SVG:Advisory-SVG-2015-CVE-2015-6908
** White information - Unlimited distribution allowed **
** see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions **

Title:   EGI SVG Advisory 'Moderate' risk - OpenLDAP remote DoS vulnerability - CVE-2015-6908
Date:    2015-10-06
Updated: 2016-07-27
URL:     https://wiki.egi.eu/wiki/SVG:Advisory-SVG-2015-CVE-2015-6908

Introduction
============

**Originally**

A vulnerability exists in OpenLDAP which allows an unauthenticated remote DoS, and an exploit is publicly available. BDII, which is used to find information on deployed services in the Grid, depends on OpenLDAP. However, the latest version of OpenLDAP does not work reliably with BDII.

**UPDATE**

The version of OpenLDAP available with RedHat 6.8 should work with BDII and solve the vulnerability issue. This is now available in Scientific Linux 6.8 and CentOS too.

Details
=======

Previously:--

For more information see [R 1] and [R 2].

The public exploit has been successfully tested by the reporter of this issue, and the EGI Grid infrastructure may be seen as vulnerable to a trivial remote DoS attack. It is fairly easy to attack a site and bring down services. However, it is easy to detect that the service has crashed and restart it, and given suitable logs it should be easy to see where the attacks are coming from and block them using a firewall.

The latest version of OpenLDAP in some cases crashes under high load and does not work reliably with BDII. Upgrading may therefore impact service even when the service is not being attacked, so upgrading is not recommended at present, as described in [R 3].

**UPDATE**:--

The version of OpenLDAP available with RedHat 6.8 should work with BDII and solve the vulnerability issue. This is now available in Scientific Linux 6.8 and CentOS too.

Risk category
=============

This issue has been assessed as 'Moderate' risk by the EGI SVG Risk Assessment Team.
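The Details section notes that, with suitable logs, the origin of the crashes can be identified and blocked at the firewall, and the Component installation section below names the fixed package. The following Python script is an added example for this page, not EGI, BDII or OpenLDAP code. It assumes slapd logs connections with the "stats" loglevel (the `conn=N fd=M ACCEPT from IP=...` lines) and that a crash leaves a kernel segfault line for the slapd process; the log lines and package names it processes are constructed, and the crash pattern is an assumption that a site should adjust to whatever its own logs actually show. The version check compares an el6 build against openldap-2.4.40-12.el6 and is only meaningful for RedHat 6 and its derivatives, since Red Hat backports fixes rather than rebasing.

```python
"""Correlate slapd crashes with the connections that preceded them.

This is an added example for this advisory, not EGI, BDII or OpenLDAP code.
Assumptions that the advisory does not state:
  * slapd runs with the "stats" loglevel, so each accepted connection is
    logged as  conn=N fd=M ACCEPT from IP=a.b.c.d:port (IP=0.0.0.0:port)
  * a crash shows up as a kernel segfault line for the slapd process; a
    site whose crashes look different must adjust CRASH_RE accordingly.
  * only IPv4 client addresses are handled.
SAMPLE_LOG is constructed for the example.
"""
import re
from datetime import datetime

# RHEL 6 syslog prefix: "Oct  6 10:15:01 host program[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) \S+ (?P<msg>.*)$")
ACCEPT_RE = re.compile(
    r"slapd\[\d+\]: conn=\d+ fd=\d+ ACCEPT from IP=(?P<ip>\d+(?:\.\d+){3}):\d+")
CRASH_RE = re.compile(r"kernel: slapd\[\d+\]: segfault")  # assumed crash marker

# el6 package name as printed by `rpm -q openldap`, e.g. openldap-2.4.40-12.el6.x86_64
NVR_RE = re.compile(r"^openldap-(\d+)\.(\d+)\.(\d+)-(\d+)\.el6")
FIXED_EL6 = ((2, 4, 40), 12)  # openldap-2.4.40-12.el6, the fixed build per this advisory

SAMPLE_LOG = """\
Oct  6 10:14:20 bdii01 slapd[4321]: conn=1001 fd=12 ACCEPT from IP=192.0.2.10:40312 (IP=0.0.0.0:2170)
Oct  6 10:14:55 bdii01 slapd[4321]: conn=1002 fd=13 ACCEPT from IP=198.51.100.7:51234 (IP=0.0.0.0:2170)
Oct  6 10:15:01 bdii01 kernel: slapd[4321]: segfault at 0 ip 00007f3a1c2b4d5e sp 00007ffd1a2b3c40 error 4
Oct  6 10:15:30 bdii01 slapd[4400]: conn=1000 fd=12 ACCEPT from IP=192.0.2.11:40400 (IP=0.0.0.0:2170)
Oct  6 10:16:40 bdii01 slapd[4400]: conn=1001 fd=13 ACCEPT from IP=198.51.100.7:51240 (IP=0.0.0.0:2170)
Oct  6 10:16:42 bdii01 kernel: slapd[4400]: segfault at 0 ip 00007f3a1c2b4d5e sp 00007ffd1a2b3c40 error 4
""".splitlines()


def parse_ts(ts):
    """Classic syslog has no year; every line is taken to be from the same year."""
    return datetime.strptime(ts, "%b %d %H:%M:%S")


def suspect_sources(lines, window_s=60):
    """Return {ip: count} of clients that connected within window_s seconds
    before a slapd crash.  An IP seen before several crashes scores higher,
    which separates the attacker from clients that merely happened to be
    connected at the time."""
    accepts, crashes = [], []
    for line in lines:
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        ts, msg = parse_ts(m.group("ts")), m.group("msg")
        a = ACCEPT_RE.search(msg)
        if a:
            accepts.append((ts, a.group("ip")))
        elif CRASH_RE.search(msg):
            crashes.append(ts)
    hits = {}
    for crash in crashes:
        for ts, ip in accepts:
            if 0 <= (crash - ts).total_seconds() <= window_s:
                hits[ip] = hits.get(ip, 0) + 1
    return hits


def iptables_rules(hits, min_hits):
    """Render DROP rules for sources seen before at least min_hits crashes,
    most frequent first.  Returned as text for review, not executed."""
    ranked = sorted(hits.items(), key=lambda kv: (-kv[1], kv[0]))
    return ["iptables -I INPUT -s %s -j DROP" % ip for ip, n in ranked if n >= min_hits]


def is_fixed_openldap(nvr):
    """True if an el6 openldap package is at or above openldap-2.4.40-12.el6.
    Red Hat backports fixes, so this comparison is only valid for el6 builds;
    it says nothing about packages from other distributions."""
    m = NVR_RE.match(nvr)
    if not m:
        raise ValueError("not an el6 openldap package: %r" % nvr)
    version = tuple(int(x) for x in m.group(1, 2, 3))
    return (version, int(m.group(4))) >= FIXED_EL6


if __name__ == "__main__":
    hits = suspect_sources(SAMPLE_LOG)
    print("connections preceding crashes:", hits)
    for rule in iptables_rules(hits, min_hits=2):
        print(rule)
    for pkg in ("openldap-2.4.23-34.el6_5.1.x86_64", "openldap-2.4.40-12.el6.x86_64"):
        print(pkg, "fixed" if is_fixed_openldap(pkg) else "NOT fixed")
```

Run it over /var/log/messages (or the slapd log if it is written separately) and review the printed rules before applying them: a client that appears before every crash is a far better candidate for blocking than one that happened to be connected once, so raise `min_hits` as the number of observed crashes grows.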
Affected software
=================

This is fully resolved in openldap-2.4.40-12.el6 for RedHat 6 and derivatives, both in terms of not being vulnerable and of working efficiently with BDII.

Mitigation
==========

Sites should check their logs if services related to OpenLDAP or BDII appear to crash for no reason.

Component installation information
==================================

Updated:--

The openldap version that fixes the vulnerability in SL6 and works reliably with BDII is openldap-2.4.40-12.el6. It is available in RedHat 6.8 and its derivatives.

Note that the bdii service needs to be restarted after updating openldap.

Recommendations
===============

Previously:--

At this time there is no openldap version that has the fix _and_ works reliably for the BDII. Sites are recommended to keep using the last stable version for resource, site and top BDII services.

If sites find that BDII is crashing and they have not upgraded OpenLDAP, they should investigate their logs to see if there is a possible incident.

UPDATE:--

This is fully resolved if sites upgrade to RedHat 6.8 or derivatives, so sites that have not already done so should update to a suitable version when it is convenient.

Other Information
=================

This issue is a DoS, and DoS issues are normally rated as 'Low' risk. However, since a publicly available exploit exists which does not require authentication, in this case we have assessed it as 'Moderate' risk, due to the potential impact on the availability of the infrastructure.

Previous statement:--

This is also being distributed as 'Amber', when normally a Moderate risk vulnerability would be distributed as 'White', to avoid drawing attention to the fact that this issue exists in EGI and is not resolved.
**UPDATE**

The issue is now resolved in the version of OpenLDAP shipped with RedHat 6.8, which is also available in Scientific Linux 6.8 and CentOS.

Credit
======

EGI SVG was alerted to this vulnerability by Jan Astalos.

References
==========

[R 1] OpenLDAP ITS#8240: http://www.openldap.org/its/index.cgi/Software%20Bugs?id=8240
[R 2] NVD entry for CVE-2015-6908: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-6908
[R 3] Red Hat Bugzilla 1257543: https://bugzilla.redhat.com/show_bug.cgi?id=1257543
[R 4] Red Hat erratum RHBA-2016:0943: https://rhn.redhat.com/errata/RHBA-2016-0943.html

Comments
========

Comments or questions should be sent to svg-rat at mailman.egi.eu

We are currently revising the vulnerability issue handling procedure, so suggestions and comments are welcome.

Timeline
========

Yyyy-mm-dd

2015-09-30 SVG alerted to this issue by Jan Astalos
2015-09-30 Acknowledgement from the EGI SVG to the reporter
2015-09-30 Discussion on potential impact and risk
2015-09-30 Decision to simply send an advisory, to inform sites of the situation with OpenLDAP
2015-10-01 Further discussions on contents of the advisory
2015-10-06 Advisory sent to sites
2016-07-25 New version of OpenLDAP now available in Scientific Linux 6.8, which fully resolves this issue
2016-07-27 Advisory updated
2016-08-15 Public disclosure