with a store from an incremental online backup.
- Cypher fix for ORDER BY + LIMIT 0 when using slotted runtime
- Browser now correctly handles :queries in clustered environments when not all members could be reached