Executive Summary

Summary |
---|---
Title | openldap security update

Information |
---|---
Name | RHSA-2008:0110
First vendor Publication | 2008-02-21
Vendor | RedHat
Last vendor Modification | 2008-02-21
Severity (Vendor) | Moderate
Revision | 01
Security-Database Scoring CVSS v3

CVSS vector | N/A
---|---
Overall CVSS Score | NA
Base Score | NA
Environmental Score | NA
Impact Sub Score | NA
Temporal Score | NA
Exploitability Sub Score | NA
Security-Database Scoring CVSS v2

CVSS vector | (AV:N/AC:L/Au:S/C:N/I:N/A:P)
---|---
CVSS Base Score | 4
Attack Range | Network
CVSS Impact Score | 2.9
Attack Complexity | Low
CVSS Exploit Score | 8
Authentication | Requires single instance
Detail
Problem Description:

Updated openldap packages that fix security issues are now available for Red Hat Enterprise Linux 4 and 5.

This update has been rated as having moderate security impact by the Red Hat Security Response Team.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS version 4 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Enterprise Linux Desktop version 4 - i386, x86_64
Red Hat Enterprise Linux ES version 4 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 4 - i386, ia64, x86_64
Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64
RHEL Desktop Workstation (v. 5 client) - i386, x86_64
Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64

3. Description:

OpenLDAP is an open source suite of Lightweight Directory Access Protocol (LDAP) applications and development tools. LDAP is a set of protocols for accessing directory services.

These updated openldap packages fix a flaw in the way the OpenLDAP slapd daemon handled modify and modrdn requests with NOOP control on objects stored in a Berkeley DB (BDB) storage backend. An authenticated attacker with permission to perform modify or modrdn operations on such LDAP objects could cause slapd to crash. (CVE-2007-6698, CVE-2008-0658)

Users of openldap should upgrade to these updated packages, which contain a backported patch to correct this issue.

4. Solution:

Before applying this update, make sure that all previously-released errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at http://kbase.redhat.com/faq/FAQ_58_10188

5. Bugs fixed (http://bugzilla.redhat.com/):

431203 - CVE-2007-6698 openldap: slapd crash on NOOP control operation on entry in bdb storage
432008 - CVE-2008-0658 openldap: slapd crash on modrdn operation with NOOP control on entry in bdb storage
Original Source
Url : https://rhn.redhat.com/errata/RHSA-2008-0110.html
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
100 % | CWE-399 | Resource Management Errors |
OVAL Definitions
Definition Id: oval:org.mitre.oval:def:10748

Field | Value
---|---
Oval ID | oval:org.mitre.oval:def:10748
Title | The BDB backend for slapd in OpenLDAP before 2.3.36 allows remote authenticated users to cause a denial of service (crash) via a potentially-successful modify operation with the NOOP control set to critical, possibly due to a double free vulnerability.
Description | The BDB backend for slapd in OpenLDAP before 2.3.36 allows remote authenticated users to cause a denial of service (crash) via a potentially-successful modify operation with the NOOP control set to critical, possibly due to a double free vulnerability.
Family | unix
Class | vulnerability
Reference(s) | CVE-2007-6698
Version | 5
Platform(s) | Red Hat Enterprise Linux 4, CentOS Linux 4, Oracle Linux 4, Red Hat Enterprise Linux 5, CentOS Linux 5, Oracle Linux 5
Definition Id: oval:org.mitre.oval:def:17747

Field | Value
---|---
Oval ID | oval:org.mitre.oval:def:17747
Title | USN-584-1 -- openldap2.2, openldap2.3 vulnerabilities
Description | Jonathan Clarke discovered that the OpenLDAP slapd server did not properly handle modify requests when using the Berkeley DB backend and the NOOP control was used.
Family | unix
Class | patch
Reference(s) | USN-584-1, CVE-2007-6698, CVE-2008-0658
Version | 7
Platform(s) | Ubuntu 6.06, Ubuntu 6.10, Ubuntu 7.04, Ubuntu 7.10
Product(s) | openldap2.2, openldap2.3
Definition Id: oval:org.mitre.oval:def:18413

Field | Value
---|---
Oval ID | oval:org.mitre.oval:def:18413
Title | DSA-1541-1 openldap2.3
Description | Several remote vulnerabilities have been discovered in OpenLDAP, a free implementation of the Lightweight Directory Access Protocol.
Family | unix
Class | patch
Reference(s) | DSA-1541-1, CVE-2007-5707, CVE-2007-5708, CVE-2007-6698, CVE-2008-0658
Version | 7
Platform(s) | Debian GNU/Linux 4.0
Product(s) | openldap2.3
Definition Id: oval:org.mitre.oval:def:22636

Field | Value
---|---
Oval ID | oval:org.mitre.oval:def:22636
Title | ELSA-2008:0110: openldap security update (Moderate)
Description | slapd/back-bdb/modrdn.c in the BDB backend for slapd in OpenLDAP 2.3.39 allows remote authenticated users to cause a denial of service (daemon crash) via a modrdn operation with a NOOP (LDAP_X_NO_OPERATION) control, a related issue to CVE-2007-6698.
Family | unix
Class | patch
Reference(s) | ELSA-2008:0110-01, CVE-2007-6698, CVE-2008-0658
Version | 13
Platform(s) | Oracle Linux 5
Product(s) | openldap
Definition Id: oval:org.mitre.oval:def:9470

Field | Value
---|---
Oval ID | oval:org.mitre.oval:def:9470
Title | slapd/back-bdb/modrdn.c in the BDB backend for slapd in OpenLDAP 2.3.39 allows remote authenticated users to cause a denial of service (daemon crash) via a modrdn operation with a NOOP (LDAP_X_NO_OPERATION) control, a related issue to CVE-2007-6698.
Description | slapd/back-bdb/modrdn.c in the BDB backend for slapd in OpenLDAP 2.3.39 allows remote authenticated users to cause a denial of service (daemon crash) via a modrdn operation with a NOOP (LDAP_X_NO_OPERATION) control, a related issue to CVE-2007-6698.
Family | unix
Class | vulnerability
Reference(s) | CVE-2008-0658
Version | 5
Platform(s) | Red Hat Enterprise Linux 4, CentOS Linux 4, Oracle Linux 4, Red Hat Enterprise Linux 5, CentOS Linux 5, Oracle Linux 5
CPE : Common Platform Enumeration
ExploitDB Exploits
Date | Description |
---|---|
2008-02-13 | OpenLDAP 2.3.39 MODRDN Remote Denial of Service Vulnerability |
OpenVAS Exploits
Date | Name | File
---|---|---
2010-05-12 | Mac OS X 10.6.2 Update / Mac OS X Security Update 2009-006 | nvt/macosx_upd_10_6_2_secupd_2009-006.nasl
2009-10-10 | SLES9: Security update for OpenLDAP 2 | nvt/sles9p5023640.nasl
2009-04-09 | Mandriva Update for openldap MDVSA-2008:058 (openldap) | nvt/gb_mandriva_MDVSA_2008_058.nasl
2009-03-23 | Ubuntu Update for openldap2.2, openldap2.3 vulnerabilities USN-584-1 | nvt/gb_ubuntu_USN_584_1.nasl
2009-03-06 | RedHat Update for openldap RHSA-2008:0110-01 | nvt/gb_RHSA-2008_0110-01_openldap.nasl
2009-02-27 | CentOS Update for compat-openldap CESA-2008:0110 centos4 i386 | nvt/gb_CESA-2008_0110_compat-openldap_centos4_i386.nasl
2009-02-27 | CentOS Update for compat-openldap CESA-2008:0110 centos4 x86_64 | nvt/gb_CESA-2008_0110_compat-openldap_centos4_x86_64.nasl
2009-02-27 | CentOS Update for compat-openldap CESA-2008:0110 centos5 i386 | nvt/gb_CESA-2008_0110_compat-openldap_centos5_i386.nasl
2009-02-27 | CentOS Update for compat-openldap CESA-2008:0110 centos5 x86_64 | nvt/gb_CESA-2008_0110_compat-openldap_centos5_x86_64.nasl
2009-02-17 | Fedora Update for openldap FEDORA-2008-6029 | nvt/gb_fedora_2008_6029_openldap_fc8.nasl
2009-02-16 | Fedora Update for openldap FEDORA-2008-1307 | nvt/gb_fedora_2008_1307_openldap_fc7.nasl
2009-02-16 | Fedora Update for openldap FEDORA-2008-1568 | nvt/gb_fedora_2008_1568_openldap_fc8.nasl
2009-02-16 | Fedora Update for openldap FEDORA-2008-1616 | nvt/gb_fedora_2008_1616_openldap_fc7.nasl
2008-09-24 | Gentoo Security Advisory GLSA 200803-28 (openldap) | nvt/glsa_200803_28.nasl
2008-09-04 | FreeBSD Ports: openldap-server | nvt/freebsd_openldap-server1.nasl
2008-04-21 | Debian Security Advisory DSA 1541-1 (openldap2.3) | nvt/deb_1541_1.nasl
Open Source Vulnerability Database (OSVDB)
Id | Description |
---|---|
43306 | OpenLDAP slapd BDB Backend Crafted Modify Operation Remote DoS: OpenLDAP contains a flaw that may allow a remote denial of service. The issue is triggered when trying a modify operation with the NOOP control set to critical on an entry stored in a BDB back-end, and will result in loss of availability for the service. |
41948 | OpenLDAP slapd BDB Backend modrdn.c modrdn Operation NOOP Control Remote DoS |
Nessus® Vulnerability Scanner
Date | Name | File | Type
---|---|---|---
2013-07-12 | The remote Oracle Linux host is missing one or more security updates. | oraclelinux_ELSA-2008-0110.nasl | ACT_GATHER_INFO
2012-08-01 | The remote Scientific Linux host is missing one or more security updates. | sl_20080221_openldap_on_SL4_x.nasl | ACT_GATHER_INFO
2009-11-09 | The remote host is missing a Mac OS X update that fixes various security issues. | macosx_SecUpd2009-006.nasl | ACT_GATHER_INFO
2009-09-24 | The remote SuSE 9 host is missing a security-related patch. | suse9_12075.nasl | ACT_GATHER_INFO
2009-04-23 | The remote Mandriva Linux host is missing one or more security updates. | mandriva_MDVSA-2008-058.nasl | ACT_GATHER_INFO
2008-04-28 | The remote SuSE 10 host is missing a security-related patch. | suse_openldap2-4989.nasl | ACT_GATHER_INFO
2008-04-28 | The remote openSUSE host is missing a security update. | suse_openldap2-4999.nasl | ACT_GATHER_INFO
2008-04-11 | The remote Debian host is missing a security-related update. | debian_DSA-1541.nasl | ACT_GATHER_INFO
2008-03-21 | The remote Gentoo host is missing one or more security-related patches. | gentoo_GLSA-200803-28.nasl | ACT_GATHER_INFO
2008-03-07 | The remote Ubuntu host is missing one or more security-related patches. | ubuntu_USN-584-1.nasl | ACT_GATHER_INFO
2008-02-25 | The remote CentOS host is missing one or more security updates. | centos_RHSA-2008-0110.nasl | ACT_GATHER_INFO
2008-02-25 | The remote FreeBSD host is missing one or more security-related updates. | freebsd_pkg_e5d29309e0db11dc97b2001c2514716c.nasl | ACT_GATHER_INFO
2008-02-25 | The remote Red Hat host is missing one or more security updates. | redhat-RHSA-2008-0110.nasl | ACT_GATHER_INFO
2008-02-14 | The remote Fedora host is missing a security update. | fedora_2008-1568.nasl | ACT_GATHER_INFO
2008-02-14 | The remote Fedora host is missing a security update. | fedora_2008-1616.nasl | ACT_GATHER_INFO
2008-02-11 | The remote Fedora host is missing a security update. | fedora_2008-1307.nasl | ACT_GATHER_INFO
Alert History
Date | Information
---|---
2014-02-17 11:51:25 |