Security Bulletin
This security bulletin contains information about 11 vulnerabilities.
EUVDB-ID: #VU50389
Risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-36221
CWE-ID:
CWE-191 - Integer underflow
Exploit availability: No
Description
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to an integer underflow within the serialNumberAndIssuerCheck() function in schema_init.c. A remote attacker can send a specially crafted request to the affected application, trigger an integer underflow and crash slapd.
Mitigation
Update the affected package openldap2 to the latest version.
Vulnerable software versions
SUSE Linux Enterprise Server for SAP: 15-SP1 - 15-SP3
SUSE Linux Enterprise Module for Legacy Software: 15-SP2 - 15-SP3
SUSE Manager Proxy: 4.0
SUSE Manager Retail Branch Server: 4.0
SUSE Manager Server: 4.0
SUSE Linux Enterprise High Performance Computing: 15-ESPOS - 15-SP1-LTSS
SUSE Enterprise Storage: 6
SUSE CaaS Platform: 4.0
SUSE Linux Enterprise Server: 15-LTSS - 15-SP1-LTSS
SUSE Linux Enterprise Module for Development Tools: 15-SP2 - 15-SP3
SUSE Linux Enterprise Module for Basesystem: 15-SP2 - 15-SP3
openldap2-devel-32bit: before 2.4.46-9.48.1
libldap-2_4-2-32bit-debuginfo: before 2.4.46-9.48.1
libldap-2_4-2-32bit: before 2.4.46-9.48.1
libldap-data: before 2.4.46-9.48.1
openldap2-ppolicy-check-password-debuginfo: before 1.2-9.48.1
openldap2-ppolicy-check-password: before 1.2-9.48.1
openldap2-devel-static: before 2.4.46-9.48.1
openldap2-devel: before 2.4.46-9.48.1
openldap2-debugsource: before 2.4.46-9.48.1
openldap2-debuginfo: before 2.4.46-9.48.1
openldap2-client-debuginfo: before 2.4.46-9.48.1
openldap2-client: before 2.4.46-9.48.1
openldap2-back-perl-debuginfo: before 2.4.46-9.48.1
openldap2-back-perl: before 2.4.46-9.48.1
openldap2-back-meta-debuginfo: before 2.4.46-9.48.1
openldap2-back-meta: before 2.4.46-9.48.1
openldap2: before 2.4.46-9.48.1
libldap-2_4-2-debuginfo: before 2.4.46-9.48.1
libldap-2_4-2: before 2.4.46-9.48.1
External links
http://www.suse.com/support/update/announcement/2021/suse-su-20210723-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU50390
Risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-36222
CWE-ID:
CWE-617 - Reachable Assertion
Exploit availability: No
Description
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a reachable assertion in slapd in the saslAuthzTo validation. A remote attacker can send a specially crafted request and perform a denial of service (DoS) attack.
Mitigation
Update the affected package openldap2 to the latest version.
Vulnerable software versions
SUSE Linux Enterprise Server for SAP: 15-SP1 - 15-SP3
SUSE Linux Enterprise Module for Legacy Software: 15-SP2 - 15-SP3
SUSE Manager Proxy: 4.0
SUSE Manager Retail Branch Server: 4.0
SUSE Manager Server: 4.0
SUSE Linux Enterprise High Performance Computing: 15-ESPOS - 15-SP1-LTSS
SUSE Enterprise Storage: 6
SUSE CaaS Platform: 4.0
SUSE Linux Enterprise Server: 15-LTSS - 15-SP1-LTSS
SUSE Linux Enterprise Module for Development Tools: 15-SP2 - 15-SP3
SUSE Linux Enterprise Module for Basesystem: 15-SP2 - 15-SP3
openldap2-devel-32bit: before 2.4.46-9.48.1
libldap-2_4-2-32bit-debuginfo: before 2.4.46-9.48.1
libldap-2_4-2-32bit: before 2.4.46-9.48.1
libldap-data: before 2.4.46-9.48.1
openldap2-ppolicy-check-password-debuginfo: before 1.2-9.48.1
openldap2-ppolicy-check-password: before 1.2-9.48.1
openldap2-devel-static: before 2.4.46-9.48.1
openldap2-devel: before 2.4.46-9.48.1
openldap2-debugsource: before 2.4.46-9.48.1
openldap2-debuginfo: before 2.4.46-9.48.1
openldap2-client-debuginfo: before 2.4.46-9.48.1
openldap2-client: before 2.4.46-9.48.1
openldap2-back-perl-debuginfo: before 2.4.46-9.48.1
openldap2-back-perl: before 2.4.46-9.48.1
openldap2-back-meta-debuginfo: before 2.4.46-9.48.1
openldap2-back-meta: before 2.4.46-9.48.1
openldap2: before 2.4.46-9.48.1
libldap-2_4-2-debuginfo: before 2.4.46-9.48.1
libldap-2_4-2: before 2.4.46-9.48.1
External links
http://www.suse.com/support/update/announcement/2021/suse-su-20210723-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU50391
Risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-36223
CWE-ID:
CWE-415 - Double Free
Exploit availability: No
Description
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a boundary error during Values Return Filter control handling. A remote attacker can send a specially crafted request to slapd, trigger a double free and perform a denial of service (DoS) attack.
Mitigation
Update the affected package openldap2 to the latest version.
Vulnerable software versions
SUSE Linux Enterprise Server for SAP: 15-SP1 - 15-SP3
SUSE Linux Enterprise Module for Legacy Software: 15-SP2 - 15-SP3
SUSE Manager Proxy: 4.0
SUSE Manager Retail Branch Server: 4.0
SUSE Manager Server: 4.0
SUSE Linux Enterprise High Performance Computing: 15-ESPOS - 15-SP1-LTSS
SUSE Enterprise Storage: 6
SUSE CaaS Platform: 4.0
SUSE Linux Enterprise Server: 15-LTSS - 15-SP1-LTSS
SUSE Linux Enterprise Module for Development Tools: 15-SP2 - 15-SP3
SUSE Linux Enterprise Module for Basesystem: 15-SP2 - 15-SP3
openldap2-devel-32bit: before 2.4.46-9.48.1
libldap-2_4-2-32bit-debuginfo: before 2.4.46-9.48.1
libldap-2_4-2-32bit: before 2.4.46-9.48.1
libldap-data: before 2.4.46-9.48.1
openldap2-ppolicy-check-password-debuginfo: before 1.2-9.48.1
openldap2-ppolicy-check-password: before 1.2-9.48.1
openldap2-devel-static: before 2.4.46-9.48.1
openldap2-devel: before 2.4.46-9.48.1
openldap2-debugsource: before 2.4.46-9.48.1
openldap2-debuginfo: before 2.4.46-9.48.1
openldap2-client-debuginfo: before 2.4.46-9.48.1
openldap2-client: before 2.4.46-9.48.1
openldap2-back-perl-debuginfo: before 2.4.46-9.48.1
openldap2-back-perl: before 2.4.46-9.48.1
openldap2-back-meta-debuginfo: before 2.4.46-9.48.1
openldap2-back-meta: before 2.4.46-9.48.1
openldap2: before 2.4.46-9.48.1
libldap-2_4-2-debuginfo: before 2.4.46-9.48.1
libldap-2_4-2: before 2.4.46-9.48.1
External links
http://www.suse.com/support/update/announcement/2021/suse-su-20210723-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU50398
Risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-36224
CWE-ID:
CWE-763 - Release of invalid pointer or reference
Exploit availability: No
Description
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to release of an invalid pointer when processing saslAuthzTo requests. A remote attacker can send a specially crafted request to slapd and perform a denial of service (DoS) attack.
Mitigation
Update the affected package openldap2 to the latest version.
Vulnerable software versions
SUSE Linux Enterprise Server for SAP: 15-SP1 - 15-SP3
SUSE Linux Enterprise Module for Legacy Software: 15-SP2 - 15-SP3
SUSE Manager Proxy: 4.0
SUSE Manager Retail Branch Server: 4.0
SUSE Manager Server: 4.0
SUSE Linux Enterprise High Performance Computing: 15-ESPOS - 15-SP1-LTSS
SUSE Enterprise Storage: 6
SUSE CaaS Platform: 4.0
SUSE Linux Enterprise Server: 15-LTSS - 15-SP1-LTSS
SUSE Linux Enterprise Module for Development Tools: 15-SP2 - 15-SP3
SUSE Linux Enterprise Module for Basesystem: 15-SP2 - 15-SP3
openldap2-devel-32bit: before 2.4.46-9.48.1
libldap-2_4-2-32bit-debuginfo: before 2.4.46-9.48.1
libldap-2_4-2-32bit: before 2.4.46-9.48.1
libldap-data: before 2.4.46-9.48.1
openldap2-ppolicy-check-password-debuginfo: before 1.2-9.48.1
openldap2-ppolicy-check-password: before 1.2-9.48.1
openldap2-devel-static: before 2.4.46-9.48.1
openldap2-devel: before 2.4.46-9.48.1
openldap2-debugsource: before 2.4.46-9.48.1
openldap2-debuginfo: before 2.4.46-9.48.1
openldap2-client-debuginfo: before 2.4.46-9.48.1
openldap2-client: before 2.4.46-9.48.1
openldap2-back-perl-debuginfo: before 2.4.46-9.48.1
openldap2-back-perl: before 2.4.46-9.48.1
openldap2-back-meta-debuginfo: before 2.4.46-9.48.1
openldap2-back-meta: before 2.4.46-9.48.1
openldap2: before 2.4.46-9.48.1
libldap-2_4-2-debuginfo: before 2.4.46-9.48.1
libldap-2_4-2: before 2.4.46-9.48.1
External links
http://www.suse.com/support/update/announcement/2021/suse-su-20210723-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU50392
Risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-36225
CWE-ID:
CWE-415 - Double Free
Exploit availability: No
Description
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a boundary error in saslAuthzTo processing. A remote attacker can send a specially crafted request to slapd, trigger a double free and perform a denial of service (DoS) attack.
Mitigation
Update the affected package openldap2 to the latest version.
Vulnerable software versions
SUSE Linux Enterprise Server for SAP: 15-SP1 - 15-SP3
SUSE Linux Enterprise Module for Legacy Software: 15-SP2 - 15-SP3
SUSE Manager Proxy: 4.0
SUSE Manager Retail Branch Server: 4.0
SUSE Manager Server: 4.0
SUSE Linux Enterprise High Performance Computing: 15-ESPOS - 15-SP1-LTSS
SUSE Enterprise Storage: 6
SUSE CaaS Platform: 4.0
SUSE Linux Enterprise Server: 15-LTSS - 15-SP1-LTSS
SUSE Linux Enterprise Module for Development Tools: 15-SP2 - 15-SP3
SUSE Linux Enterprise Module for Basesystem: 15-SP2 - 15-SP3
openldap2-devel-32bit: before 2.4.46-9.48.1
libldap-2_4-2-32bit-debuginfo: before 2.4.46-9.48.1
libldap-2_4-2-32bit: before 2.4.46-9.48.1
libldap-data: before 2.4.46-9.48.1
openldap2-ppolicy-check-password-debuginfo: before 1.2-9.48.1
openldap2-ppolicy-check-password: before 1.2-9.48.1
openldap2-devel-static: before 2.4.46-9.48.1
openldap2-devel: before 2.4.46-9.48.1
openldap2-debugsource: before 2.4.46-9.48.1
openldap2-debuginfo: before 2.4.46-9.48.1
openldap2-client-debuginfo: before 2.4.46-9.48.1
openldap2-client: before 2.4.46-9.48.1
openldap2-back-perl-debuginfo: before 2.4.46-9.48.1
openldap2-back-perl: before 2.4.46-9.48.1
openldap2-back-meta-debuginfo: before 2.4.46-9.48.1
openldap2-back-meta: before 2.4.46-9.48.1
openldap2: before 2.4.46-9.48.1
libldap-2_4-2-debuginfo: before 2.4.46-9.48.1
libldap-2_4-2: before 2.4.46-9.48.1
External links
http://www.suse.com/support/update/announcement/2021/suse-su-20210723-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU50393
Risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-36226
CWE-ID:
CWE-399 - Resource Management Errors
Exploit availability: No
Description
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper management of internal resources within the application, leading to a memch->bv_len miscalculation during saslAuthzTo processing. A remote attacker can send a specially crafted request to slapd and perform a denial of service (DoS) attack.
Mitigation
Update the affected package openldap2 to the latest version.
Vulnerable software versions
SUSE Linux Enterprise Server for SAP: 15-SP1 - 15-SP3
SUSE Linux Enterprise Module for Legacy Software: 15-SP2 - 15-SP3
SUSE Manager Proxy: 4.0
SUSE Manager Retail Branch Server: 4.0
SUSE Manager Server: 4.0
SUSE Linux Enterprise High Performance Computing: 15-ESPOS - 15-SP1-LTSS
SUSE Enterprise Storage: 6
SUSE CaaS Platform: 4.0
SUSE Linux Enterprise Server: 15-LTSS - 15-SP1-LTSS
SUSE Linux Enterprise Module for Development Tools: 15-SP2 - 15-SP3
SUSE Linux Enterprise Module for Basesystem: 15-SP2 - 15-SP3
openldap2-devel-32bit: before 2.4.46-9.48.1
libldap-2_4-2-32bit-debuginfo: before 2.4.46-9.48.1
libldap-2_4-2-32bit: before 2.4.46-9.48.1
libldap-data: before 2.4.46-9.48.1
openldap2-ppolicy-check-password-debuginfo: before 1.2-9.48.1
openldap2-ppolicy-check-password: before 1.2-9.48.1
openldap2-devel-static: before 2.4.46-9.48.1
openldap2-devel: before 2.4.46-9.48.1
openldap2-debugsource: before 2.4.46-9.48.1
openldap2-debuginfo: before 2.4.46-9.48.1
openldap2-client-debuginfo: before 2.4.46-9.48.1
openldap2-client: before 2.4.46-9.48.1
openldap2-back-perl-debuginfo: before 2.4.46-9.48.1
openldap2-back-perl: before 2.4.46-9.48.1
openldap2-back-meta-debuginfo: before 2.4.46-9.48.1
openldap2-back-meta: before 2.4.46-9.48.1
openldap2: before 2.4.46-9.48.1
libldap-2_4-2-debuginfo: before 2.4.46-9.48.1
libldap-2_4-2: before 2.4.46-9.48.1
External links
http://www.suse.com/support/update/announcement/2021/suse-su-20210723-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU50394
Risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-36227
CWE-ID:
CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')
Exploit availability: No
Description
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to an infinite loop in slapd in the cancel_extop Cancel operation. A remote attacker can send a specially crafted request and cause a denial of service (DoS) condition.
Mitigation
Update the affected package openldap2 to the latest version.
Vulnerable software versions
SUSE Linux Enterprise Server for SAP: 15-SP1 - 15-SP3
SUSE Linux Enterprise Module for Legacy Software: 15-SP2 - 15-SP3
SUSE Manager Proxy: 4.0
SUSE Manager Retail Branch Server: 4.0
SUSE Manager Server: 4.0
SUSE Linux Enterprise High Performance Computing: 15-ESPOS - 15-SP1-LTSS
SUSE Enterprise Storage: 6
SUSE CaaS Platform: 4.0
SUSE Linux Enterprise Server: 15-LTSS - 15-SP1-LTSS
SUSE Linux Enterprise Module for Development Tools: 15-SP2 - 15-SP3
SUSE Linux Enterprise Module for Basesystem: 15-SP2 - 15-SP3
openldap2-devel-32bit: before 2.4.46-9.48.1
libldap-2_4-2-32bit-debuginfo: before 2.4.46-9.48.1
libldap-2_4-2-32bit: before 2.4.46-9.48.1
libldap-data: before 2.4.46-9.48.1
openldap2-ppolicy-check-password-debuginfo: before 1.2-9.48.1
openldap2-ppolicy-check-password: before 1.2-9.48.1
openldap2-devel-static: before 2.4.46-9.48.1
openldap2-devel: before 2.4.46-9.48.1
openldap2-debugsource: before 2.4.46-9.48.1
openldap2-debuginfo: before 2.4.46-9.48.1
openldap2-client-debuginfo: before 2.4.46-9.48.1
openldap2-client: before 2.4.46-9.48.1
openldap2-back-perl-debuginfo: before 2.4.46-9.48.1
openldap2-back-perl: before 2.4.46-9.48.1
openldap2-back-meta-debuginfo: before 2.4.46-9.48.1
openldap2-back-meta: before 2.4.46-9.48.1
openldap2: before 2.4.46-9.48.1
libldap-2_4-2-debuginfo: before 2.4.46-9.48.1
libldap-2_4-2: before 2.4.46-9.48.1
External links
http://www.suse.com/support/update/announcement/2021/suse-su-20210723-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU50395
Risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-36228
CWE-ID:
CWE-191 - Integer underflow
Exploit availability: No
Description
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to an integer underflow when processing the Certificate List Exact Assertion. A remote attacker can send a specially crafted request to slapd, trigger an integer underflow and perform a denial of service (DoS) attack.
Mitigation
Update the affected package openldap2 to the latest version.
Vulnerable software versions
SUSE Linux Enterprise Server for SAP: 15-SP1 - 15-SP3
SUSE Linux Enterprise Module for Legacy Software: 15-SP2 - 15-SP3
SUSE Manager Proxy: 4.0
SUSE Manager Retail Branch Server: 4.0
SUSE Manager Server: 4.0
SUSE Linux Enterprise High Performance Computing: 15-ESPOS - 15-SP1-LTSS
SUSE Enterprise Storage: 6
SUSE CaaS Platform: 4.0
SUSE Linux Enterprise Server: 15-LTSS - 15-SP1-LTSS
SUSE Linux Enterprise Module for Development Tools: 15-SP2 - 15-SP3
SUSE Linux Enterprise Module for Basesystem: 15-SP2 - 15-SP3
openldap2-devel-32bit: before 2.4.46-9.48.1
libldap-2_4-2-32bit-debuginfo: before 2.4.46-9.48.1
libldap-2_4-2-32bit: before 2.4.46-9.48.1
libldap-data: before 2.4.46-9.48.1
openldap2-ppolicy-check-password-debuginfo: before 1.2-9.48.1
openldap2-ppolicy-check-password: before 1.2-9.48.1
openldap2-devel-static: before 2.4.46-9.48.1
openldap2-devel: before 2.4.46-9.48.1
openldap2-debugsource: before 2.4.46-9.48.1
openldap2-debuginfo: before 2.4.46-9.48.1
openldap2-client-debuginfo: before 2.4.46-9.48.1
openldap2-client: before 2.4.46-9.48.1
openldap2-back-perl-debuginfo: before 2.4.46-9.48.1
openldap2-back-perl: before 2.4.46-9.48.1
openldap2-back-meta-debuginfo: before 2.4.46-9.48.1
openldap2-back-meta: before 2.4.46-9.48.1
openldap2: before 2.4.46-9.48.1
libldap-2_4-2-debuginfo: before 2.4.46-9.48.1
libldap-2_4-2: before 2.4.46-9.48.1
External links
http://www.suse.com/support/update/announcement/2021/suse-su-20210723-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU50396
Risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-36229
CWE-ID:
CWE-843 - Type confusion
Exploit availability: No
Description
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a type confusion error in ldap_X509dn2bv when parsing an X.509 DN in ad_keystring. A remote attacker can send a specially crafted request to slapd and crash it.
Mitigation
Update the affected package openldap2 to the latest version.
Vulnerable software versions
SUSE Linux Enterprise Server for SAP: 15-SP1 - 15-SP3
SUSE Linux Enterprise Module for Legacy Software: 15-SP2 - 15-SP3
SUSE Manager Proxy: 4.0
SUSE Manager Retail Branch Server: 4.0
SUSE Manager Server: 4.0
SUSE Linux Enterprise High Performance Computing: 15-ESPOS - 15-SP1-LTSS
SUSE Enterprise Storage: 6
SUSE CaaS Platform: 4.0
SUSE Linux Enterprise Server: 15-LTSS - 15-SP1-LTSS
SUSE Linux Enterprise Module for Development Tools: 15-SP2 - 15-SP3
SUSE Linux Enterprise Module for Basesystem: 15-SP2 - 15-SP3
openldap2-devel-32bit: before 2.4.46-9.48.1
libldap-2_4-2-32bit-debuginfo: before 2.4.46-9.48.1
libldap-2_4-2-32bit: before 2.4.46-9.48.1
libldap-data: before 2.4.46-9.48.1
openldap2-ppolicy-check-password-debuginfo: before 1.2-9.48.1
openldap2-ppolicy-check-password: before 1.2-9.48.1
openldap2-devel-static: before 2.4.46-9.48.1
openldap2-devel: before 2.4.46-9.48.1
openldap2-debugsource: before 2.4.46-9.48.1
openldap2-debuginfo: before 2.4.46-9.48.1
openldap2-client-debuginfo: before 2.4.46-9.48.1
openldap2-client: before 2.4.46-9.48.1
openldap2-back-perl-debuginfo: before 2.4.46-9.48.1
openldap2-back-perl: before 2.4.46-9.48.1
openldap2-back-meta-debuginfo: before 2.4.46-9.48.1
openldap2-back-meta: before 2.4.46-9.48.1
openldap2: before 2.4.46-9.48.1
libldap-2_4-2-debuginfo: before 2.4.46-9.48.1
libldap-2_4-2: before 2.4.46-9.48.1
External links
http://www.suse.com/support/update/announcement/2021/suse-su-20210723-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU50397
Risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-36230
CWE-ID:
CWE-617 - Reachable Assertion
Exploit availability: No
Description
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a reachable assertion when parsing the X.509 DN within the ber_next_element() function in decode.c. A remote attacker can send a specially crafted request to slapd and perform a denial of service (DoS) attack.
Mitigation
Update the affected package openldap2 to the latest version.
Vulnerable software versions
SUSE Linux Enterprise Server for SAP: 15-SP1 - 15-SP3
SUSE Linux Enterprise Module for Legacy Software: 15-SP2 - 15-SP3
SUSE Manager Proxy: 4.0
SUSE Manager Retail Branch Server: 4.0
SUSE Manager Server: 4.0
SUSE Linux Enterprise High Performance Computing: 15-ESPOS - 15-SP1-LTSS
SUSE Enterprise Storage: 6
SUSE CaaS Platform: 4.0
SUSE Linux Enterprise Server: 15-LTSS - 15-SP1-LTSS
SUSE Linux Enterprise Module for Development Tools: 15-SP2 - 15-SP3
SUSE Linux Enterprise Module for Basesystem: 15-SP2 - 15-SP3
openldap2-devel-32bit: before 2.4.46-9.48.1
libldap-2_4-2-32bit-debuginfo: before 2.4.46-9.48.1
libldap-2_4-2-32bit: before 2.4.46-9.48.1
libldap-data: before 2.4.46-9.48.1
openldap2-ppolicy-check-password-debuginfo: before 1.2-9.48.1
openldap2-ppolicy-check-password: before 1.2-9.48.1
openldap2-devel-static: before 2.4.46-9.48.1
openldap2-devel: before 2.4.46-9.48.1
openldap2-debugsource: before 2.4.46-9.48.1
openldap2-debuginfo: before 2.4.46-9.48.1
openldap2-client-debuginfo: before 2.4.46-9.48.1
openldap2-client: before 2.4.46-9.48.1
openldap2-back-perl-debuginfo: before 2.4.46-9.48.1
openldap2-back-perl: before 2.4.46-9.48.1
openldap2-back-meta-debuginfo: before 2.4.46-9.48.1
openldap2-back-meta: before 2.4.46-9.48.1
openldap2: before 2.4.46-9.48.1
libldap-2_4-2-debuginfo: before 2.4.46-9.48.1
libldap-2_4-2: before 2.4.46-9.48.1
External links
http://www.suse.com/support/update/announcement/2021/suse-su-20210723-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU50779
Risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-27212
CWE-ID:
CWE-617 - Reachable Assertion
Exploit availability: No
Description
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a reachable assertion when processing LDAP packets within the issuerAndThisUpdateCheck() function in schema_init.c. A remote attacker can send a specially crafted packet with a short timestamp to slapd and perform a denial of service (DoS) attack.
Mitigation
Update the affected package openldap2 to the latest version.
Vulnerable software versions
SUSE Linux Enterprise Server for SAP: 15-SP1 - 15-SP3
SUSE Linux Enterprise Module for Legacy Software: 15-SP2 - 15-SP3
SUSE Manager Proxy: 4.0
SUSE Manager Retail Branch Server: 4.0
SUSE Manager Server: 4.0
SUSE Linux Enterprise High Performance Computing: 15-ESPOS - 15-SP1-LTSS
SUSE Enterprise Storage: 6
SUSE CaaS Platform: 4.0
SUSE Linux Enterprise Server: 15-LTSS - 15-SP1-LTSS
SUSE Linux Enterprise Module for Development Tools: 15-SP2 - 15-SP3
SUSE Linux Enterprise Module for Basesystem: 15-SP2 - 15-SP3
openldap2-devel-32bit: before 2.4.46-9.48.1
libldap-2_4-2-32bit-debuginfo: before 2.4.46-9.48.1
libldap-2_4-2-32bit: before 2.4.46-9.48.1
libldap-data: before 2.4.46-9.48.1
openldap2-ppolicy-check-password-debuginfo: before 1.2-9.48.1
openldap2-ppolicy-check-password: before 1.2-9.48.1
openldap2-devel-static: before 2.4.46-9.48.1
openldap2-devel: before 2.4.46-9.48.1
openldap2-debugsource: before 2.4.46-9.48.1
openldap2-debuginfo: before 2.4.46-9.48.1
openldap2-client-debuginfo: before 2.4.46-9.48.1
openldap2-client: before 2.4.46-9.48.1
openldap2-back-perl-debuginfo: before 2.4.46-9.48.1
openldap2-back-perl: before 2.4.46-9.48.1
openldap2-back-meta-debuginfo: before 2.4.46-9.48.1
openldap2-back-meta: before 2.4.46-9.48.1
openldap2: before 2.4.46-9.48.1
libldap-2_4-2-debuginfo: before 2.4.46-9.48.1
libldap-2_4-2: before 2.4.46-9.48.1
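All eleven entries in this bulletin share one package list and one fixed build: 2.4.46-9.48.1 for the openldap2 and libldap packages, 1.2-9.48.1 for openldap2-ppolicy-check-password. The script below is an added example for checking a host against those versions; it is not SUSE's or OpenLDAP's code. It compares version-release strings with the segment rules of rpm's rpmvercmp (numeric segments compare as integers, so release 9.48.1 is correctly newer than 9.5.1, which a plain string comparison would get wrong); the tilde and caret handling of the real rpmvercmp is omitted. The rpm output embedded in the script is constructed; on a real SUSE host, feed it the output of rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n' 'openldap2*' 'libldap*' instead.

```python
"""Check installed openldap2 RPMs against the fixed versions in SUSE-SU-2021:0723-1.

Added example, not SUSE's or OpenLDAP's code. Package names and fixed
versions are taken from the bulletin; the sample rpm output is constructed.
"""
import re

# Fixed versions from the bulletin (NAME -> VERSION-RELEASE); debuginfo
# subpackages follow their parent package and are omitted here.
FIXED = {
    "openldap2": "2.4.46-9.48.1",
    "openldap2-client": "2.4.46-9.48.1",
    "openldap2-back-meta": "2.4.46-9.48.1",
    "openldap2-back-perl": "2.4.46-9.48.1",
    "openldap2-devel": "2.4.46-9.48.1",
    "openldap2-devel-static": "2.4.46-9.48.1",
    "openldap2-devel-32bit": "2.4.46-9.48.1",
    "libldap-2_4-2": "2.4.46-9.48.1",
    "libldap-2_4-2-32bit": "2.4.46-9.48.1",
    "libldap-data": "2.4.46-9.48.1",
    "openldap2-ppolicy-check-password": "1.2-9.48.1",
}

# A version string is split into runs of digits and runs of letters; every
# other character is a separator, as in rpmvercmp.
_SEGMENT = re.compile(r"[0-9]+|[a-zA-Z]+")


def rpmvercmp(a: str, b: str) -> int:
    """Return -1, 0 or 1 for a single VERSION or RELEASE string, rpm style.

    Simplified: the '~' (pre-release) and '^' (post-release) rules are not
    implemented, which is fine for the plain numeric SUSE builds above.
    """
    seg_a, seg_b = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(seg_a, seg_b):
        x_num, y_num = x.isdigit(), y.isdigit()
        if x_num and y_num:
            xi, yi = int(x), int(y)          # numeric: compare as integers
            if xi != yi:
                return -1 if xi < yi else 1
        elif x_num != y_num:
            return 1 if x_num else -1        # numeric segment beats alphabetic
        elif x != y:
            return -1 if x < y else 1        # both alphabetic: string order
    if len(seg_a) != len(seg_b):
        return -1 if len(seg_a) < len(seg_b) else 1   # more segments is newer
    return 0


def evr_cmp(installed: str, fixed: str) -> int:
    """Compare two VERSION-RELEASE strings: version first, then release."""
    inst_ver, inst_rel = installed.rsplit("-", 1)
    fix_ver, fix_rel = fixed.rsplit("-", 1)
    return rpmvercmp(inst_ver, fix_ver) or rpmvercmp(inst_rel, fix_rel)


def vulnerable_packages(rpm_qa_output: str) -> list[str]:
    """Return the names of installed packages still below the fixed version.

    Input lines look like: NAME VERSION-RELEASE (one package per line), i.e.
    rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n' 'openldap2*' 'libldap*'
    """
    still_vulnerable = []
    for line in rpm_qa_output.splitlines():
        if not line.strip():
            continue
        name, evr = line.split()
        fixed = FIXED.get(name)
        if fixed is not None and evr_cmp(evr, fixed) < 0:
            still_vulnerable.append(name)
    return still_vulnerable


# Constructed sample output (not captured from a real host).
SAMPLE_RPM_QA = """\
openldap2 2.4.46-9.45.1
openldap2-client 2.4.46-9.48.1
libldap-2_4-2 2.4.46-9.5.1
libldap-data 2.4.46-9.48.1
openldap2-ppolicy-check-password 1.2-9.48.1
"""

if __name__ == "__main__":
    for pkg in vulnerable_packages(SAMPLE_RPM_QA):
        print("still vulnerable:", pkg)
```

On the sample input, openldap2 (release 9.45.1) and libldap-2_4-2 (release 9.5.1) are reported as still vulnerable while the rest are at the fixed build. Note that this only checks the installed package: slapd must also be restarted (or the host rebooted) after the update for the fix to take effect in the running process.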
External links
http://www.suse.com/support/update/announcement/2021/suse-su-20210723-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.