CVE-2019-3883 — Missing Release of Resource after Effective Lifetime in RED HAT 389-ds-base

CWE-772 — Missing Release of Resource after Effective Lifetime7 documents7 sources

Severity

7.5HIGHNVD

EPSS

0.8%

top 25.95%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Port389 389-ds-base Fedoraproject 389 Directory Server RED HAT 389-ds-base +2 more

Timeline

PublishedApr 17

Latest updateMay 13

Description

In 389-ds-base up to version 1.4.1.2, requests are handled by workers threads. Each sockets will be waited by the worker for at most 'ioblocktimeout' seconds. However this timeout applies only for un-encrypted requests. Connections using SSL/TLS are not taking this timeout into account during reads, and may hang longer.An unauthenticated attacker could repeatedly create hanging LDAP requests to hang all the workers, resulting in a Denial of Service.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages3 packages

▶Debianport389/389-ds-base< 1.4.1.5-1+2

▶CVEListV5red_hat/389-ds-baseaffects up to 1.4.1.2

▶NVDfedoraproject/389_directory_server1.4.1.2

Also affects: Debian Linux 8.0, Enterprise Linux 6.0

🔴Vulnerability Details

GHSA

GHSA-c65q-p9xj-798w: In 389-ds-base up to version 1↗2022-05-13

▶

OSV

CVE-2019-3883: In 389-ds-base up to version 1↗2019-04-17

▶

CVEList

CVE-2019-3883: In 389-ds-base up to version 1↗2019-04-17

▶

📋Vendor Advisories

Red Hat

389-ds-base: DoS via hanging secured connections↗2019-04-12

▶

Debian

CVE-2019-3883: 389-ds-base - In 389-ds-base up to version 1.4.1.2, requests are handled by workers threads. E...↗2019

▶

💬Community

Bugzilla

CVE-2019-3883 389-ds-base: DoS via hanging secured connections↗2019-03-28

▶