RHSA-2023:3489: Red Hat Security Advisory: redhat-ds:12 security, bug fix, and enhancement update

An update for the redhat-ds:12 module is now available for Red Hat Directory Server 12.1 for RHEL 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:

  • CVE-2023-1055: A flaw was found in RHDS 11 and 12. While browsing entries, LDAP tries to decode the userPassword attribute instead of the userCertificate attribute, which could lead to sensitive information being leaked. This issue could allow an attacker with a local account, on a host where cockpit-389-ds is running, to list processes and display hashed passwords. The highest threat is to data confidentiality.
Red Hat Security Data

Issued: 2023-06-06

Updated: 2023-06-06

RHSA-2023:3489 - Security Advisory

Synopsis

Moderate: redhat-ds:12 security, bug fix, and enhancement update

Type/Severity

Security Advisory: Moderate

Description

Red Hat Directory Server is an LDAPv3-compliant directory server. The suite of packages includes the Lightweight Directory Access Protocol (LDAP) server, as well as command-line utilities and Web UI packages for server administration.

Security Fix(es):

  • RHDS: LDAP browser tries to decode userPassword instead of userCertificate attribute (CVE-2023-1055)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Users of Red Hat Directory Server 12 are advised to upgrade to these updated packages.

Affected Products

  • Red Hat Directory Server 12 x86_64

Fixes

  • BZ - 2151865 - dscreate tries to relabel directories for non-root instance
  • BZ - 2168723 - lib389 password policy DN handling is incorrect
  • BZ - 2173517 - CVE-2023-1055 RHDS: LDAP browser tries to decode userPassword instead of userCertificate attribute

Red Hat Directory Server 12

SRPM

389-ds-base-2.1.8-1.module+el9dsrv+18377+a10e6f72.src.rpm

SHA-256: a3f15bbf24802ba47ce879fec112d8846df70956fad01aaef3e55dd660110174

x86_64

389-ds-base-2.1.8-1.module+el9dsrv+18377+a10e6f72.x86_64.rpm

SHA-256: 2d14649d81275cc2b8079f8fa00c3aa53be06ee33179469bbb01664aae2a8f1d

389-ds-base-debuginfo-2.1.8-1.module+el9dsrv+18377+a10e6f72.x86_64.rpm

SHA-256: bd28a7a0eb24da1bf977dea12550d82b9e45a69031c38f26e0464a48fe024812

389-ds-base-debugsource-2.1.8-1.module+el9dsrv+18377+a10e6f72.x86_64.rpm

SHA-256: 3c33f8ce75ca454fcf671253dbacffda4728608bc205d463b4bf2096f2455e75

389-ds-base-devel-2.1.8-1.module+el9dsrv+18377+a10e6f72.x86_64.rpm

SHA-256: 4af43536b32ec4ff045c135e4ab98bba9f6de3fb9f70d03c3b66d01c6d0ff1e5

389-ds-base-libs-2.1.8-1.module+el9dsrv+18377+a10e6f72.x86_64.rpm

SHA-256: b925dfa058098030db168e70aa11e6e1ef9848767781d62e706db2e9e9ec2d6e

389-ds-base-libs-debuginfo-2.1.8-1.module+el9dsrv+18377+a10e6f72.x86_64.rpm

SHA-256: 5bd30de0d6d58d2fa7f5bc898439f987f71f526c338f2e6786d2ee1de3bf2775

389-ds-base-snmp-2.1.8-1.module+el9dsrv+18377+a10e6f72.x86_64.rpm

SHA-256: a544cdf37544fe86be5870fab2af5223a90e72dba292d77c95b1372ff22b9e38

389-ds-base-snmp-debuginfo-2.1.8-1.module+el9dsrv+18377+a10e6f72.x86_64.rpm

SHA-256: 53b62e5cdbe0f8332ac467799bbbabf7b95998ae7e368a377625d10ccca1bf0b

cockpit-389-ds-2.1.8-1.module+el9dsrv+18377+a10e6f72.noarch.rpm

SHA-256: 351ca7de27828d6ea58379366ec17b34d1f747870dc6f07041e953f72375e151

python3-lib389-2.1.8-1.module+el9dsrv+18377+a10e6f72.noarch.rpm

SHA-256: e0a1a9d22f7f84a38a49a0c9e3fd9cf5cce2e9c74521906fab1d0e4b98a30154
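As an added example (not Red Hat's code or tooling), here is the check a defender might run over `rpm -qa` output to confirm that a Directory Server 12 host carries at least the builds shipped in this advisory. The fixed name/version/release values are the ones listed above; the sample `rpm -qa` lines and the older cockpit-389-ds release tag are constructed, and the version comparison is a simplified rpmvercmp without tilde/caret handling.

```python
import re

# Fixed name/version/release pairs, taken from the RHSA-2023:3489 package list above
FIXED = {
    "389-ds-base": ("2.1.8", "1.module+el9dsrv+18377+a10e6f72"),
    "cockpit-389-ds": ("2.1.8", "1.module+el9dsrv+18377+a10e6f72"),
    "python3-lib389": ("2.1.8", "1.module+el9dsrv+18377+a10e6f72"),
}
_SEG = re.compile(r"[0-9]+|[a-zA-Z]+")  # rpm compares alnum runs and ignores separators

def rpmvercmp(a, b):
    """Simplified rpm version/release comparison: -1, 0 or 1 (no ~ / ^ handling)."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return -1 if int(x) < int(y) else 1
        elif x.isdigit() != y.isdigit():   # a numeric segment beats an alphabetic one
            return 1 if x.isdigit() else -1
        elif x != y:
            return -1 if x < y else 1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))  # more segments wins

def parse_nvra(line):
    """Split 'name-version-release.arch' (rpm -qa format) into (name, version, release)."""
    base = line.rsplit(".", 1)[0]          # drop the .arch suffix
    name, ver, rel = base.rsplit("-", 2)   # the package name may itself contain dashes
    return name, ver, rel

def is_fixed(line):
    """True/False for packages this advisory covers, None for anything else."""
    name, ver, rel = parse_nvra(line)
    if name not in FIXED:
        return None
    c = rpmvercmp(ver, FIXED[name][0]) or rpmvercmp(rel, FIXED[name][1])
    return c >= 0

# Constructed sample in `rpm -qa` format (not real host output); the release tag on
# the second line is a made-up placeholder standing in for an older module build.
SAMPLE_RPM_QA = [
    "389-ds-base-2.1.8-1.module+el9dsrv+18377+a10e6f72.x86_64",
    "cockpit-389-ds-2.1.6-1.module+el9dsrv+10000+placeholder.noarch",
    "python3-lib389-2.1.8-1.module+el9dsrv+18377+a10e6f72.noarch",
    "openssl-3.0.7-6.el9.x86_64",
]

def audit(lines):
    """Map each covered package to whether the installed build is at or after the fix."""
    return {parse_nvra(l)[0]: is_fixed(l) for l in lines if is_fixed(l) is not None}
```

On a real host, feed `audit()` the lines of `rpm -qa` and treat any `False` as a system still exposed to CVE-2023-1055 via the cockpit-389-ds LDAP browser.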

The Red Hat security contact is [email protected]. More contact details at https://access.redhat.com/security/team/contact/.

Related news

  • RHSA-2023:4655 (Red Hat Security Advisory 2023-4655-01): redhat-ds:11 security, bug fix, and enhancement update. An update for the redhat-ds:11 module is now available for Red Hat Directory Server 11.6 for RHEL 8; Red Hat Product Security has rated it as having a security impact of Moderate. It addresses the same CVE-2023-1055 in RHDS 11.
  • Red Hat Security Advisory 2023-3489-01: the advisory described on this page.
  • CVE-2023-1055: LDAP browser tries to decode userPassword instead of userCertificate attribute. A flaw was found in RHDS 11 and RHDS 12. While browsing entries, LDAP tries to decode the userPassword attribute instead of the userCertificate attribute, which could lead to sensitive information being leaked. An attacker with a local account on a host where cockpit-389-ds is running can list the processes and display the hashed passwords. The highest threat from this vulnerability is to data confidentiality.