The Samba team discovered a critical vulnerability in the access control of Samba/AD domain controllers. Any authenticated user can change other users’ passwords over LDAP, including the passwords of the administrators.
We strongly advise installing the updated Samba packages for all UCS versions currently supported (from UCS 4.1-5 and UCS 4.2-3), which we have distributed today via the usual errata update channels.
The new UCS 4.3-0, whose release is scheduled for March 14, will also be shipped with a Samba version that is patched against this issue.
More information on the security updates can be found in our forum.