As reported by the BSI, a vulnerability has been found in OpenLDAP. You can read here on news.de which operating systems and products are affected by the vulnerability.
The Federal Office for Security in der Informationstechnik (BSI) published an update on May 5th, 2023 to a vulnerability for OpenLDAP that became known on January 27th, 2021. The operating systems UNIX, Linux, MacOS X and Windows as well as the products Debian Linux, Amazon Linux 2, Ubuntu Linux, SUSE Linux, Open Source OpenLDAP and Hitachi Energy RTU500 are affected by the vulnerability.
The latest manufacturer recommendations regarding updates, workarounds and security patches for this vulnerability can be found here: Amazon Linux Security Advisory ALAS-2023-1741 (Status: 04.05.2023). Other useful sources are listed later in this article.
Security Advice for OpenLDAP – Risk: medium
Risk level: 3 (medium)
CVSS Base Score: 7,5
CVSS Temporal Score: 6,5
Remoteangriff: Ja
The Common Vulnerability Scoring System (CVSS) is used to assess the vulnerability of computer systems. The CVSS standard makes it possible to compare potential or actual security vulnerabilities based on various criteria in order to better prioritize countermeasures. The attributes “none”, “low”, “medium”, “high” and “critical” are used for the severity of a vulnerability. The base score assesses the prerequisites for an attack (including authentication, complexity, privileges, user interaction) and its consequences. With the temporal score, framework conditions that change over time are included in the evaluation. The severity of the vulnerability discussed here is rated as “medium” according to the CVSS with a base score of 7.5.
OpenLDAP Bug: Several vulnerabilities allow Denial of Service
OpenLDAP is a freely available implementation of the LDAP directory service.
An unknown attacker can exploit several vulnerabilities in OpenLDAP to perform a Denial of Service attack.
The vulnerability is identified with the individual CVE serial numbers (Common Vulnerabilities and Exposures) CVE-2020-36221, CVE-2020-36222, CVE-2020-36223, CVE-2020-36224, CVE-2020-36225, CVE-2020-36226, CVE-2020-36227, CVE-2020-36228, CVE-2020-36229 und CVE-2020-36230 traded.
Systems affected by the OpenLDAP vulnerability at a glance
operating systems
UNIX, Linux, MacOS X, Windows
Products
Debian Linux (cpe:/o:debian:debian_linux)
Amazon Linux 2 (cpe:/o:amazon:linux_2)
Ubuntu Linux (cpe:/o:canonical:ubuntu_linux)
SUSE Linux (cpe:/o:suse:suse_linux)
Open Source OpenLDAP < 2.4.57 (cpe:/a:openldap:openldap)
Hitachi Energy RTU500 < 12.4.11 (cpe:/h:abb:rtu500)
Hitachi Energy RTU500 < 12.6.7 (cpe:/h:abb:rtu500)
Hitachi Energy RTU500 < 12.7.2 (cpe:/h:abb:rtu500)
Hitachi Energy RTU500 < 13.2.3 (cpe:/h:abb:rtu500)
General measures for dealing with IT security gaps
- Users of the affected applications should keep them up to date. When security vulnerabilities become known, manufacturers are required to remedy them as quickly as possible by developing a patch or a workaround. If new security updates are available, install them promptly.
- For information, consult the sources listed in the next section. These often contain further information on the latest version of the software in question and the availability of security patches or tips on workarounds.
- If you have any further questions or are uncertain, please contact your responsible administrator. IT security officers should regularly check when the IT security warning affected manufacturers makes a new security update available.
Manufacturer information on updates, patches and workarounds
Here you will find further links with information about bug reports, security fixes and workarounds.
Amazon Linux Security Advisory ALAS-2023-1741 vom 2023-05-04 (05.05.2023)
For more information, see: https://alas.aws.amazon.com/ALAS-2023-1741.html
Amazon Linux Security Advisory ALAS-2023-2033 vom 2023-05-03 (03.05.2023)
For more information, see: https://alas.aws.amazon.com/AL2/ALAS-2023-2033.html
Hitachi Cybersecurity Advisory (08.12.2021)
For more information, see: https://search.abb.com/library/Download.aspx?DocumentID=8DBD000066&LanguageCode=en&DocumentPartId=&Action=Launch
Hitachi Cybersecurity Advisory (08.12.2021)
For more information, see: https://search.abb.com/library/Download.aspx?DocumentID=8DBD000066&LanguageCode=en&DocumentPartId=&Action=Launch
Amazon Linux Security Advisory ALAS-2021-1707 vom 2021-09-15 (16.09.2021)
For more information, see: https://alas.aws.amazon.com/AL2/ALAS-2021-1707.html
SUSE Security Update SUSE-SU-2021:14700-1 vom 2021-04-16 (19.04.2021)
For more information, see: https://lists.suse.com/pipermail/sle-security-updates/2021-April/008644.html
SUSE Security Update SUSE-SU-2021:0692-1 vom 2021-03-03 (04.03.2021)
For more information, see: https://lists.suse.com/pipermail/sle-security-updates/2021-March/008431.html
SUSE Security Update SUSE-SU-2021:0693-1 vom 2021-03-03 (04.03.2021)
For more information, see: https://lists.suse.com/pipermail/sle-security-updates/2021-March/008428.html
Ubuntu Security Notice USN-4724-1 vom 2021-02-08 (09.02.2021)
For more information, see: https://ubuntu.com/security/notices/USN-4724-1
Ubuntu Security Notice USN-4724-1 vom 2021-02-08 (09.02.2021)
For more information, see: https://usn.ubuntu.com/4724-1
Debian Security Advisory DLA-2544 vom 2021-02-03 (04.02.2021)
For more information, see: https://lists.debian.org/debian-lts-announce/2021/02/msg00005.html
Debian Security Advisory DSA-4845 vom 2021-02-03 (04.02.2021)
For more information, see: https://www.debian.org/security/2021/dsa-4845
NIST Database vom 2021-01-26 (27.01.2021)
For more information, see: https://nvd.nist.gov/vuln/detail/CVE-2020-36230
NIST Database vom 2021-01-26 (27.01.2021)
For more information, see: https://nvd.nist.gov/vuln/detail/CVE-2020-36229
NIST Database vom 2021-01-26 (27.01.2021)
For more information, see: https://nvd.nist.gov/vuln/detail/CVE-2020-36228
NIST Database vom 2021-01-26 (27.01.2021)
For more information, see: https://nvd.nist.gov/vuln/detail/CVE-2020-36227
NIST Database vom 2021-01-26 (27.01.2021)
For more information, see: https://nvd.nist.gov/vuln/detail/CVE-2020-36226
NIST Database vom 2021-01-26 (27.01.2021)
For more information, see: https://nvd.nist.gov/vuln/detail/CVE-2020-36225
NIST Database vom 2021-01-26 (27.01.2021)
For more information, see: https://nvd.nist.gov/vuln/detail/CVE-2020-36224
NIST Database vom 2021-01-26 (27.01.2021)
For more information, see: https://nvd.nist.gov/vuln/detail/CVE-2020-36223
NIST Database vom 2021-01-26 (27.01.2021)
For more information, see: https://nvd.nist.gov/vuln/detail/CVE-2020-36222
NIST Database vom 2021-01-26 (27.01.2021)
For more information, see: https://nvd.nist.gov/vuln/detail/CVE-2020-36221
Version history of this security alert
This is the 9th version of this IT security notice for OpenLDAP. If further updates are announced, this text will be updated. You can understand the changes made using the following version history.
01/27/2021 – Initial version
2021-02-04 – Added new updates from Debian
02/09/2021 – Added new updates of Ubuntu
03/04/2021 – Added new updates from SUSE
04/19/2021 – Added new updates from SUSE
09/16/2021 – Added new updates from Amazon
12/08/2021 – Added new updates
05/03/2023 – Added new updates from Amazon
05/05/2023 – Added new updates from Amazon
+++ Editorial note: This text was created with the help of AI on the basis of current BSI data. We accept feedback and comments at zettel@news.de. +++
follow News.de already at Facebook, Twitter, Pinterest and YouTube? Here you will find the latest news, the latest videos and the direct line to the editors.
roj/news.de