CVSS2 base score: 5 (Medium)
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: PARTIAL
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P
EPSS: 0.024 (Low), percentile 90.0%
Multiple versions of OpenLDAP contain vulnerabilities that may allow denial-of-service attacks. These vulnerabilities were revealed using the PROTOS LDAPv3 test suite and are documented in CERT Advisory CA-2001-18. If your site uses this product, the CERT/CC encourages you to follow the advice provided below.
There are multiple vulnerabilities in the OpenLDAP implementation of the LDAP protocol. These vulnerabilities exist in the code that decodes incoming BER-encoded LDAP protocol data units into the server's internal data structures, that is, in the parsing that runs on attacker-supplied bytes before any authentication takes place.
In the encoding section of the test suite, OpenLDAP failed the group that tests the handling of invalid BER length-of-length fields (the long-form length encoding, in which the first length octet states how many further octets carry the length; malformed values can claim more length octets, or more content, than the message actually contains).
In the application section of the test suite, OpenLDAP passed all 6685 test cases.
These vulnerabilities allow a remote, unauthenticated attacker to crash affected OpenLDAP servers, resulting in a denial-of-service condition. No confidentiality or integrity impact is known.
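The following is an added example, not OpenLDAP's code and not part of the CERT/CC note: a BER length decoder that rejects every malformed length-of-length case before it reads or allocates anything based on the attacker-supplied length. The enum, function and sample names are this example's own, and the byte sequences are constructed to illustrate the failure class, not captured PROTOS test cases.

```c
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

/* Result of decoding one BER length field (names are this example's own). */
enum ber_len_status {
    BER_LEN_OK = 0,
    BER_LEN_TRUNCATED,       /* buffer ends inside the length field */
    BER_LEN_INDEFINITE,      /* first octet 0x80: indefinite form, not permitted in LDAP */
    BER_LEN_RESERVED,        /* first octet 0xFF: reserved by X.690 */
    BER_LEN_TOO_WIDE,        /* more length octets than size_t can hold */
    BER_LEN_EXCEEDS_BUFFER   /* decoded content length runs past the data present */
};

/*
 * Decode the length field that follows a BER tag.
 *   buf/avail : octets present after the tag
 *   *len      : receives the content length
 *   *used     : receives the number of octets the length field occupied
 * Every rejection happens before any content octet is touched, so a caller
 * never indexes or allocates from an unchecked, attacker-supplied length.
 */
enum ber_len_status ber_decode_length(const uint8_t *buf, size_t avail,
                                      size_t *len, size_t *used)
{
    if (avail < 1)
        return BER_LEN_TRUNCATED;

    uint8_t first = buf[0];

    /* Short form: a single octet holding a length of 0..127. */
    if ((first & 0x80) == 0) {
        *len = first;
        *used = 1;
        return (*len > avail - 1) ? BER_LEN_EXCEEDS_BUFFER : BER_LEN_OK;
    }
    if (first == 0x80)
        return BER_LEN_INDEFINITE;
    if (first == 0xFF)
        return BER_LEN_RESERVED;

    /* Long form: the low 7 bits are the length-of-length, i.e. how many
     * big-endian length octets follow. This is the field the PROTOS
     * "invalid BER length of length" group exercises. */
    size_t nlen = first & 0x7F;
    if (nlen > sizeof(size_t))
        return BER_LEN_TOO_WIDE;        /* would overflow the accumulator */
    if (nlen > avail - 1)
        return BER_LEN_TRUNCATED;       /* the length octets themselves are missing */

    size_t value = 0;
    for (size_t i = 0; i < nlen; i++)
        value = (value << 8) | buf[1 + i];

    *len = value;
    *used = 1 + nlen;
    return (value > avail - *used) ? BER_LEN_EXCEEDS_BUFFER : BER_LEN_OK;
}

/* Convenience wrapper: content length on success, -1 on any rejection. */
long ber_decoded_length(const uint8_t *buf, size_t avail)
{
    size_t len = 0, used = 0;
    return ber_decode_length(buf, avail, &len, &used) == BER_LEN_OK ? (long)len : -1;
}

/* Constructed samples (not captured traffic): the octets that would follow the
 * 0x30 SEQUENCE tag of an LDAPMessage, with the verdict a decoder must give. */
struct ber_sample {
    const char *name;
    uint8_t bytes[12];
    size_t n;
    enum ber_len_status want;
};

static const struct ber_sample samples[] = {
    { "short form, 5 content octets present",
      {0x05, 0x02, 0x01, 0x01, 0x60, 0x00}, 6, BER_LEN_OK },
    { "long form 0x82 0x01 0x00 claims 256 octets, only 3 follow",
      {0x82, 0x01, 0x00, 0x02, 0x01, 0x01}, 6, BER_LEN_EXCEEDS_BUFFER },
    { "length-of-length says 2 octets, only 1 present",
      {0x82, 0x01}, 2, BER_LEN_TRUNCATED },
    { "indefinite form 0x80",
      {0x80, 0x02, 0x01, 0x01}, 4, BER_LEN_INDEFINITE },
    { "reserved 0xFF first octet",
      {0xFF, 0x00}, 2, BER_LEN_RESERVED },
    { "length-of-length 0x89 = 9 octets, wider than size_t",
      {0x89, 0, 0, 0, 0, 0, 0, 0, 0, 0}, 10, BER_LEN_TOO_WIDE },
};

/* Number of samples whose decode result differs from the expected verdict. */
int ber_sample_mismatches(void)
{
    int bad = 0;
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        size_t len = 0, used = 0;
        if (ber_decode_length(samples[i].bytes, samples[i].n, &len, &used) != samples[i].want)
            bad++;
    }
    return bad;
}

int main(void)
{
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        size_t len = 0, used = 0;
        enum ber_len_status st = ber_decode_length(samples[i].bytes, samples[i].n, &len, &used);
        printf("%-58s -> %s\n", samples[i].name, st == BER_LEN_OK ? "accepted" : "rejected");
    }
    printf("%d mismatch(es)\n", ber_sample_mismatches());
    return 0;
}
```

The order of the checks is the point: the length-of-length is validated against both the accumulator width and the octets actually present, and the resulting content length against the remaining buffer, before the decoder advances. A decoder that trusts any of those three values and then reads, copies or allocates from it is the kind of code the PROTOS encoding group crashes. Note that non-minimal long-form encodings (for example 0x81 0x03 for a length of 3) are accepted, since LDAP uses BER rather than DER.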
Apply a patch from your vendor
Please consult the Systems Affected section for vendor-specific information on addressing this vulnerability.
Block access to directory services at network perimeter
As a temporary measure, it is possible to limit the scope of these vulnerabilities by blocking access to directory services at the network perimeter. The relevant ports are listed below; LDAP itself runs over TCP, and the UDP entries are the registered service assignments. Please note that this workaround does not protect vulnerable products from internal attacks, or from any host that can still reach the directory service.
ldap 389/tcp # Lightweight Directory Access Protocol
ldap 389/udp # Lightweight Directory Access Protocol
ldaps 636/tcp # ldap protocol over TLS/SSL (was sldap)
ldaps 636/udp # ldap protocol over TLS/SSL (was sldap)
Systems Affected (VU#935800)
Conectiva
Updated: November 01, 2001
Status: Affected
Vendor Statement: Conectiva has announced the release of updated OpenLDAP packages to address this vulnerability. For more information, please visit http://distro.conectiva.com/atualizacoes/?id=a&anuncio=000417
Vendor Information: The vendor has not provided us with any further information regarding this vulnerability.
Addendum: The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23935800 Feedback>).
Debian
Notified: August 09, 2001. Updated: December 12, 2002
Status: Affected
Vendor Statement: We have not received a statement from the vendor.
Vendor Information: The vendor has not provided us with any further information regarding this vulnerability.
Addendum: Debian has published Debian Security Advisory DSA-068-1 to address this vulnerability. For more information, please see http://www.debian.org/security/2001/dsa-068
MandrakeSoft
Notified: August 13, 2001. Updated: December 12, 2002
Status: Affected
Vendor Statement: We have not received a statement from the vendor.
Vendor Information: The vendor has not provided us with any further information regarding this vulnerability.
Addendum: MandrakeSoft has published MandrakeSoft Security Advisory MDKSA-2001:069 to address this vulnerability. For more information, please see http://www.mandrakesecure.net/en/advisories/advisory.php?name=MDKSA-2001:069
OpenLDAP Project
Notified: May 03, 2001. Updated: July 16, 2001
Status: Affected
Vendor Statement: We have not received a statement from the vendor.
Vendor Information: The vendor has not provided us with any further information regarding this vulnerability.
Addendum: To address these vulnerabilities, the OpenLDAP Project has released OpenLDAP 1.2.12 for use in LDAPv2 environments and OpenLDAP 2.0.8 for use in LDAPv3 environments. The CERT/CC recommends that users of OpenLDAP contact their software vendor or obtain the latest version, available at http://www.openLDAP.org/software/download/
Red Hat
Updated: November 01, 2001
Status: Affected
Vendor Statement: Red Hat has announced the release of updated OpenLDAP packages to address this vulnerability. For more information, please visit http://www.redhat.com/support/errata/RHSA-2001-098.html
Vendor Information: The vendor has not provided us with any further information regarding this vulnerability.
Addendum: The CERT/CC has no additional comments at this time.
The CERT Coordination Center thanks the Oulu University Secure Programming Group for reporting these vulnerabilities to us, for their detailed technical analyses, and for their assistance in preparing this document. We would also like to thank the OpenLDAP Core Team for their assistance in preparing this document.
This document was written by Jeffrey P. Lanza.
CVE IDs: CVE-2001-0977
CERT Advisory: CA-2001-18