Bug 1730477 (CVE-2019-13565)

Summary: CVE-2019-13565 openldap: ACL restrictions bypass due to sasl_ssf value being set permanently
Product: [Other] Security Response Reporter: Pedro Sampaio <psampaio>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: aprajapa, asoldano, bbaranow, bmaxwell, brian.stansberry, cdewolf, chazlett, csutherl, darran.lofthouse, dosoudil, gzaronik, iweiss, jawilson, jclere, jperkins, krathod, kwills, lgao, mbabacek, msochure, msvehla, msweiker, mturk, myarboro, nwallace, pmackay, psotirop, rguimara, rsvoboda, scorneli, security-response-team, smaestri, spichugi, tom.jenkinson, twalsh, vashirov, weli, yjog, yozone
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: openldap 2.4.48 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-12-10 16:15:55 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1738898, 1738926, 1740758    
Bug Blocks: 1730478    

Description Pedro Sampaio 2019-07-16 20:10:47 UTC 
A flaw was found in OpenLDAP before version 2.4.48. An improper authorization issue in cyrus-sasl based SASL mechanisms may lead to ACL bypass.

References:

https://bugzilla.redhat.com/show_bug.cgi?id=1728902
Comment 1 Joshua Padman 2019-08-06 05:33:36 UTC 
This vulnerability is out of security support scope for the following product:
 * Red Hat Enterprise Application Platform 5
 * Red Hat JBoss Web Server 2 
 * Red Hat JBoss Core Services

Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.
Comment 2 Stefan Cornelius 2019-08-08 11:36:53 UTC 
External References:

http://www.openldap.org/lists/openldap-announce/201907/msg00001.html
https://openldap.org/its/?findid=9052
Comment 3 Stefan Cornelius 2019-08-08 11:37:10 UTC 
Created openldap tracking bugs for this issue:

Affects: fedora-all [bug 1738898]
Comment 4 Stefan Cornelius 2019-08-08 11:47:27 UTC 
Patch:
https://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=commit;h=0fa0f8ff078a3a49a19574eecaea797b7a55a665
Comment 16 Doran Moppert 2021-04-14 05:12:07 UTC 
Statement:

This issue did not affect the versions of openldap as shipped with Red Hat Enterprise Linux 8, as it only affects the openldap-servers package, which is not shipped.