Описание
An issue was discovered in the server in OpenLDAP before 2.4.48. When the server administrator delegates rootDN (database admin) privileges for certain databases but wants to maintain isolation (e.g., for multi-tenant deployments), slapd does not properly stop a rootDN from requesting authorization as an identity from another database during a SASL bind or with a proxyAuthz (RFC 4370) control. (It is not a common configuration to deploy a system where the server administrator and a DB administrator enjoy different levels of trust.)
Отчет
This issue affects the versions of openldap-server as shipped with Red Hat Enterprise Linux (RHEL) 5, 6, 7. Starting in RHEL 8 the openldap-server is not delivered anymore, therefore RHEL 8 is not affected by this vulnerability. This vulnerability does not affect the RHEL openldap package, what contains configuration files, libraries, and documentation for OpenLDAP. Red Hat Enterprise Linux 5 is now in Extended Life Phase of the support and maintenance life cycle. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/. Red Hat Enterprise Linux 6 is now in Maintenance Support 2 Phase of the support and maintenance life cycle. This has been rated as having a security impact of Moderate, and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.
Меры по смягчению последствий
This is only an issue in e.g. multi-tenant deployments that require isolation of databases. Do not give rootDN privileges to untrusted users.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Enterprise Linux 5 | openldap | Out of support scope | ||
| Red Hat Enterprise Linux 6 | compat-openldap | Not affected | ||
| Red Hat Enterprise Linux 6 | openldap | Out of support scope | ||
| Red Hat Enterprise Linux 7 | compat-openldap | Not affected | ||
| Red Hat Enterprise Linux 7 | openldap | Will not fix | ||
| Red Hat Enterprise Linux 8 | openldap | Not affected | ||
| Red Hat JBoss Core Services | openldap | Out of support scope | ||
| Red Hat JBoss Enterprise Application Platform 5 | openldap | Out of support scope | ||
| Red Hat JBoss Enterprise Web Server 2 | openldap | Out of support scope |
Показывать по
Дополнительная информация
Статус:
EPSS
6.5 Medium
CVSS3
Связанные уязвимости
An issue was discovered in the server in OpenLDAP before 2.4.48. When the server administrator delegates rootDN (database admin) privileges for certain databases but wants to maintain isolation (e.g., for multi-tenant deployments), slapd does not properly stop a rootDN from requesting authorization as an identity from another database during a SASL bind or with a proxyAuthz (RFC 4370) control. (It is not a common configuration to deploy a system where the server administrator and a DB administrator enjoy different levels of trust.)
An issue was discovered in the server in OpenLDAP before 2.4.48. When the server administrator delegates rootDN (database admin) privileges for certain databases but wants to maintain isolation (e.g., for multi-tenant deployments), slapd does not properly stop a rootDN from requesting authorization as an identity from another database during a SASL bind or with a proxyAuthz (RFC 4370) control. (It is not a common configuration to deploy a system where the server administrator and a DB administrator enjoy different levels of trust.)
An issue was discovered in the server in OpenLDAP before 2.4.48. When ...
An issue was discovered in the server in OpenLDAP before 2.4.48. When the server administrator delegates rootDN (database admin) privileges for certain databases but wants to maintain isolation (e.g., for multi-tenant deployments), slapd does not properly stop a rootDN from requesting authorization as an identity from another database during a SASL bind or with a proxyAuthz (RFC 4370) control. (It is not a common configuration to deploy a system where the server administrator and a DB administrator enjoy different levels of trust.)
Уязвимость демона slapd пакета OpenLDAP, позволяющая нарушителю раскрыть защищаемую информацию
EPSS
6.5 Medium
CVSS3