Amazon Linux AMI update for 389-ds-base
| Risk | Low |
| Patch available | YES |
| Number of vulnerabilities | 4 |
| CVE-ID | CVE-2018-10871 CVE-2019-10224 CVE-2019-14824 CVE-2019-3883 |
| CWE-ID | CWE-312 CWE-200 CWE-399 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software Subscribe |
Amazon Linux AMI Operating systems & Components / Operating system |
| Vendor | Amazon Web Services |
Security Bulletin
This security bulletin contains information about 4 vulnerabilities.
1) Cleartext storage of sensitive information
EUVDB-ID: #VU23004
Risk: Low
CVSSv3.1: 2.9 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2018-10871
CWE-ID:
CWE-312 - Cleartext Storage of Sensitive Information
Exploit availability: No
DescriptionThe vulnerability allows a local user to gain access to sensitive information.
The vulnerability exists when the Replica and/or retroChangeLog plugins are enabled. A local user can gain access to sensitive information stored in the log files in plain text.
Update the affected packages:
i686:Vulnerable software versions
389-ds-base-libs-1.3.9.1-12.65.amzn1.i686
389-ds-base-1.3.9.1-12.65.amzn1.i686
389-ds-base-snmp-1.3.9.1-12.65.amzn1.i686
389-ds-base-devel-1.3.9.1-12.65.amzn1.i686
389-ds-base-debuginfo-1.3.9.1-12.65.amzn1.i686
src:
389-ds-base-1.3.9.1-12.65.amzn1.src
x86_64:
389-ds-base-devel-1.3.9.1-12.65.amzn1.x86_64
389-ds-base-1.3.9.1-12.65.amzn1.x86_64
389-ds-base-snmp-1.3.9.1-12.65.amzn1.x86_64
389-ds-base-libs-1.3.9.1-12.65.amzn1.x86_64
389-ds-base-debuginfo-1.3.9.1-12.65.amzn1.x86_64
Amazon Linux AMI: All versions
External linkshttp://alas.aws.amazon.com/ALAS-2020-1334.html
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Information disclosure
EUVDB-ID: #VU23001
Risk: Low
CVSSv3.1: 2.2 [CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-10224
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
DescriptionThe vulnerability allows a local user to gain access to potentially sensitive information.
The vulnerability exists within the dscreate and dsconf commands in 389-ds-base due to excessive data output, when executed in verbose mode. A local user can gain access to sensitive information, such as the Directory Manager password.
Successful exploitation of the vulnerability requires that the attacker can see the screen or record terminal session.
Update the affected packages:
i686:Vulnerable software versions
389-ds-base-libs-1.3.9.1-12.65.amzn1.i686
389-ds-base-1.3.9.1-12.65.amzn1.i686
389-ds-base-snmp-1.3.9.1-12.65.amzn1.i686
389-ds-base-devel-1.3.9.1-12.65.amzn1.i686
389-ds-base-debuginfo-1.3.9.1-12.65.amzn1.i686
src:
389-ds-base-1.3.9.1-12.65.amzn1.src
x86_64:
389-ds-base-devel-1.3.9.1-12.65.amzn1.x86_64
389-ds-base-1.3.9.1-12.65.amzn1.x86_64
389-ds-base-snmp-1.3.9.1-12.65.amzn1.x86_64
389-ds-base-libs-1.3.9.1-12.65.amzn1.x86_64
389-ds-base-debuginfo-1.3.9.1-12.65.amzn1.x86_64
Amazon Linux AMI: All versions
External linkshttp://alas.aws.amazon.com/ALAS-2020-1334.html
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Information disclosure
EUVDB-ID: #VU23002
Risk: Low
CVSSv3.1: 3.1 [CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-14824
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
DescriptionThe vulnerability allows a remote user to gain access to potentially sensitive information.
The vulnerability exists due to incorrect permissions in the 'deref' plugin in 389-ds-base when displaying attribute values during search. A remote user in local network can gain access to private attributes, such as password hashes.
Update the affected packages:
i686:Vulnerable software versions
389-ds-base-libs-1.3.9.1-12.65.amzn1.i686
389-ds-base-1.3.9.1-12.65.amzn1.i686
389-ds-base-snmp-1.3.9.1-12.65.amzn1.i686
389-ds-base-devel-1.3.9.1-12.65.amzn1.i686
389-ds-base-debuginfo-1.3.9.1-12.65.amzn1.i686
src:
389-ds-base-1.3.9.1-12.65.amzn1.src
x86_64:
389-ds-base-devel-1.3.9.1-12.65.amzn1.x86_64
389-ds-base-1.3.9.1-12.65.amzn1.x86_64
389-ds-base-snmp-1.3.9.1-12.65.amzn1.x86_64
389-ds-base-libs-1.3.9.1-12.65.amzn1.x86_64
389-ds-base-debuginfo-1.3.9.1-12.65.amzn1.x86_64
Amazon Linux AMI: All versions
External linkshttp://alas.aws.amazon.com/ALAS-2020-1334.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the local network (LAN).
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Resource management error
EUVDB-ID: #VU20063
Risk: Low
CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-3883
CWE-ID:
CWE-399 - Resource Management Errors
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to incorrect processing of tome outs for SSL/TLS connections. A remote authenticated user initiate a large number of SSL/TLS connections and consume all available workers, which will lead to a denial of service attack.
Mitigation
Update the affected packages:
i686:Vulnerable software versions
389-ds-base-libs-1.3.9.1-12.65.amzn1.i686
389-ds-base-1.3.9.1-12.65.amzn1.i686
389-ds-base-snmp-1.3.9.1-12.65.amzn1.i686
389-ds-base-devel-1.3.9.1-12.65.amzn1.i686
389-ds-base-debuginfo-1.3.9.1-12.65.amzn1.i686
src:
389-ds-base-1.3.9.1-12.65.amzn1.src
x86_64:
389-ds-base-devel-1.3.9.1-12.65.amzn1.x86_64
389-ds-base-1.3.9.1-12.65.amzn1.x86_64
389-ds-base-snmp-1.3.9.1-12.65.amzn1.x86_64
389-ds-base-libs-1.3.9.1-12.65.amzn1.x86_64
389-ds-base-debuginfo-1.3.9.1-12.65.amzn1.x86_64
Amazon Linux AMI: All versions
External linkshttp://alas.aws.amazon.com/ALAS-2020-1334.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
