Headline
Ubuntu Security Notice USN-5424-1
Ubuntu Security Notice 5424-1 - It was discovered that OpenLDAP incorrectly handled certain SQL statements within LDAP queries in the experimental back-sql backend. A remote attacker could possibly use this issue to perform an SQL injection attack and alter the database.
==========================================================================
Ubuntu Security Notice USN-5424-1
May 17, 2022
openldap vulnerability
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 22.04 LTS
- Ubuntu 21.10
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
Summary:
OpenLDAP could be made to perform arbitrary modifications to the database.
Software Description:
- openldap: Lightweight Directory Access Protocol
Details:
It was discovered that OpenLDAP incorrectly handled certain SQL statements
within LDAP queries in the experimental back-sql backend. A remote attacker
could possibly use this issue to perform an SQL injection attack and alter
the database.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 22.04 LTS:
slapd 2.5.11+dfsg-1~exp1ubuntu3.1
Ubuntu 21.10:
slapd 2.5.6+dfsg-1~exp1ubuntu1.1
Ubuntu 20.04 LTS:
slapd 2.4.49+dfsg-2ubuntu1.9
Ubuntu 18.04 LTS:
slapd 2.4.45+dfsg-1ubuntu1.11
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-5424-1
CVE-2022-29155
Package Information:
https://launchpad.net/ubuntu/+source/openldap/2.5.11+dfsg-1~exp1ubuntu3.1
https://launchpad.net/ubuntu/+source/openldap/2.5.6+dfsg-1~exp1ubuntu1.1
https://launchpad.net/ubuntu/+source/openldap/2.4.49+dfsg-2ubuntu1.9
https://launchpad.net/ubuntu/+source/openldap/2.4.45+dfsg-1ubuntu1.11
Related news
Dell VxRail, versions prior to 7.0.410, contain a Container Escape Vulnerability. A local high-privileged attacker could potentially exploit this vulnerability, leading to the execution of arbitrary OS commands on the container's underlying OS. Exploitation may lead to a system take over by an attacker.
Ubuntu Security Notice 5424-2 - USN-5424-1 fixed a vulnerability in OpenLDAP. This update provides the corresponding update for Ubuntu 14.04 ESM and Ubuntu 16.04 ESM. It was discovered that OpenLDAP incorrectly handled certain SQL statements within LDAP queries in the experimental back-sql backend. A remote attacker could possibly use this issue to perform an SQL injection attack and alter the database.
In OpenLDAP 2.x before 2.5.12 and 2.6.x before 2.6.2, a SQL injection vulnerability exists in the experimental back-sql backend to slapd, via a SQL statement within an LDAP query. This can occur during an LDAP search operation when the search filter is processed, due to a lack of proper escaping.