Denial of Service Vulnerability in 389-ds-base by Red Hat
CVE-2019-3883

5.3MEDIUM

Key Information:

Vendor
Red Hat
Status
389-ds-base
Vendor
CVE Published:
17 April 2019

Summary

In 389-ds-base prior to version 1.4.1.2, a Denial of Service vulnerability exists due to improper handling of requests. Worker threads wait for a specific timeout for unencrypted requests, while SSL/TLS connections are not subjected to this timeout, allowing attackers to create malicious LDAP requests. These requests can hang indefinitely, effectively consuming all worker threads and preventing legitimate requests from being processed, leading to disruption of services.

Affected Version(s)

389-ds-base affects up to 1.4.1.2

References

https://lists.debian.org/debian-lts-announce/2019/05/msg0...
mailing-list
https://access.redhat.com/errata/RHSA-2019:1896
vendor-advisory
https://access.redhat.com/errata/RHSA-2019:3401
vendor-advisory

CVSS V3.1

Score:
5.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.