It was discovered that Red Hat Directory Server and Fedora Directory Server is
prone to a temporary denial of service attack (high CPU usage) via crafted LDAP
search patterns. LDAP search patterns are internally translated to regular
expressions. If the regular expression is matched against specially crafted
record already stored in the LDAP, it may cause regular expression NFA to
iterate over large amount of states, causing one slapd thread to occupy CPU for
excessive amount of time.
Additionally, due to a current design of the regular expression handling code,
only one slapd thread can execute regular expression NFA code at the time.
Because of that, during the processing of such CPU intensive search request, all
other search requests using patterns are blocked.
Red Hat Directory Server 7.1 and 8
Fedora Directory Server 1.1.1
Issue can possibly be triggered by anonymous user, assuming certain value to
match regular expression against is already available in the LDAP (hence AC:H):
Authenticated LDAP user with write access to the directory can enter value
needed to trigger the problem to the directory:
This issue was discovered and reported by Ulf Weltman of Hewlett Packard.
Check for errata :
for "how to verify"
fedora-ds-base-1.1.2-1.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.
fedora-ds-base-1.1.2-1.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
This was addressed via:
Red Hat Directory Server 7.1 (for AS v. 3) (RHSA-2008:0596)
Red Hat Directory Server 8.0 (for AS v. 4) (RHSA-2008:0602)
Red Hat Directory Server 8 (for RHEL 5 Server) (RHSA-2008:0602)
Red Hat IPA 1 for RHEL 5 Server (RHSA-2008:0858)