National Vulnerability Database (NVD) National Vulnerability Database (CVE-2008-2952)

National Cyber Awareness System

Vulnerability Summary for CVE-2008-2952

Original release date:07/01/2008

Last revised:10/11/2011

Source: US-CERT/NIST

Overview

liblber/io.c in OpenLDAP 2.2.4 to 2.4.10 allows remote attackers to cause a denial of service (program termination) via crafted ASN.1 BER datagrams that trigger an assertion error.

Impact

CVSS Severity (version 2.0):

CVSS v2 Base Score:5.0 (MEDIUM) (AV:N/AC:L/Au:N/C:N/I:N/A:P) (legend)

Impact Subscore: 2.9

Exploitability Subscore: 10.0

CVSS Version 2 Metrics:

Access Vector: Network exploitable

Access Complexity: Low

Authentication: Not required to exploit

Impact Type:Allows disruption of serviceUnknown

References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to nvd@nist.gov.

External Source: FEDORA

Name: FEDORA-2008-6062

Hyperlink:https://www.redhat.com/archives/fedora-package-announce/2008-July/msg00129.html

External Source: FEDORA

Name: FEDORA-2008-6029

Hyperlink:https://www.redhat.com/archives/fedora-package-announce/2008-July/msg00109.html

External Source: CONFIRM

Name: https://issues.rpath.com/browse/RPL-2645

Hyperlink:https://issues.rpath.com/browse/RPL-2645

External Source: XF

Name: openldap-bergetnext-dos(43515)

Hyperlink:http://xforce.iss.net/xforce/xfdb/43515

External Source: MISC

Name: http://www.zerodayinitiative.com/advisories/ZDI-08-052/

Hyperlink:http://www.zerodayinitiative.com/advisories/ZDI-08-052/

External Source: VUPEN

Name: ADV-2008-2268

Type: Advisory

Hyperlink:http://www.vupen.com/english/advisories/2008/2268

External Source: VUPEN

Name: ADV-2008-1978

Type: Advisory

Hyperlink:http://www.vupen.com/english/advisories/2008/1978/references

External Source: UBUNTU

Name: USN-634-1

Hyperlink:http://www.ubuntu.com/usn/usn-634-1

External Source: SECTRACK

Name: 1020405

Hyperlink:http://www.securitytracker.com/id?1020405

External Source: BID

Name: 30013

Hyperlink:http://www.securityfocus.com/bid/30013

External Source: BUGTRAQ

Name: 20080811 rPSA-2008-0249-1 openldap openldap-clients openldap-servers

Hyperlink:http://www.securityfocus.com/archive/1/archive/1/495320/100/0/threaded

External Source: REDHAT

Name: RHSA-2008:0583

Hyperlink:http://www.redhat.com/support/errata/RHSA-2008-0583.html

External Source: MLIST

Name: [oss-security] 20080713 Re: openldap DoS

Hyperlink:http://www.openwall.com/lists/oss-security/2008/07/13/2

External Source: MLIST

Name: [oss-security 20080701 Re: [oss-security] openldap DoS

Hyperlink:http://www.openwall.com/lists/oss-security/2008/07/01/2

External Source: CONFIRM

Name: http://www.openldap.org/its/index.cgi/Software%20Bugs?id=5580;selectid=5580

Hyperlink:http://www.openldap.org/its/index.cgi/Software%20Bugs?id=5580;selectid=5580

External Source: CONFIRM

Name: http://www.openldap.org/its/index.cgi/Software%20Bugs?id=5580

Hyperlink:http://www.openldap.org/its/index.cgi/Software%20Bugs?id=5580

External Source: MANDRIVA

Name: MDVSA-2008:144

Hyperlink:http://www.mandriva.com/security/advisories?name=MDVSA-2008:144

External Source: DEBIAN

Name: DSA-1650

Hyperlink:http://www.debian.org/security/2008/dsa-1650

External Source: CONFIRM

Name: http://wiki.rpath.com/Advisories:rPSA-2008-0249

Hyperlink:http://wiki.rpath.com/Advisories:rPSA-2008-0249

External Source: GENTOO

Name: GLSA-200808-09

Hyperlink:http://security.gentoo.org/glsa/glsa-200808-09.xml

External Source: SECUNIA

Name: 32316

Type: Advisory

Hyperlink:http://secunia.com/advisories/32316

External Source: SECUNIA

Name: 32254

Type: Advisory

Hyperlink:http://secunia.com/advisories/32254

External Source: SECUNIA

Name: 31436

Type: Advisory

Hyperlink:http://secunia.com/advisories/31436

External Source: SECUNIA

Name: 31364

Type: Advisory

Hyperlink:http://secunia.com/advisories/31364

External Source: SECUNIA

Name: 31326

Type: Advisory

Hyperlink:http://secunia.com/advisories/31326

External Source: SECUNIA

Name: 30996

Type: Advisory

Hyperlink:http://secunia.com/advisories/30996

External Source: SECUNIA

Name: 30917

Type: Advisory

Hyperlink:http://secunia.com/advisories/30917

External Source: SECUNIA

Name: 30853

Type: Advisory

Hyperlink:http://secunia.com/advisories/30853

External Source: OVAL

Name: oval:org.mitre.oval:def:10662

Hyperlink:http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:10662

External Source: SUSE

Name: SUSE-SR:2008:021

Hyperlink:http://lists.opensuse.org/opensuse-security-announce/2008-10/msg00006.html

External Source: APPLE

Name: APPLE-SA-2008-07-31

Hyperlink:http://lists.apple.com/archives/security-announce//2008/Jul/msg00003.html

References to Check Content

Identifier:oval:org.mitre.oval:def:10662

Check System:http://oval.mitre.org/XMLSchema/oval-definitions-5

Hyperlink:http://oval.mitre.org/repository/data/DownloadDefinition?id=oval:org.mitre.oval:def:10662

Vulnerable software and versions

Configuration 1

* cpe:/a:openldap:openldap:2.2.4

* cpe:/a:openldap:openldap:2.2.5

* cpe:/a:openldap:openldap:2.2.6

* cpe:/a:openldap:openldap:2.2.7

* cpe:/a:openldap:openldap:2.2.8

* cpe:/a:openldap:openldap:2.2.9

* cpe:/a:openldap:openldap:2.3.10

* cpe:/a:openldap:openldap:2.3.11

* cpe:/a:openldap:openldap:2.3.12

* cpe:/a:openldap:openldap:2.3.13

* cpe:/a:openldap:openldap:2.3.14

* cpe:/a:openldap:openldap:2.3.15

* cpe:/a:openldap:openldap:2.3.16

* cpe:/a:openldap:openldap:2.3.17

* cpe:/a:openldap:openldap:2.3.18

* cpe:/a:openldap:openldap:2.3.19

* cpe:/a:openldap:openldap:2.3.20

* cpe:/a:openldap:openldap:2.3.21

* cpe:/a:openldap:openldap:2.3.22

* cpe:/a:openldap:openldap:2.3.23

* cpe:/a:openldap:openldap:2.3.24

* cpe:/a:openldap:openldap:2.3.25

* cpe:/a:openldap:openldap:2.3.26

* cpe:/a:openldap:openldap:2.3.27

* cpe:/a:openldap:openldap:2.3.28

* cpe:/a:openldap:openldap:2.3.29

* cpe:/a:openldap:openldap:2.3.30

* cpe:/a:openldap:openldap:2.3.31

* cpe:/a:openldap:openldap:2.3.32

* cpe:/a:openldap:openldap:2.3.33

* cpe:/a:openldap:openldap:2.3.34

* cpe:/a:openldap:openldap:2.3.35

* cpe:/a:openldap:openldap:2.3.36

* cpe:/a:openldap:openldap:2.3.37

* cpe:/a:openldap:openldap:2.3.38

* cpe:/a:openldap:openldap:2.3.39

* cpe:/a:openldap:openldap:2.3.4

* cpe:/a:openldap:openldap:2.3.40

* cpe:/a:openldap:openldap:2.3.41

* cpe:/a:openldap:openldap:2.3.42

* cpe:/a:openldap:openldap:2.3.43

* cpe:/a:openldap:openldap:2.3.5

* cpe:/a:openldap:openldap:2.3.6

* cpe:/a:openldap:openldap:2.3.7

* cpe:/a:openldap:openldap:2.3.8

* cpe:/a:openldap:openldap:2.3.9

* cpe:/a:openldap:openldap:2.4.10

* Denotes Vulnerable Software

Technical Details

Vulnerability Type (View All)

Resource Management Errors (CWE-399)

CVE Standard Vulnerability Entry:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2952