One of our customers reported a possible issue to us that leads to LDAP authentication bypass on our Access Server 2.8.0. We investigated this and were able to reproduce the problem. We found that when an LDAP authentication system is used in combination with Access Server version 2.8.0 (other versions are not affected), there is a security flaw in the login process. Customers that are using two-factor authentication, which many fortunately do, are still protected thanks to the extra security factor. Regardless, we recommend that anyone running Access Server 2.8.0 in combination with LDAP upgrade to version 2.8.1 immediately.
Customers that are using Access Server without LDAP are not affected by this issue. Customers using a version of Access Server other than 2.8.0 are also not affected.
If you are running Access Server 2.8.0 and you use LDAP authentication, you should update to 2.8.1 as soon as possible. We released this version within hours of reproducing the problem. We are also submitting a CVE report for full transparency and to make people aware that they should update. The CVE we published for this is CVE-2020-9853.