SB2018092512 - Red Hat update for 389-ds-base

Description

This security bulletin contains information about 4 secuirty vulnerabilities.

1) Race condition (CVE-ID: CVE-2018-10850)

The vulnerability allows a remote attacker to cause DoS condition on the target system.

The vulnerability exists due to a race condition in the way 389-ds-base handles persistent search. A remote attacker can send a specially crafted request that submits malicious input and cause the system to crash.

2) Improper input validation (CVE-ID: CVE-2018-10935)

The vulnerability allows a remote authenticated attacker to cause DoS condition on the target system.

The vulnerability exists due to improper processing of Lightweight Directory Access Protocol (LDAP) queries. A remote attacker can send execute the ldapsearch command with server-side sorting controls and cause the LDAP server to crash, resulting in a DoS condition.

3) Improper input validation (CVE-ID: CVE-2018-14624)

The vulnerability allows a remote attacker to cause DoS condition on the target system.

The weakness exists due to incorrect use of the lock controlling error log when re-opening the log file in log__error_emergency(. A remote attacker can send a flood of modifications to a very large DN and cause the slapd to crash.

4) Denial of service (CVE-ID: CVE-2018-14638)

The vulnerability allows a remote attacker to cause DoS condition on the target system.

The vulnerability exists due to unspecified flaw. A remote attacker can terminate persistent search connections and cause the process ns-slapd to crash in delete_passwdPolicy function.

Remediation

Install update from vendor's website.

References

• https://access.redhat.com/errata/RHSA-2018:2757