DataHub LDAP Ingestion Source TLS Downgrade Vulnerability Allowing MITM Attacks

Vulnerability

A vulnerability in the LDAP ingestion source of DataHub, prior to version 1.3.1.8, allows man-in-the-middle (MITM) attacks through a TLS downgrade. The issue arises because the LDAP source does not properly validate TLS certificates: it accepts the connection even when validation fails. This flaw enables an attacker to intercept LDAPS credentials by presenting a rogue certificate. The vulnerability is exacerbated by the absence of a configuration option to specify trusted CA certificates and by a hardcoded setting that ignores validation failures.

Impact

Exploitation of this vulnerability could lead to unauthorized interception of LDAPS credentials, allowing an attacker to capture sensitive information transmitted over the LDAP connection.

Remediation

Users should update to DataHub version 1.3.1.8 or later. Additionally, ensure that the DataHub deployment exposes only the external services it needs, ideally keeping the traffic between DataHub and the LDAP deployment on a fully internal network.
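The difference between a client that ignores validation failures and one that enforces them, with a check an operator can run against their own LDAPS endpoint, is sketched below. This is an added example, not DataHub's code: it uses Python's standard ssl module as a stand-in for the LDAP client library, and the function names, the host in the usage comment and the CA path are assumptions.

```python
import socket
import ssl

def permissive_context():
    """Stand-in for the flawed behaviour: the handshake succeeds whatever
    certificate the peer presents (constructed for comparison only)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # has to be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

def strict_context(cafile=None):
    """Chain and hostname are both enforced; cafile pins a private CA bundle,
    otherwise the system trust store is used."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def audit_context(ctx):
    """Return the reasons this context would accept a rogue certificate."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate chain is not enforced")
    if not ctx.check_hostname:
        findings.append("hostname is not checked")
    return findings

def probe_ldaps(host, port=636, cafile=None, timeout=5.0):
    """Handshake with full validation. Returns (ok, detail): detail is the TLS
    version on success, or the reason the connection was refused or rejected."""
    ctx = strict_context(cafile)
    if audit_context(ctx):
        raise ValueError("refusing to probe with a non-validating context")
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return True, tls.version()
    except ssl.SSLCertVerificationError as exc:
        return False, "certificate rejected: " + exc.verify_message
    except OSError as exc:              # refused, timeout, other TLS errors
        return False, str(exc)

if __name__ == "__main__":
    print("permissive:", audit_context(permissive_context()))
    print("strict:    ", audit_context(strict_context()))
    # Hypothetical host and CA bundle path; substitute your own deployment's.
    # print(probe_ldaps("ldap.internal.example", cafile="/etc/ssl/corp-ca.pem"))
```

A rejected certificate from `probe_ldaps` means the endpoint's chain or hostname does not match the trusted CA, which is the failure a validating client has to treat as fatal rather than continue past.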

Added: Feb 7, 2026, 12:16 AM
Updated: Feb 7, 2026, 12:16 AM

Vulnerability Rating

Custom Algorithm

spread: 0.3
impact: 2.5
exploitability: 5.9
remediation: 7.9
relevance: 2.6
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.