CVE编号
CVE-2019-13565利用情况
暂无补丁情况
官方补丁披露时间
2019-07-27漏洞描述
2.4.48之前在OpenLDAP 2.x中发现了一个问题。使用SASL身份验证和会话加密,并依赖slapd访问控制中的SASL安全层时,可以获得访问权限,否则将通过对这些ACL中涵盖的任何身份的简单绑定来拒绝访问。完成第一个SASL绑定后,将为所有新的非SASL连接保留sasl_ssf值。根据ACL配置,这可能会影响不同类型的操作(搜索,修改等)。换句话说,一个用户完成的成功授权步骤会影响不同用户的授权要求。解决建议
建议您更新当前系统或软件至最新版,完成漏洞的修复。
参考链接 |
|
|---|---|
| http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00053.html | |
| http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00058.html | |
| http://seclists.org/fulldisclosure/2019/Dec/26 | |
| https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a70533... | |
| https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db560... | |
| https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61... | |
| https://lists.debian.org/debian-lts-announce/2019/08/msg00024.html | |
| https://seclists.org/bugtraq/2019/Dec/23 | |
| https://support.apple.com/kb/HT210788 | |
| https://support.f5.com/csp/article/K98008862?utm_source=f5support&utm_medium=RSS | |
| https://usn.ubuntu.com/4078-1/ | |
| https://usn.ubuntu.com/4078-2/ | |
| https://www.openldap.org/its/index.cgi/?findid=9052 | |
| https://www.openldap.org/lists/openldap-announce/201907/msg00001.html | |
| https://www.oracle.com/security-alerts/cpuapr2020.html |
受影响软件情况
| # | 类型 | 厂商 | 产品 | 版本 | 影响面 | ||||
| 1 | |||||||||
|---|---|---|---|---|---|---|---|---|---|
| 运行在以下环境 | |||||||||
| 应用 | openldap | openldap | * |
From (including) 2.0 |
Up to (including) 2.4.47 |
||||
| 运行在以下环境 | |||||||||
| 系统 | alpine_3.10 | openldap | * |
Up to (excluding) 2.4.48-r0 |
|||||
| 运行在以下环境 | |||||||||
| 系统 | alpine_3.11 | openldap | * |
Up to (excluding) 2.4.48-r0 |
|||||
| 运行在以下环境 | |||||||||
| 系统 | alpine_3.12 | openldap | * |
Up to (excluding) 2.4.48-r0 |
|||||
| 运行在以下环境 | |||||||||
| 系统 | alpine_3.13 | openldap | * |
Up to (excluding) 2.4.48-r0 |
|||||
| 运行在以下环境 | |||||||||
| 系统 | alpine_3.14 | openldap | * |
Up to (excluding) 2.4.48-r0 |
|||||
| 运行在以下环境 | |||||||||
| 系统 | alpine_3.15 | openldap | * |
Up to (excluding) 2.4.48-r0 |
|||||
| 运行在以下环境 | |||||||||
| 系统 | alpine_3.7 | openldap | * |
Up to (excluding) 2.4.48-r0 |
|||||
| 运行在以下环境 | |||||||||
| 系统 | alpine_3.8 | openldap | * |
Up to (excluding) 2.4.48-r0 |
|||||
| 运行在以下环境 | |||||||||
| 系统 | alpine_3.9 | openldap | * |
Up to (excluding) 2.4.48-r0 |
|||||
| 运行在以下环境 | |||||||||
| 系统 | alpine_edge | openldap | * |
Up to (excluding) 2.4.48-r0 |
|||||
| 运行在以下环境 | |||||||||
| 系统 | debian_10 | openldap | * |
Up to (excluding) 2.4.47+dfsg-3+deb10u1 |
|||||
| 运行在以下环境 | |||||||||
| 系统 | debian_8 | openldap | * |
Up to (excluding) 2.4.40+dfsg-1+deb8u1 |
|||||
| 运行在以下环境 | |||||||||
| 系统 | debian_9 | openldap | * |
Up to (excluding) 2.4.44+dfsg-5+deb9u3 |
|||||
| 运行在以下环境 | |||||||||
| 系统 | opensuse_Leap_15.0 | openldap | * |
Up to (excluding) 2.4.46-lp150.13.1 |
|||||
| 运行在以下环境 | |||||||||
| 系统 | opensuse_Leap_15.1 | openldap | * |
Up to (excluding) 2.4.46-lp151.10.3.1 |
|||||
| 运行在以下环境 | |||||||||
| 系统 | suse_12_SP4 | openldap | * |
Up to (excluding) 2.4.41-18.63.1 |
|||||
| 运行在以下环境 | |||||||||
| 系统 | ubuntu_14.04 | openldap | * |
Up to (excluding) 2.4.31-1+nmu2ubuntu8.5+esm1 |
|||||
| 运行在以下环境 | |||||||||
| 系统 | ubuntu_16.04 | openldap | * |
Up to (excluding) 2.4.42+dfsg-2ubuntu3.6 |
|||||
| 运行在以下环境 | |||||||||
| 系统 | ubuntu_18.04 | openldap | * |
Up to (excluding) 2.4.45+dfsg-1ubuntu1.3 |
|||||
- 攻击路径 远程
- 攻击复杂度 复杂
- 权限要求 无需权限
- 影响范围 有限影响
- EXP成熟度 未验证
- 补丁情况 官方补丁
- 数据保密性 无影响
- 数据完整性 无影响
- 服务器危害 无影响
- 全网数量 100
还没有评论,来说两句吧...