Rapid7 Vulnerability & Exploit Database

RHSA-2015:0416: 389-ds-base security, bug fix, and enhancement update

Severity: 5
CVSS: (AV:N/AC:L/Au:N/C:P/I:N/A:N)
Published: 03/05/2015
Created: 07/25/2018
Added: 03/09/2015
Modified: 07/04/2017

Description

The 389 Directory Server is an LDAPv3 compliant server. The base packages include the Lightweight Directory Access Protocol (LDAP) server and command-line utilities for server administration.

An information disclosure flaw was found in the way the 389 Directory Server stored information in the Changelog that is exposed via the 'cn=changelog' LDAP sub-tree. An unauthenticated user could in certain cases use this flaw to read data from the Changelog, which could include sensitive information such as plain-text passwords. (CVE-2014-8105)

It was found that when the nsslapd-unhashed-pw-switch 389 Directory Server configuration option was set to "off", it did not prevent the writing of unhashed passwords into the Changelog. This could potentially allow an authenticated user able to access the Changelog to read sensitive information. (CVE-2014-8112)

The CVE-2014-8105 issue was discovered by Petr Špaček of the Red Hat Identity Management Engineering Team, and the CVE-2014-8112 issue was discovered by Ludwig Krispenz of the Red Hat Identity Management Engineering Team.

Enhancements:
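The following is an added example, not part of the Rapid7 entry or of the 389-ds project, showing the check a practitioner would run for the two issues above: dump cn=changelog (anonymously, to test the CVE-2014-8105 exposure), scan each entry's 'changes' payload for the unhashed#user#password attribute, and compare the result against the nsslapd-unhashed-pw-switch setting (the CVE-2014-8112 condition). The ldapsearch invocation, hostname, DNs, password values and the "on" default assumed when the switch is absent are assumptions for the example; the attribute name unhashed#user#password is the one 389 DS uses for the clear-text copy.

```python
"""Scan a 389 Directory Server retro changelog dump for clear-text passwords.

Constructed example for the two issues described in the advisory; not code
from Red Hat or the 389-ds project. Input is LDIF such as this search returns:

    ldapsearch -x -LLL -H ldap://ds.example.com -b cn=changelog \
        '(changetype=modify)' changenumber targetdn changes

If that search succeeds with no bind DN, the changelog is exposed as in
CVE-2014-8105. If the dump contains unhashed#user#password while
nsslapd-unhashed-pw-switch is not "on", the server shows the CVE-2014-8112
behaviour. Hostname, DNs and password values below are made up.
"""
import base64
import re

# Attribute 389 DS writes alongside userPassword when the unhashed copy is kept.
SENSITIVE_ATTRS = {"unhashed#user#password"}


def parse_ldif(text):
    """Parse minimal LDIF into a list of {attr_lowercase: [values]} dicts.

    Handles folded continuation lines, base64 values ("attr:: ..."), comments
    and blank-line separators. Names are lower-cased (LDAP is case-insensitive).
    """
    unfolded = re.sub(r"\n ", "", text)  # join continuation lines
    entries = []
    for block in re.split(r"\n\s*\n", unfolded.strip()):
        entry = {}
        for line in block.splitlines():
            if not line or line[0] == "#" or line.startswith("version:"):
                continue
            attr, sep, value = line.partition(":")
            if not sep:
                continue
            if value.startswith(":"):  # "attr:: <base64>"
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            else:
                value = value.strip()
            entry.setdefault(attr.strip().lower(), []).append(value)
        if entry:
            entries.append(entry)
    return entries


def find_password_leaks(changelog_ldif):
    """Return [(changenumber, targetdn, attr)] for entries whose 'changes'
    payload (itself LDIF modify syntax) carries a clear-text password attribute.
    The password values themselves are deliberately not returned."""
    leaks = []
    for entry in parse_ldif(changelog_ldif):
        for changes in entry.get("changes", []):
            for line in changes.splitlines():
                attr, sep, _ = line.partition(":")
                if sep and attr.strip().lower() in SENSITIVE_ATTRS:
                    leaks.append((entry.get("changenumber", ["?"])[0],
                                  entry.get("targetdn", ["?"])[0],
                                  attr.strip().lower()))
                    break  # one report per changelog entry
    return leaks


def unhashed_pw_switch(config_ldif):
    """Value of nsslapd-unhashed-pw-switch from a dump of cn=config.
    Assumed to be 'on' when the attribute is absent (assumption for this example)."""
    for entry in parse_ldif(config_ldif):
        if entry.get("dn", [""])[0].lower() == "cn=config":
            vals = entry.get("nsslapd-unhashed-pw-switch")
            if vals:
                return vals[0].lower()
    return "on"


def assess(config_ldif, changelog_ldif):
    """'clean': no clear-text passwords in the changelog.
    'misconfigured': switch is 'on', so clear-text logging is configured deliberately.
    'vulnerable': switch is not 'on', yet clear-text passwords were still written
    (the CVE-2014-8112 behaviour)."""
    if not find_password_leaks(changelog_ldif):
        return "clean"
    return "misconfigured" if unhashed_pw_switch(config_ldif) == "on" else "vulnerable"


def changelog_entry(number, target, changes_text):
    """Build one retro-changelog entry in LDIF, with 'changes' base64-encoded
    and folded at 76 columns as LDIF tools do (constructed sample data)."""
    b64 = base64.b64encode(changes_text.encode()).decode()
    folded = "\n ".join(b64[i:i + 76] for i in range(0, len(b64), 76))
    return (f"dn: changenumber={number},cn=changelog\n"
            "objectClass: top\nobjectClass: changelogentry\n"
            f"changenumber: {number}\ntargetdn: {target}\n"
            f"changetype: modify\nchanges:: {folded}\n")


# Constructed sample: one password change that leaked the clear-text copy,
# one unrelated modify, and one password change that did not leak.
SAMPLE_CHANGELOG = "\n".join([
    changelog_entry(101, "uid=alice,ou=People,dc=example,dc=com",
                    "replace: userPassword\nuserPassword: {SSHA}c2FsdHNhbHQ=\n-\n"
                    "replace: unhashed#user#password\n"
                    "unhashed#user#password: Winter2015!\n-\n"),
    changelog_entry(102, "uid=bob,ou=People,dc=example,dc=com",
                    "replace: mail\nmail: bob@example.com\n-\n"),
    changelog_entry(103, "uid=carol,ou=People,dc=example,dc=com",
                    "replace: userPassword\nuserPassword: {SSHA}b3RoZXJzYWx0\n-\n"),
])
SAMPLE_CONFIG = "dn: cn=config\ncn: config\nnsslapd-unhashed-pw-switch: off\n"

if __name__ == "__main__":
    for num, dn, attr in find_password_leaks(SAMPLE_CHANGELOG):
        print(f"changenumber={num} {dn}: {attr} present in clear text")
    print("verdict:", assess(SAMPLE_CONFIG, SAMPLE_CHANGELOG))
```

Run with no arguments to see the constructed sample flagged; against a real server, feed the ldapsearch output and a dump of cn=config in place of SAMPLE_CHANGELOG and SAMPLE_CONFIG. Whether the changelog search succeeded without binding answers the CVE-2014-8105 question; what the scan finds inside it, relative to the switch value, answers the CVE-2014-8112 one. The script only confirms exposure; the packages under Solution(s) are the fix.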

Solution(s)

  • redhat-upgrade-389-ds-base
  • redhat-upgrade-389-ds-base-debuginfo
  • redhat-upgrade-389-ds-base-devel
  • redhat-upgrade-389-ds-base-libs
