Home » OpenLDAP: Several vulnerabilities allow Denial of Service

OpenLDAP: Several vulnerabilities allow Denial of Service

by admin
OpenLDAP: Several vulnerabilities allow Denial of Service

As reported by the BSI, a vulnerability has been found in OpenLDAP. You can read here on news.de which operating systems and products are affected by the vulnerability.

The Federal Office for Security in der Informationstechnik (BSI) published an update on May 5th, 2023 to a vulnerability for OpenLDAP that became known on January 27th, 2021. The operating systems UNIX, Linux, MacOS X and Windows as well as the products Debian Linux, Amazon Linux 2, Ubuntu Linux, SUSE Linux, Open Source OpenLDAP and Hitachi Energy RTU500 are affected by the vulnerability.

The latest manufacturer recommendations regarding updates, workarounds and security patches for this vulnerability can be found here: Amazon Linux Security Advisory ALAS-2023-1741 (Status: 04.05.2023). Other useful sources are listed later in this article.

Security Advice for OpenLDAP – Risk: medium

Risk level: 3 (medium)
CVSS Base Score: 7,5
CVSS Temporal Score: 6,5
Remoteangriff: Ja

The Common Vulnerability Scoring System (CVSS) is used to assess the vulnerability of computer systems. The CVSS standard makes it possible to compare potential or actual security vulnerabilities based on various criteria in order to better prioritize countermeasures. The attributes “none”, “low”, “medium”, “high” and “critical” are used for the severity of a vulnerability. The base score assesses the prerequisites for an attack (including authentication, complexity, privileges, user interaction) and its consequences. With the temporal score, framework conditions that change over time are included in the evaluation. The severity of the vulnerability discussed here is rated as “medium” according to the CVSS with a base score of 7.5.

See also  In 2023, artificial intelligence has given a boost to misinformation

OpenLDAP Bug: Several vulnerabilities allow Denial of Service

OpenLDAP is a freely available implementation of the LDAP directory service.

An unknown attacker can exploit several vulnerabilities in OpenLDAP to perform a Denial of Service attack.

The vulnerability is identified with the individual CVE serial numbers (Common Vulnerabilities and Exposures) CVE-2020-36221, CVE-2020-36222, CVE-2020-36223, CVE-2020-36224, CVE-2020-36225, CVE-2020-36226, CVE-2020-36227, CVE-2020-36228, CVE-2020-36229 und CVE-2020-36230 traded.

Systems affected by the OpenLDAP vulnerability at a glance

operating systems
UNIX, Linux, MacOS X, Windows

Products
Debian Linux (cpe:/o:debian:debian_linux)
Amazon Linux 2 (cpe:/o:amazon:linux_2)
Ubuntu Linux (cpe:/o:canonical:ubuntu_linux)
SUSE Linux (cpe:/o:suse:suse_linux)
Open Source OpenLDAP < 2.4.57 (cpe:/a:openldap:openldap)
Hitachi Energy RTU500 < 12.4.11 (cpe:/h:abb:rtu500)
Hitachi Energy RTU500 < 12.6.7 (cpe:/h:abb:rtu500)
Hitachi Energy RTU500 < 12.7.2 (cpe:/h:abb:rtu500)
Hitachi Energy RTU500 < 13.2.3 (cpe:/h:abb:rtu500)

General measures for dealing with IT security gaps

  1. Users of the affected applications should keep them up to date. When security vulnerabilities become known, manufacturers are required to remedy them as quickly as possible by developing a patch or a workaround. If new security updates are available, install them promptly.
  2. For information, consult the sources listed in the next section. These often contain further information on the latest version of the software in question and the availability of security patches or tips on workarounds.
  3. If you have any further questions or are uncertain, please contact your responsible administrator. IT security officers should regularly check when the IT security warning affected manufacturers makes a new security update available.

Manufacturer information on updates, patches and workarounds

Here you will find further links with information about bug reports, security fixes and workarounds.

Amazon Linux Security Advisory ALAS-2023-1741 vom 2023-05-04 (05.05.2023)
For more information, see: https://alas.aws.amazon.com/ALAS-2023-1741.html

See also  Vivo V30 Pro smartphone: Aura Light as a special eye-catcher!

Amazon Linux Security Advisory ALAS-2023-2033 vom 2023-05-03 (03.05.2023)
For more information, see: https://alas.aws.amazon.com/AL2/ALAS-2023-2033.html

Hitachi Cybersecurity Advisory (08.12.2021)
For more information, see: https://search.abb.com/library/Download.aspx?DocumentID=8DBD000066&LanguageCode=en&DocumentPartId=&Action=Launch

Hitachi Cybersecurity Advisory (08.12.2021)
For more information, see: https://search.abb.com/library/Download.aspx?DocumentID=8DBD000066&LanguageCode=en&DocumentPartId=&Action=Launch

Amazon Linux Security Advisory ALAS-2021-1707 vom 2021-09-15 (16.09.2021)
For more information, see: https://alas.aws.amazon.com/AL2/ALAS-2021-1707.html

SUSE Security Update SUSE-SU-2021:14700-1 vom 2021-04-16 (19.04.2021)
For more information, see: https://lists.suse.com/pipermail/sle-security-updates/2021-April/008644.html

SUSE Security Update SUSE-SU-2021:0692-1 vom 2021-03-03 (04.03.2021)
For more information, see: https://lists.suse.com/pipermail/sle-security-updates/2021-March/008431.html

SUSE Security Update SUSE-SU-2021:0693-1 vom 2021-03-03 (04.03.2021)
For more information, see: https://lists.suse.com/pipermail/sle-security-updates/2021-March/008428.html

Ubuntu Security Notice USN-4724-1 vom 2021-02-08 (09.02.2021)
For more information, see: https://ubuntu.com/security/notices/USN-4724-1

Ubuntu Security Notice USN-4724-1 vom 2021-02-08 (09.02.2021)
For more information, see: https://usn.ubuntu.com/4724-1

Debian Security Advisory DLA-2544 vom 2021-02-03 (04.02.2021)
For more information, see: https://lists.debian.org/debian-lts-announce/2021/02/msg00005.html

Debian Security Advisory DSA-4845 vom 2021-02-03 (04.02.2021)
For more information, see: https://www.debian.org/security/2021/dsa-4845

NIST Database vom 2021-01-26 (27.01.2021)
For more information, see: https://nvd.nist.gov/vuln/detail/CVE-2020-36230

NIST Database vom 2021-01-26 (27.01.2021)
For more information, see: https://nvd.nist.gov/vuln/detail/CVE-2020-36229

NIST Database vom 2021-01-26 (27.01.2021)
For more information, see: https://nvd.nist.gov/vuln/detail/CVE-2020-36228

NIST Database vom 2021-01-26 (27.01.2021)
For more information, see: https://nvd.nist.gov/vuln/detail/CVE-2020-36227

NIST Database vom 2021-01-26 (27.01.2021)
For more information, see: https://nvd.nist.gov/vuln/detail/CVE-2020-36226

NIST Database vom 2021-01-26 (27.01.2021)
For more information, see: https://nvd.nist.gov/vuln/detail/CVE-2020-36225

NIST Database vom 2021-01-26 (27.01.2021)
For more information, see: https://nvd.nist.gov/vuln/detail/CVE-2020-36224

NIST Database vom 2021-01-26 (27.01.2021)
For more information, see: https://nvd.nist.gov/vuln/detail/CVE-2020-36223

NIST Database vom 2021-01-26 (27.01.2021)
For more information, see: https://nvd.nist.gov/vuln/detail/CVE-2020-36222

NIST Database vom 2021-01-26 (27.01.2021)
For more information, see: https://nvd.nist.gov/vuln/detail/CVE-2020-36221

Version history of this security alert

This is the 9th version of this IT security notice for OpenLDAP. If further updates are announced, this text will be updated. You can understand the changes made using the following version history.

See also  QT compromised: Security Alert! Several IT vulnerabilities reported

01/27/2021 – Initial version
2021-02-04 – Added new updates from Debian
02/09/2021 – Added new updates of Ubuntu
03/04/2021 – Added new updates from SUSE
04/19/2021 – Added new updates from SUSE
09/16/2021 – Added new updates from Amazon
12/08/2021 – Added new updates
05/03/2023 – Added new updates from Amazon
05/05/2023 – Added new updates from Amazon

+++ Editorial note: This text was created with the help of AI on the basis of current BSI data. We accept feedback and comments at [email protected]. +++

follow News.de already at Facebook, Twitter, Pinterest and YouTube? Here you will find the latest news, the latest videos and the direct line to the editors.

roj/news.de

You may also like

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.

This website uses cookies to improve your experience. We'll assume you're ok with this, but you can opt-out if you wish. Accept Read More

Privacy & Cookies Policy