It was discovered that Red Hat Directory Server and Fedora Directory Server is prone to a temporary denial of service attack (high CPU usage) via crafted LDAP search patterns. LDAP search patterns are internally translated to regular expressions. If the regular expression is matched against specially crafted record already stored in the LDAP, it may cause regular expression NFA to iterate over large amount of states, causing one slapd thread to occupy CPU for excessive amount of time. Additionally, due to a current design of the regular expression handling code, only one slapd thread can execute regular expression NFA code at the time. Because of that, during the processing of such CPU intensive search request, all other search requests using patterns are blocked. Affected version: Red Hat Directory Server 7.1 and 8 Fedora Directory Server 1.1.1
Issue can possibly be triggered by anonymous user, assuming certain value to match regular expression against is already available in the LDAP (hence AC:H): 2.6/AV:N/AC:H/Au:N/C:N/I:N/A:P Authenticated LDAP user with write access to the directory can enter value needed to trigger the problem to the directory: 4.0/AV:N/AC:L/Au:S/C:N/I:N/A:P
This issue was discovered and reported by Ulf Weltman of Hewlett Packard.
Lifting embargo.
bug verified. Check for errata : http://errata.devel.redhat.com/errata/show/7676 for "how to verify"
fedora-ds-base-1.1.2-1.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.
fedora-ds-base-1.1.2-1.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
This was addressed via: Red Hat Directory Server 7.1 (for AS v. 3) (RHSA-2008:0596) Red Hat Directory Server 8.0 (for AS v. 4) (RHSA-2008:0602) Red Hat Directory Server 8 (for RHEL 5 Server) (RHSA-2008:0602) Red Hat IPA 1 for RHEL 5 Server (RHSA-2008:0858)