Bug 454065 - (CVE-2008-2930) CVE-2008-2930 Directory Server: temporary DoS via crafted pattern searches
CVE-2008-2930 Directory Server: temporary DoS via crafted pattern searches
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
low Severity low
: ---
: ---
Assigned To: Red Hat Product Security
source=hp,reported=20080528,public=20...
: Security
Depends On: 448831
Blocks:
  Show dependency treegraph
 
Reported: 2008-07-04 04:49 EDT by Tomas Hoger
Modified: 2010-12-23 16:12 EST (History)
5 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2010-12-23 16:12:01 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)

  None (edit)
Description Tomas Hoger 2008-07-04 04:49:51 EDT
It was discovered that Red Hat Directory Server and Fedora Directory Server is
prone to a temporary denial of service attack (high CPU usage) via crafted LDAP
search patterns.  LDAP search patterns are internally translated to regular
expressions.  If the regular expression is matched against specially crafted
record already stored in the LDAP, it may cause regular expression NFA to
iterate over large amount of states, causing one slapd thread to occupy CPU for
excessive amount of time.

Additionally, due to a current design of the regular expression handling code,
only one slapd thread can execute regular expression NFA code at the time. 
Because of that, during the processing of such CPU intensive search request, all
other search requests using patterns are blocked.

Affected version:
Red Hat Directory Server 7.1 and 8
Fedora Directory Server 1.1.1
Comment 1 Tomas Hoger 2008-07-04 04:56:54 EDT
Issue can possibly be triggered by anonymous user, assuming certain value to
match regular expression against is already available in the LDAP (hence AC:H):

  2.6/AV:N/AC:H/Au:N/C:N/I:N/A:P

Authenticated LDAP user with write access to the directory can enter value
needed to trigger the problem to the directory:

  4.0/AV:N/AC:L/Au:S/C:N/I:N/A:P
Comment 2 Tomas Hoger 2008-08-08 04:39:07 EDT
This issue was discovered and reported by Ulf Weltman of Hewlett Packard.
Comment 3 Tomas Hoger 2008-08-27 16:16:30 EDT
Lifting embargo.
Comment 4 Yi Zhang 2008-08-29 20:59:55 EDT
bug verified. 

Check for errata : 
http://errata.devel.redhat.com/errata/show/7676

for "how to verify"
Comment 5 Fedora Update System 2008-09-11 12:57:55 EDT
fedora-ds-base-1.1.2-1.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 6 Fedora Update System 2008-09-11 13:04:53 EDT
fedora-ds-base-1.1.2-1.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 7 Vincent Danen 2010-12-23 16:12:01 EST
This was addressed via:

Red Hat Directory Server 7.1 (for AS v. 3) (RHSA-2008:0596)
Red Hat Directory Server 8.0 (for AS v. 4)  (RHSA-2008:0602)
Red Hat Directory Server 8 (for RHEL 5 Server) (RHSA-2008:0602)
Red Hat IPA 1 for RHEL 5 Server (RHSA-2008:0858)

Note You need to log in before you can comment on or make changes to this bug.