Critical Fixes

This release of PingDirectory Server addresses critical issues from earlier versions. Update all affected servers appropriately.

  • Addressed an issue where replication could incorrectly detect a backlog that never clears when updating from a pre-7.3 to a 7.3 or later version. This issue requires that servers were previously removed from the topology, and it has been seen rarely.
    • Fixed in: 7.3.0.5
    • Introduced in: 7.3.0.0
    • Support identifiers: DS-40955
  • Fixed an issue that could cause the server to report an "Unable to decode a blacklist key" error while trying to open a local DB backend after an unclean shutdown.
    • Fixed in: 7.3.0.5
    • Introduced in: 7.2.0.0
    • Support identifiers: DS-40788
  • The following enhancements were made to the topology manager to make it easier to diagnose the connection errors described in PDSTAGING-570:
    • Added monitoring information for all the failed outbound connections (including the time since it's been failing and the last error message seen when the failure occurred) from a server to one of its configured peers and the number of failed outbound connections.
    • Added alarms/alerts for when a server fails to connect to a peer server within a configured grace period.
      • Fixed in: 7.3.0.0
      • Introduced in: 7.0.0.0
      • Support identifiers: DS-38334 PDSTAGING-570 SF#00655578
  • The topology manager will now raise a mirrored-subtree-manager-connection-asymmetry alarm when a server is able to establish outbound connections to its peer servers, but those peer servers are unable to establish connections back to the server within the configured grace period. The alarm is cleared as soon as there is connection symmetry
    • Fixed in: 7.3.0.0
    • Introduced in: 7.0.0.0
    • Support identifiers: DS-38344 PDSTAGING-570 SF#00655578
  • The dsreplication tool has been fixed to work when the node being used to enable replication is currently out-of-sync with the topology master.
    • Fixed in: 7.3.0.0
    • Introduced in: 7.0.0.0
    • Support identifiers: DS-38335 PDSTAGING-570 SF#00655578
  • Fixed two issues in which the server could have exposed some clear-text passwords in files on the server file system.
    • When creating an encrypted backup of the alarms, alerts, configuration, encryption settings, schema, tasks, or trust store backends, the password used to generate the encryption key (which may have been obtained from an encryption settings definition) could have been inadvertently written into the backup descriptor. This problem does not affect local DB backends (like userRoot), the LDAP changelog backend, or the replication database.
    • When running certain command-line tools with an argument instructing the tool to read a password from a file, the password contained in that file could have been written into the server's tool invocation log instead of the path to that file. Affected tools include backup, create-initial-config, create-initial-proxy-config, dsreplication, enter-lockdown-mode, export-ldif, import-ldif, ldappasswordmodify, leave-lockdown-mode, manage-tasks, manage-topology, migrate-ldap-schema, parallel-update, prepare-endpoint-server, prepare-external-server, realtime-sync, rebuild-index, re-encode-entries, reload-http-connection-handler-certificates, reload-index, remove-defunct-server, restore, rotate-log, and stop-server. Other tools are not affected. Also note that this only includes passwords contained in files that were provided as command-line arguments; passwords included in the tools.properties file, or in a file referenced from tools.properties, would not have been exposed.

    In each of these cases, the files would have been written with permissions that make their contents only accessible to the system account used to run the server. Further, while administrative passwords may have been exposed in the tool invocation log, neither the passwords for regular users, nor any other data from their entries, should have been affected. We have introduced new automated tests to help ensure that such incidents do not occur in the future.

    We recommend changing any administrative passwords you fear may have been compromised as a result of this issue. If you are concerned that the passphrase for an encryption settings definition may have been exposed, then we recommend creating a new encryption settings definition that is preferred for all subsequent encryption operations, exporting your data to LDIF, and re-importing so that it will be encrypted with the new key. You also may wish to re-encrypt or destroy any existing backups, LDIF exports, or other data encrypted with a compromised key, and you may wish to sanitize or destroy any existing tool invocation log files that may contain clear-text passwords.

    • Fixed in: 7.3.0.0
    • Introduced in: 7.0.0.0
    • Support identifiers: DS-38897 DS-38908
  • The following enhancements were made to the topology manager to make it easier to diagnose the connection errors:
    • Added monitoring information for all the failed outbound connections (including the time since it's been failing and the last error message seen when the failure occurred) from a server to one of its configured peers and the number of failed outbound connections.
    • Added alarms/alerts for when a server fails to connect to a peer server within a configured grace period.

    Fixed in: 7.2.1.0

    Introduced in: 7.0.0.0

    Support identifiers: DS-38334 SF#00655578

  • The topology manager will now raise a mirrored-subtree-manager-connection-asymmetry alarm when a server is able to establish outbound connections to its peer servers, but those peer servers are unable to establish connections back to the server within the configured grace period. The alarm is cleared when connection symmetry is achieved.
    • Fixed in: 7.2.1.0
    • Introduced in: 7.0.0.0
    • Support identifiers: DS-38344 SF#00655578
  • The dsreplication tool has been fixed to work when the node being used to enable replication is currently out-of-sync with the topology master.
    • Fixed in: 7.2.1.0
    • Introduced in: 7.0.0.0
    • Support identifiers: DS-38335 SF#00655578
  • Addressed an issue where an InvalidKeyException could occasionally be reported by import-ldif. The error message for this problem resembles, "An unexpected error occurred during merge processing for index 'dc_example_dc_com_sn.equality': InvalidKeyException: The provided passphrase is invalid."
    • Fixed in: 7.2.0.0
    • Introduced in: 7.0.0.0
    • Support identifiers: DS-37313
  • Fixed two issues in which the server could have exposed some clear-text passwords in files on the server file system.
    • When creating an encrypted backup of the alarms, alerts, configuration, encryption settings, schema, tasks, or trust store backends, the password used to generate the encryption key (which may have been obtained from an encryption settings definition) could have been inadvertently written into the backup descriptor. This problem does not affect local DB backends (like userRoot), the LDAP changelog backend, or the replication database.
    • When running certain command-line tools with an argument instructing the tool to read a password from a file, the password contained in that file could have been written into the server's tool invocation log instead of the path to that file. Affected tools include backup, create-initial-config, create-initial-proxy-config, dsreplication, enter-lockdown-mode, export-ldif, import-ldif, ldappasswordmodify, leave-lockdown-mode, manage-tasks, manage-topology, migrate-ldap-schema, parallel-update, prepare-endpoint-server, prepare-external-server, realtime-sync, rebuild-index, re-encode-entries, reload-http-connection-handler-certificates, reload-index, remove-defunct-server, restore, rotate-log, and stop-server. Other tools are not affected. Also note that this only includes passwords contained in files that were provided as command-line arguments; passwords included in the tools.properties file, or in a file referenced from tools.properties, would not have been exposed.

    In each of these cases, the files would have been written with permissions that make their contents only accessible to the system account used to run the server. Further, while administrative passwords may have been exposed in the tool invocation log, neither the passwords for regular users, nor any other data from their entries, should have been affected. We have introduced new automated tests to help ensure that such incidents do not occur in the future.

    We recommend changing any administrative passwords you fear may have been compromised as a result of this issue. If you are concerned that the passphrase for an encryption settings definition may have been exposed, then we recommend creating a new encryption settings definition that is preferred for all subsequent encryption operations, exporting your data to LDIF, and re-importing so that it will be encrypted with the new key. You also may wish to re-encrypt or destroy any existing backups, LDIF exports, or other data encrypted with a compromised key, and you may wish to sanitize or destroy any existing tool invocation log files that may contain clear-text passwords.

    Fixed in: 7.0.1.3

    Introduced in: 7.0.0.0

    Support identifiers: DS-38897 DS-38908

  • Addressed an issue in "dsreplication enable/initialize" that prevented servers from some previous versions (5.2.0.5 and earlier and 6.0.0.*) from initializing newer servers. Servers from these prior versions can now be used to enable replication with current versions of the server.
    • Fixed in: 7.0.0.0
    • Introduced in: 5.2.0.5
    • Support identifiers: DS-35528 SF#624368
  • Fixed a very rare race condition with the Frequently Accessed Entry Cache which could lead to an index being marked as degraded and requiring a rebuild.

    The problem is unlikely to happen outside of testing environments since it requires modifying a single entry over 1000 times per second across multiple servers concurrently.

    • Fixed in: 7.0.0.0
    • Introduced in: 5.2.0.6
    • Support identifiers: DS-35616 SF#00625189
  • Addressed an issue where an index key could incorrectly be reported as exceeding the index-entry-limit after one billion entries had been imported or added to the directory server. The directory server does not need to contain one billion entries at the same time to be affected by this issue since the entry ID will always increase for each added entry even if entries are deleted. Environments that have experienced this issue should export and reimport their data after applying this patch.
    • Fixed in: 7.0.0.0
    • Introduced in: 2.0.0.0
    • Support identifiers: DS-35790 SF#00625942
  • Fixed an issue that could allow users with locked accounts to change their own passwords using the password modify extended operation.
    • Fixed in: 6.2.0.0

    • Introduced in: 5.2.0.3

    • Support identifiers: DS-17074

  • Addressed an issue specific to entry-balanced environments where changes received through replication are applied in the incorrect backend. This can occur if a restricted domain is disabled prior to disabling the global domain. With the restricted domain disabled, the affected server could apply the changes originally targeted for the restricted domain in the global domain. In addition, other servers in the topology will reset their generation ID for the restricted domain.
    • Fixed in: 6.2.0.0

    • Introduced in: 2.1.4.0

    • Support identifiers: DS-17237 SF#3746

  • Added an alarm at warning level to notify if any of the important JVM startup arguments are missing or misconfigured.
    • Fixed in: 6.2.0.0

      Introduced in: 5.0.0.0

      Support identifiers: DS-12216

  • Addressed an issue where a server could incorrectly report missed replication changes at startup in rare circumstances. Server A could report missed changes at startup where
    1. Server B had not received changes directly from a client for a long time (beyond the purge delay),
    2. Since the last successful change, Server B had processed an operation from a client that made it deep enough in the operation processing to generate a change sequence number (CSN) but that operation was later rejected by the server,
    3. Server A is shutdown, and
    4. While Server A is shutdown, the Server B processes one or more changes directly from the client.

    Fixed in: 6.2.0.0

    Introduced in: 3.5.0.0

    Support identifiers: DS-18035 SF#00614612

  • Fixed an issue that could prevent the server from properly closing a database transaction under a sustained load of heavily conflicting write operations on a system that is processing those operations at an abnormally slow rate (for example, if the database is not cached and the disk subsystem is completely saturated).
    • Fixed in: 6.2.0.0

      Introduced in: 6.0.1.0

      Support identifiers: DS-18070

  • Fixed an issue that could allow users with locked accounts to change their own passwords using the password modify extended operation.
    • Fixed in: 6.2.0.0

      Introduced in: 5.2.0.3

      Support identifiers: DS-17074

  • Addressed an issue specific to entry-balanced environments where changes received through replication are applied in the incorrect backend. This can occur if a restricted domain is disabled prior to disabling the global domain. With the restricted domain disabled, the affected server could apply the changes originally targeted for the restricted domain in the global domain. In addition, other servers in the topology will reset their generation ID for the restricted domain.
    • Fixed in: 6.2.0.0

      Introduced in: 2.1.4.0

      Support identifiers: DS-17237 SF#3746

  • Added an alarm at warning level to notify if any of the important JVM startup arguments are missing or misconfigured.
    • Fixed in: 6.2.0.0

      Introduced in: 5.0.0.0

      Support identifiers: DS-12216

  • Addressed an issue where a server could incorrectly report missed replication changes at startup in rare circumstances. Server A could report missed changes at startup where
    1. Server B had not received changes directly from a client for a long time (beyond the purge delay),
    2. Since the last successful change, Server B had processed an operation from a client that made it deep enough in the operation processing to generate a change sequence number (CSN) but that operation was later rejected by the server,
    3. Server A is shutdown, and
    4. While Server A is shutdown, the Server B processes one or more changes directly from the client.

    Fixed in: 6.2.0.0

    Introduced in: 3.5.0.0

    Support identifiers: DS-18035 SF#00614612

  • Fixed an issue that could prevent the server from properly closing a database transaction under a sustained load of heavily conflicting write operations on a system that is processing those operations at an abnormally slow rate (for example, if the database is not cached and the disk subsystem is completely saturated).
    • Fixed in: 6.2.0.0

      Introduced in: 6.0.1.0

      Support identifiers: DS-18070

  • Fixed an issue where opening the backend database might fail with an IllegalStateException that references "exploded-index-background-deletes" when there are several backend exploded indexes.
    • Fixed in: 6.0.0.0

      Introduced in: 4.6.0.0

      Support identifiers: DS-15094

  • The server can now detect an "out of file handles" situation on the operating system, and shut down to prevent running in an unreliable state.
    • Fixed in: 5.1.0.0

      Introduced in: 2.1.0.0

      Support identifiers: DS-12579 SF#2655

  • Added a fail safe to the pending changes queue for the Changelog Backend that can detect and ignore recovered changes that do not need to be committed in order to prevent holding up other changes in the queue.
    • Fixed in: 5.0.0.0

      Introduced in: 4.5.1.0

      Support identifiers: DS-11720 SF#2453

  • Disabled support for SSLv3 by default in the LDAP, HTTP, and JMX connection handlers, and for replication communication. The recently-discovered POODLE vulnerability could potentially allow a network attacker to determine the plaintext behind an SSLv3-encrypted session, which would effectively negate the primary benefit of the encryption.
    • SSLv3 was initially defined in 1996, but was supplanted by the release of the TLSv1 definition in 1999 (and subsequently by TLSv1.1 in 2006 and TLSv1.2 in 2008). These newer TLS protocols are not susceptible to the POODLE vulnerability, and the server has supported them (and preferred them over SSLv3) for many years. The act of disabling SSLv3 by default should not have any adverse effect on clients that support any of the newer TLS protocols. However, if there are any legacy client applications that attempt to communicate securely but do not support the newer TLS protocols, they should be updated to support the newer protocols. In the event that there are known clients that do not support any security protocol newer than SSLv3 and that cannot be immediately updated to support a newer protocol, SSLv3 support can be re-enabled using the newly-introduced allowed-insecure-tls-protocol global configuration property. However, since communication using SSLv3 can no longer be considered secure, it is strongly recommended that every effort be made to update all known clients still using SSLv3.

      It is possible to use the server access log to identify LDAP clients that use SSLv3 to communicate with the server. Whenever an LDAP client establishes a secure connection to the server, or whenever a client uses the StartTLS extended operation to secure an existing plaintext connection, the server will generate a SECURITY-NEGOTIATION access log message. The "protocol" element of a SECURITY-NEGOTIATION access log message specifies the name of the security protocol that has been negotiated between the client and the server, and any SECURITY-NEGOTIATION messages with a protocol of "SSLv3" suggest that the associated client is vulnerable to the POODLE attack. In addition, if any connections are terminated for attempting to use the disallowed SSLv3 protocol, the access log message for that disconnect should include a message stating the reason for the termination.

      • Fixed in: 5.0.0.0

        Introduced in: 2.1.0.0

        Support identifiers: DS-11782

  • Fixed a problem that could interfere with access to an exploded attribute index after performing an online index rebuild for that attribute.
    • Fixed in: 4.6.0.0
    • Introduced in: 4.5.1.0
    • Support identifiers: DS-10470
  • Fix a bug in low level protocol buffer that could result in "uncaught exception" errors.
    • Fixed in: 4.5.0.0
    • Introduced in: 3.2.0.0
    • Support identifiers: DS-9268 SF#2002
  • Improve server stability by disabling explicit garbage collections that were being caused by JMX connections.
    • Fixed in: 4.0.0.0
    • Introduced in: 3.5.0.0
    • Support identifiers: DS-7633
  • Fix a bug in the LDAP Changelog where the changelog index manager could capture new changes for an attribute in one index after already hitting the end of another index. This created the possibility for changes to be missed when processing get-changelog-batch-requests at the same time that live traffic is happening.
    • Fixed in: 3.6.0.0
    • Introduced in: 3.2.0.0
    • Support identifiers: DS-7422
  • Fix a bug that allows users with expired passwords to change attributes in their own entry other than password.
    • Fixed in: 3.5.0.0
    • Introduced in: 3.2.0.0
    • Support identifiers: DS-6054
  • Address an issue where a directory server might resend duplicate changes when processing a GetChangelogBatch request in an environment that is under heavy load.
    • Fixed in: 3.5.0.0
    • Introduced in: 3.2.0.0
    • Support identifiers: DS-5656
  • Update PingDirectory Server to apply access controls when processing the GetAuthorizationEntryRequestControl.
    • Fixed in: 3.5.0.0
    • Introduced in: 2.0.0.0
    • Support identifiers: DS-854
  • Fix a bug where PingDirectory Servers could potentially miss some update messages in large topologies after a restart.
    • Fixed in: 3.2.0.0
    • Introduced in: 3.1.0.0
    • Support identifiers: DS-3592

Resolved Issues

The following issues have been resolved with this release of PingDirectory Server:

Ticket ID Description
DS-37955

To support multiple trace loggers, each trace logger now has its own resource key, which is shown in the "Resource" column in the output of "status". This key allows multiple alarms, due to sensitive message types for multiple trace loggers.

DS-39589

Fixed an issue that could cause access log messages for bind and StartTLS results to report the client connection policy that had previously been assigned to the connection rather than the new policy that is in place as a result of the operation.

DS-39799

Allows users who were migrated from the admin backend to the topology to manage the topology. Migrated users are granted the "manage-topology" privilege if they do not already have it.

DS-39882

Fixed an issue that could prevent the simple request criteria from properly evaluating a target entry filter or group membership for a modify DN operation after the change had already been applied to the backend.

DS-40154

Fixed an issue where the restore tool was not restoring all dependencies of an incremental backup.

DS-40263

Fixed an issue that could cause references to old servers to remain in config.ldif files after remove-defunct-server was run.

DS-40321

Fix verify-index to correctly validate substring indexes containing multi-byte UTF-8 characters.

DS-40366

Fixed an issue where the server was attempting to connect by an IP address rather than a hostname when DNS lookup was successful.

DS-40561

Fixed an issue that prevented assured replication from working for requests received via SCIM or the REST API.

DS-40681

Added a cache for password policies stored in user data rather than in the configuration. The cache will hold up to 500 policies by default, but the cache size can be configured (or the cache disabled) using the maximum-user-data-password-policies-to-cache property in the global configuration.

DS-40771

Added a --duration argument to collect-support-data. When used, only the log files covering the specified duration before the current time will be collected.

DS-40951

Improved import-ldif indexing performance.

DS-41054

Fixed an issue that stopped new extensions from being installed.

DS-41206

Fixed a memory leak when performing SCIM queries on the Directory Server.