user/openldap: multiple vulnerabilities
| Bugzilla ID | 165 |
| Alias(es) | CVE-2019-13057, CVE-2019-13565 |
| Reporter | Max Rees (sroracle) |
| Assignee | Max Rees (sroracle) |
| Reported | 2019-07-31 10:54:52 -0500 |
| Modified | 2019-08-04 19:18:42 -0500 |
| Status | RESOLVED FIXED |
| Version | 1.0-BETA3 |
| Hardware | Adélie Linux / All |
| Importance | --- / normal |
Description
CVE-2019-13057: https://nvd.nist.gov/vuln/detail/CVE-2019-13057
An issue was discovered in the server in OpenLDAP before 2.4.48. When
the server administrator delegates rootDN (database admin) privileges
for certain databases but wants to maintain isolation (e.g., for
multi-tenant deployments), slapd does not properly stop a rootDN from
requesting authorization as an identity from another database during a
SASL bind or with a proxyAuthz (RFC 4370) control. (It is not a common
configuration to deploy a system where the server administrator and a
DB administrator enjoy different levels of trust.)
CVE-2019-13565: https://nvd.nist.gov/vuln/detail/CVE-2019-13565
An issue was discovered in OpenLDAP 2.x before 2.4.48. When using SASL
authentication and session encryption, and relying on the SASL
security layers in slapd access controls, it is possible to obtain
access that would otherwise be denied via a simple bind for any
identity covered in those ACLs. After the first SASL bind is
completed, the sasl_ssf value is retained for all new non-SASL
connections. Depending on the ACL configuration, this can affect
different types of operations (searches, modifications, etc.). In
other words, a successful authorization step completed by one user
affects the authorization requirement for a different user.