CVE-2016-0741 - slapd/connection.c in 389 Directory Server (formerly Fedora Directory Server) 1.3.4.x before 1.3.4.7

CVE-2016-0741

Summary

slapd/connection.c in 389 Directory Server (formerly Fedora Directory Server) 1.3.4.x before 1.3.4.7 allows remote attackers to cause a denial of service (infinite loop and connection blocking) by leveraging an abnormally closed connection.

References

Vulnerable Configurations

cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_hpc_node:7.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_hpc_node:7.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*
cpe:2.3:a:fedoraproject:389_directory_server:1.3.4.0:*:*:*:*:*:*:*
cpe:2.3:a:fedoraproject:389_directory_server:1.3.4.0:*:*:*:*:*:*:*
cpe:2.3:a:fedoraproject:389_directory_server:1.3.4.1:*:*:*:*:*:*:*
cpe:2.3:a:fedoraproject:389_directory_server:1.3.4.1:*:*:*:*:*:*:*
cpe:2.3:a:fedoraproject:389_directory_server:1.3.4.4:*:*:*:*:*:*:*
cpe:2.3:a:fedoraproject:389_directory_server:1.3.4.4:*:*:*:*:*:*:*
cpe:2.3:a:fedoraproject:389_directory_server:1.3.4.5:*:*:*:*:*:*:*
cpe:2.3:a:fedoraproject:389_directory_server:1.3.4.5:*:*:*:*:*:*:*

CVSS

Base:	7.8 (as of 12-10-2016 - 02:01)
Impact:
Exploitability:

CWE

CWE-399

CAPEC

Access

Vector	Complexity	Authentication
NETWORK	LOW	NONE

Impact

Confidentiality	Integrity	Availability
NONE	NONE	COMPLETE

cvss-vector via4

AV:N/AC:L/Au:N/C:N/I:N/A:C

redhat via4

advisories

bugzilla

id	1299416
title	CVE-2016-0741 389-ds-base: worker threads do not detect abnormally closed connections causing DoS

oval

comment Red Hat Enterprise Linux must be installed
oval oval:com.redhat.rhba:tst:20070304026

AND

comment Red Hat Enterprise Linux 7 is installed
oval oval:com.redhat.rhba:tst:20150364027

AND
comment 389-ds-base is earlier than 0:1.3.4.0-26.el7_2
oval oval:com.redhat.rhsa:tst:20160204001
comment 389-ds-base is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhba:tst:20151554002

AND

comment 389-ds-base-devel is earlier than 0:1.3.4.0-26.el7_2
oval oval:com.redhat.rhsa:tst:20160204003
comment 389-ds-base-devel is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhba:tst:20151554004

AND

comment 389-ds-base-libs is earlier than 0:1.3.4.0-26.el7_2
oval oval:com.redhat.rhsa:tst:20160204005
comment 389-ds-base-libs is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhba:tst:20151554006

rhsa

id	RHSA-2016:0204
released	2016-02-16
severity	Important
title	RHSA-2016:0204: 389-ds-base security and bug fix update (Important)

rpms

389-ds-base-0:1.3.4.0-26.el7_2
389-ds-base-debuginfo-0:1.3.4.0-26.el7_2
389-ds-base-devel-0:1.3.4.0-26.el7_2
389-ds-base-libs-0:1.3.4.0-26.el7_2

refmap via4

bid	82343
confirm	http://directory.fedoraproject.org/docs/389ds/releases/release-1-3-4-7.html http://www.oracle.com/technetwork/topics/security/linuxbulletinjan2016-2867209.html https://fedorahosted.org/389/changeset/cd45d032421b0ecf76d8cbb9b1c3aeef7680d9a2/ https://fedorahosted.org/389/ticket/48412

Last major update

12-10-2016 - 02:01

Published

19-04-2016 - 21:59

Last modified

12-10-2016 - 02:01