CVE-2019-3883

EUVD-2019-13493

17.04.2019, 14:29

In 389-ds-base up to version 1.4.1.2, requests are handled by workers threads. Each sockets will be waited by the worker for at most 'ioblocktimeout' seconds. However this timeout applies only for un-encrypted requests. Connections using SSL/TLS are not taking this timeout into account during reads, and may hang longer.An unauthenticated attacker could repeatedly create hanging LDAP requests to hang all the workers, resulting in a Denial of Service.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	7.5 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
redhat	CNA	5.3 MEDIUM	NETWORK	LOW	NONE	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Base Score

CVSS 3.x

EPSS Score

Percentile: 57%

Affected Products (NVD)

Vendor	Product	Version
fedoraproject	389_directory_server	𝑥 ≤ 1.4.1.2
debian	debian_linux	8.0
redhat	enterprise_linux	6.0

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

389-ds-base

bookworm	2.3.1+dfsg1-1 fixed
bullseye	1.4.4.11-2 fixed
sid	3.1.1+dfsg1-2 fixed
stretch	no-dsa
trixie	3.1.1+dfsg1-2 fixed

Ubuntu Releases

Ubuntu Product

Codename

389-ds-base

bionic	needed
cosmic	ignored
disco	ignored
eoan	not-affected
focal	not-affected
groovy	not-affected
hirsute	not-affected
impish	not-affected
jammy	not-affected
kinetic	not-affected
lunar	not-affected
mantic	not-affected
noble	not-affected
trusty	dne
xenial	needed

Common Weakness Enumeration

CWE-772 - Missing Release of Resource after Effective Lifetime
The software does not release a resource after its effective lifetime has ended, i.e., after the resource is no longer needed.

References

https://access.redhat.com/errata/RHSA-2019:1896

https://access.redhat.com/errata/RHSA-2019:3401

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3883

https://lists.debian.org/debian-lts-announce/2019/05/msg00008.html

https://lists.debian.org/debian-lts-announce/2023/04/msg00026.html

https://pagure.io/389-ds-base/issue/50329