ID CVE-2008-2952
Summary liblber/io.c in OpenLDAP 2.2.4 to 2.4.10 allows remote attackers to cause a denial of service (program termination) via crafted ASN.1 BER datagrams that trigger an assertion error.
References
Vulnerable Configurations
  • cpe:2.3:a:openldap:openldap:2.2.4:*:*:*:*:*:*:*
    cpe:2.3:a:openldap:openldap:2.2.4:*:*:*:*:*:*:*
  • cpe:2.3:a:openldap:openldap:2.2.5:*:*:*:*:*:*:*
    cpe:2.3:a:openldap:openldap:2.2.5:*:*:*:*:*:*:*
  • cpe:2.3:a:openldap:openldap:2.2.6:*:*:*:*:*:*:*
    cpe:2.3:a:openldap:openldap:2.2.6:*:*:*:*:*:*:*
  • cpe:2.3:a:openldap:openldap:2.2.7:*:*:*:*:*:*:*
    cpe:2.3:a:openldap:openldap:2.2.7:*:*:*:*:*:*:*
  • cpe:2.3:a:openldap:openldap:2.2.8:*:*:*:*:*:*:*
    cpe:2.3:a:openldap:openldap:2.2.8:*:*:*:*:*:*:*
  • cpe:2.3:a:openldap:openldap:2.2.9:*:*:*:*:*:*:*
    cpe:2.3:a:openldap:openldap:2.2.9:*:*:*:*:*:*:*
  • cpe:2.3:a:openldap:openldap:2.3.4:*:*:*:*:*:*:*
    cpe:2.3:a:openldap:openldap:2.3.4:*:*:*:*:*:*:*
  • cpe:2.3:a:openldap:openldap:2.3.5:*:*:*:*:*:*:*
    cpe:2.3:a:openldap:openldap:2.3.5:*:*:*:*:*:*:*
  • cpe:2.3:a:openldap:openldap:2.3.6:*:*:*:*:*:*:*
    cpe:2.3:a:openldap:openldap:2.3.6:*:*:*:*:*:*:*
  • cpe:2.3:a:openldap:openldap:2.3.7:*:*:*:*:*:*:*
    cpe:2.3:a:openldap:openldap:2.3.7:*:*:*:*:*:*:*
  • cpe:2.3:a:openldap:openldap:2.3.8:*:*:*:*:*:*:*
    cpe:2.3:a:openldap:openldap:2.3.8:*:*:*:*:*:*:*
  • cpe:2.3:a:openldap:openldap:2.3.9:*:*:*:*:*:*:*
    cpe:2.3:a:openldap:openldap:2.3.9:*:*:*:*:*:*:*
  • cpe:2.3:a:openldap:openldap:2.3.10:*:*:*:*:*:*:*
    cpe:2.3:a:openldap:openldap:2.3.10:*:*:*:*:*:*:*
  • cpe:2.3:a:openldap:openldap:2.3.11:*:*:*:*:*:*:*
    cpe:2.3:a:openldap:openldap:2.3.11:*:*:*:*:*:*:*
  • cpe:2.3:a:openldap:openldap:2.3.12:*:*:*:*:*:*:*
    cpe:2.3:a:openldap:openldap:2.3.12:*:*:*:*:*:*:*
  • cpe:2.3:a:openldap:openldap:2.3.13:*:*:*:*:*:*:*
    cpe:2.3:a:openldap:openldap:2.3.13:*:*:*:*:*:*:*
  • cpe:2.3:a:openldap:openldap:2.3.14:*:*:*:*:*:*:*
    cpe:2.3:a:openldap:openldap:2.3.14:*:*:*:*:*:*:*
  • cpe:2.3:a:openldap:openldap:2.3.15:*:*:*:*:*:*:*
    cpe:2.3:a:openldap:openldap:2.3.15:*:*:*:*:*:*:*
  • cpe:2.3:a:openldap:openldap:2.3.16:*:*:*:*:*:*:*
    cpe:2.3:a:openldap:openldap:2.3.16:*:*:*:*:*:*:*
  • cpe:2.3:a:openldap:openldap:2.3.17:*:*:*:*:*:*:*
    cpe:2.3:a:openldap:openldap:2.3.17:*:*:*:*:*:*:*
  • cpe:2.3:a:openldap:openldap:2.3.18:*:*:*:*:*:*:*
    cpe:2.3:a:openldap:openldap:2.3.18:*:*:*:*:*:*:*
  • cpe:2.3:a:openldap:openldap:2.3.19:*:*:*:*:*:*:*
    cpe:2.3:a:openldap:openldap:2.3.19:*:*:*:*:*:*:*
  • cpe:2.3:a:openldap:openldap:2.3.20:*:*:*:*:*:*:*
    cpe:2.3:a:openldap:openldap:2.3.20:*:*:*:*:*:*:*
  • cpe:2.3:a:openldap:openldap:2.3.21:*:*:*:*:*:*:*
    cpe:2.3:a:openldap:openldap:2.3.21:*:*:*:*:*:*:*
  • cpe:2.3:a:openldap:openldap:2.3.22:*:*:*:*:*:*:*
    cpe:2.3:a:openldap:openldap:2.3.22:*:*:*:*:*:*:*
  • cpe:2.3:a:openldap:openldap:2.3.23:*:*:*:*:*:*:*
    cpe:2.3:a:openldap:openldap:2.3.23:*:*:*:*:*:*:*
  • cpe:2.3:a:openldap:openldap:2.3.24:*:*:*:*:*:*:*
    cpe:2.3:a:openldap:openldap:2.3.24:*:*:*:*:*:*:*
  • cpe:2.3:a:openldap:openldap:2.3.25:*:*:*:*:*:*:*
    cpe:2.3:a:openldap:openldap:2.3.25:*:*:*:*:*:*:*
  • cpe:2.3:a:openldap:openldap:2.3.26:*:*:*:*:*:*:*
    cpe:2.3:a:openldap:openldap:2.3.26:*:*:*:*:*:*:*
  • cpe:2.3:a:openldap:openldap:2.3.27:*:*:*:*:*:*:*
    cpe:2.3:a:openldap:openldap:2.3.27:*:*:*:*:*:*:*
  • cpe:2.3:a:openldap:openldap:2.3.28:*:*:*:*:*:*:*
    cpe:2.3:a:openldap:openldap:2.3.28:*:*:*:*:*:*:*
  • cpe:2.3:a:openldap:openldap:2.3.29:*:*:*:*:*:*:*
    cpe:2.3:a:openldap:openldap:2.3.29:*:*:*:*:*:*:*
  • cpe:2.3:a:openldap:openldap:2.3.30:*:*:*:*:*:*:*
    cpe:2.3:a:openldap:openldap:2.3.30:*:*:*:*:*:*:*
  • cpe:2.3:a:openldap:openldap:2.3.31:*:*:*:*:*:*:*
    cpe:2.3:a:openldap:openldap:2.3.31:*:*:*:*:*:*:*
  • cpe:2.3:a:openldap:openldap:2.3.32:*:*:*:*:*:*:*
    cpe:2.3:a:openldap:openldap:2.3.32:*:*:*:*:*:*:*
  • cpe:2.3:a:openldap:openldap:2.3.33:*:*:*:*:*:*:*
    cpe:2.3:a:openldap:openldap:2.3.33:*:*:*:*:*:*:*
  • cpe:2.3:a:openldap:openldap:2.3.34:*:*:*:*:*:*:*
    cpe:2.3:a:openldap:openldap:2.3.34:*:*:*:*:*:*:*
  • cpe:2.3:a:openldap:openldap:2.3.35:*:*:*:*:*:*:*
    cpe:2.3:a:openldap:openldap:2.3.35:*:*:*:*:*:*:*
  • cpe:2.3:a:openldap:openldap:2.3.36:*:*:*:*:*:*:*
    cpe:2.3:a:openldap:openldap:2.3.36:*:*:*:*:*:*:*
  • cpe:2.3:a:openldap:openldap:2.3.37:*:*:*:*:*:*:*
    cpe:2.3:a:openldap:openldap:2.3.37:*:*:*:*:*:*:*
  • cpe:2.3:a:openldap:openldap:2.3.38:*:*:*:*:*:*:*
    cpe:2.3:a:openldap:openldap:2.3.38:*:*:*:*:*:*:*
  • cpe:2.3:a:openldap:openldap:2.3.39:*:*:*:*:*:*:*
    cpe:2.3:a:openldap:openldap:2.3.39:*:*:*:*:*:*:*
  • cpe:2.3:a:openldap:openldap:2.3.40:*:*:*:*:*:*:*
    cpe:2.3:a:openldap:openldap:2.3.40:*:*:*:*:*:*:*
  • cpe:2.3:a:openldap:openldap:2.3.41:*:*:*:*:*:*:*
    cpe:2.3:a:openldap:openldap:2.3.41:*:*:*:*:*:*:*
  • cpe:2.3:a:openldap:openldap:2.3.42:*:*:*:*:*:*:*
    cpe:2.3:a:openldap:openldap:2.3.42:*:*:*:*:*:*:*
  • cpe:2.3:a:openldap:openldap:2.3.43:*:*:*:*:*:*:*
    cpe:2.3:a:openldap:openldap:2.3.43:*:*:*:*:*:*:*
  • cpe:2.3:a:openldap:openldap:2.4.10:*:*:*:*:*:*:*
    cpe:2.3:a:openldap:openldap:2.4.10:*:*:*:*:*:*:*
CVSS
Base: 5.0 (as of 11-10-2018 - 20:45)
Impact:
Exploitability:
CWE CWE-399
CAPEC
Access
VectorComplexityAuthentication
NETWORK LOW NONE
Impact
ConfidentialityIntegrityAvailability
NONE NONE PARTIAL
cvss-vector via4 AV:N/AC:L/Au:N/C:N/I:N/A:P
oval via4
accepted 2013-04-29T04:07:32.516-04:00
class vulnerability
contributors
  • name Aharon Chernin
    organization SCAP.com, LLC
  • name Dragos Prisaca
    organization G2, Inc.
definition_extensions
  • comment The operating system installed on the system is Red Hat Enterprise Linux 4
    oval oval:org.mitre.oval:def:11831
  • comment CentOS Linux 4.x
    oval oval:org.mitre.oval:def:16636
  • comment Oracle Linux 4.x
    oval oval:org.mitre.oval:def:15990
  • comment The operating system installed on the system is Red Hat Enterprise Linux 5
    oval oval:org.mitre.oval:def:11414
  • comment The operating system installed on the system is CentOS Linux 5.x
    oval oval:org.mitre.oval:def:15802
  • comment Oracle Linux 5.x
    oval oval:org.mitre.oval:def:15459
description liblber/io.c in OpenLDAP 2.2.4 to 2.4.10 allows remote attackers to cause a denial of service (program termination) via crafted ASN.1 BER datagrams that trigger an assertion error.
family unix
id oval:org.mitre.oval:def:10662
status accepted
submitted 2010-07-09T03:56:16-04:00
title liblber/io.c in OpenLDAP 2.2.4 to 2.4.10 allows remote attackers to cause a denial of service (program termination) via crafted ASN.1 BER datagrams that trigger an assertion error.
version 24
redhat via4
advisories
bugzilla
id 453444
title CVE-2008-2952 OpenLDAP denial-of-service flaw in ASN.1 decoder
oval
OR
  • AND
    • comment Red Hat Enterprise Linux 4 is installed
      oval oval:com.redhat.rhba:tst:20070304001
    • OR
      • AND
        • comment compat-openldap is earlier than 0:2.1.30-8.el4_6.5
          oval oval:com.redhat.rhsa:tst:20080583008
        • comment compat-openldap is signed with Red Hat master key
          oval oval:com.redhat.rhsa:tst:20070310013
      • AND
        • comment openldap is earlier than 0:2.2.13-8.el4_6.5
          oval oval:com.redhat.rhsa:tst:20080583002
        • comment openldap is signed with Red Hat master key
          oval oval:com.redhat.rhsa:tst:20070310003
      • AND
        • comment openldap-clients is earlier than 0:2.2.13-8.el4_6.5
          oval oval:com.redhat.rhsa:tst:20080583010
        • comment openldap-clients is signed with Red Hat master key
          oval oval:com.redhat.rhsa:tst:20070310007
      • AND
        • comment openldap-devel is earlier than 0:2.2.13-8.el4_6.5
          oval oval:com.redhat.rhsa:tst:20080583004
        • comment openldap-devel is signed with Red Hat master key
          oval oval:com.redhat.rhsa:tst:20070310009
      • AND
        • comment openldap-servers is earlier than 0:2.2.13-8.el4_6.5
          oval oval:com.redhat.rhsa:tst:20080583012
        • comment openldap-servers is signed with Red Hat master key
          oval oval:com.redhat.rhsa:tst:20070310005
      • AND
        • comment openldap-servers-sql is earlier than 0:2.2.13-8.el4_6.5
          oval oval:com.redhat.rhsa:tst:20080583006
        • comment openldap-servers-sql is signed with Red Hat master key
          oval oval:com.redhat.rhsa:tst:20070310011
  • AND
    • comment Red Hat Enterprise Linux 5 is installed
      oval oval:com.redhat.rhba:tst:20070331001
    • OR
      • AND
        • comment compat-openldap is earlier than 0:2.3.27_2.2.29-8.el5_2.4
          oval oval:com.redhat.rhsa:tst:20080583021
        • comment compat-openldap is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20071037011
      • AND
        • comment openldap is earlier than 0:2.3.27-8.el5_2.4
          oval oval:com.redhat.rhsa:tst:20080583015
        • comment openldap is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20071037003
      • AND
        • comment openldap-clients is earlier than 0:2.3.27-8.el5_2.4
          oval oval:com.redhat.rhsa:tst:20080583023
        • comment openldap-clients is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20071037005
      • AND
        • comment openldap-devel is earlier than 0:2.3.27-8.el5_2.4
          oval oval:com.redhat.rhsa:tst:20080583019
        • comment openldap-devel is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20071037009
      • AND
        • comment openldap-servers is earlier than 0:2.3.27-8.el5_2.4
          oval oval:com.redhat.rhsa:tst:20080583025
        • comment openldap-servers is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20071037007
      • AND
        • comment openldap-servers-sql is earlier than 0:2.3.27-8.el5_2.4
          oval oval:com.redhat.rhsa:tst:20080583017
        • comment openldap-servers-sql is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20071037013
rhsa
id RHSA-2008:0583
released 2008-07-09
severity Important
title RHSA-2008:0583: openldap security update (Important)
rpms
  • compat-openldap-0:2.1.30-8.el4_6.5
  • openldap-0:2.2.13-8.el4_6.5
  • openldap-clients-0:2.2.13-8.el4_6.5
  • openldap-devel-0:2.2.13-8.el4_6.5
  • openldap-servers-0:2.2.13-8.el4_6.5
  • openldap-servers-sql-0:2.2.13-8.el4_6.5
  • compat-openldap-0:2.3.27_2.2.29-8.el5_2.4
  • openldap-0:2.3.27-8.el5_2.4
  • openldap-clients-0:2.3.27-8.el5_2.4
  • openldap-devel-0:2.3.27-8.el5_2.4
  • openldap-servers-0:2.3.27-8.el5_2.4
  • openldap-servers-sql-0:2.3.27-8.el5_2.4
refmap via4
apple APPLE-SA-2008-07-31
bid 30013
bugtraq 20080811 rPSA-2008-0249-1 openldap openldap-clients openldap-servers
confirm
debian DSA-1650
fedora
  • FEDORA-2008-6029
  • FEDORA-2008-6062
gentoo GLSA-200808-09
mandriva MDVSA-2008:144
misc http://www.zerodayinitiative.com/advisories/ZDI-08-052/
mlist
  • [oss-security 20080701 Re: [oss-security] openldap DoS
  • [oss-security] 20080713 Re: openldap DoS
sectrack 1020405
secunia
  • 30853
  • 30917
  • 30996
  • 31326
  • 31364
  • 31436
  • 32254
  • 32316
suse SUSE-SR:2008:021
ubuntu USN-634-1
vupen
  • ADV-2008-1978
  • ADV-2008-2268
xf openldap-bergetnext-dos(43515)
Last major update 11-10-2018 - 20:45
Published 01-07-2008 - 21:41
Back to Top