製品・ソフトウェアに関する情報

JVN脆弱性詳細

OpenLDAP の bind.cpp におけるアクセス制限を回避される脆弱性

Title	OpenLDAP の bind.cpp におけるアクセス制限を回避される脆弱性
Summary	OpenLDAP の back-ndb 内にある bind.cpp は、root Distinguished Name (DN) の認証要求をしないため、アクセス制限を回避される脆弱性が存在します。
Possible impacts	第三者により、任意のパスワードを介して、アクセス制限を回避される可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	Feb. 10, 2011, midnight
Registration Date	April 8, 2011, 1:34 p.m.
Last Update	April 8, 2011, 1:34 p.m.

CVSS2.0 : 警告
Score	6.8
Vector	AV:N/AC:M/Au:N/C:P/I:P/A:P

Affected System

レッドハット

Red Hat Enterprise Linux Desktop 6

Red Hat Enterprise Linux HPC Node 6

Red Hat Enterprise Linux Server 6

Red Hat Enterprise Linux Workstation 6

OpenLDAP Foundation

OpenLDAP 2.4.24 未満

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2011-1025	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1025
National Vulnerability Database (NVD)
2	CVE-2011-1025	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-1025

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-287	https://jvndb.jvn.jp/ja/cwe/CWE-287.html

ベンダー情報

No	Name	URL
OpenLDAP Announce
1	OpenLDAP 2.4.24 available	http://www.openldap.org/lists/openldap-announce/201102/msg00000.html
Red Hat Security Advisory
2	RHSA-2011:0347	https://rhn.redhat.com/errata/RHSA-2011-0347.html
Release Changes
3	Release Changes	http://www.openldap.org/software/release/changes.html

その他

No	Name	URL
Secunia Advisory
1	SA43331	http://secunia.com/advisories/43331
SecurityTracker
2	1025190	http://securitytracker.com/id?1025190
VUPEN Security
3	VUPEN/ADV-2011-0665	http://www.vupen.com/english/advisories/2011/0665

Change Log

No	Changed Details	Date of change
0	[2011年04月08日] 掲載	Feb. 17, 2018, 10:37 a.m.

NVD Vulnerability Information

CVE-2011-1025

Summary	bind.cpp in back-ndb in OpenLDAP 2.4.x before 2.4.24 does not require authentication for the root Distinguished Name (DN), which allows remote attackers to bypass intended access restrictions via an arbitrary password.
Publication Date	March 20, 2011, 11 a.m.
Registration Date	Jan. 28, 2021, 4:38 p.m.
Last Update	Nov. 21, 2024, 10:25 a.m.

Affected software configurations

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:openldap:openldap:2.4.17:::::::*
cpe:2.3:a:openldap:openldap:2.4.6:::::::*
cpe:2.3:a:openldap:openldap:2.4.11:::::::*
cpe:2.3:a:openldap:openldap:2.4.8:::::::*
cpe:2.3:a:openldap:openldap:2.4.9:::::::*
cpe:2.3:a:openldap:openldap:2.4.16:::::::*
cpe:2.3:a:openldap:openldap:2.4.22:::::::*
cpe:2.3:a:openldap:openldap:2.4.20:::::::*
cpe:2.3:a:openldap:openldap:2.4.15:::::::*
cpe:2.3:a:openldap:openldap:2.4.18:::::::*
cpe:2.3:a:openldap:openldap:2.4.7:::::::*
cpe:2.3:a:openldap:openldap:2.4.23:::::::*
cpe:2.3:a:openldap:openldap:2.4.14:::::::*
cpe:2.3:a:openldap:openldap:2.4.19:::::::*
cpe:2.3:a:openldap:openldap:2.4.12:::::::*
cpe:2.3:a:openldap:openldap:2.4.21:::::::*
cpe:2.3:a:openldap:openldap:2.4.13:::::::*
cpe:2.3:a:openldap:openldap:2.4.10:::::::*

Related information, measures and tools

No	URL	タグ
1	http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10705
2	http://openwall.com/lists/oss-security/2011/02/24/12
3	http://openwall.com/lists/oss-security/2011/02/25/13
4	http://secunia.com/advisories/43331	Vendor Advisory
5	http://secunia.com/advisories/43718
6	http://security.gentoo.org/glsa/glsa-201406-36.xml
7	http://securitytracker.com/id?1025190
8	http://www.mandriva.com/security/advisories?name=MDVSA-2011:056
9	http://www.openldap.org/devel/cvsweb.cgi/servers/slapd/back-ndb/bind.cpp.diff?r1=1.5&r2=1.8	Patch
10	http://www.openldap.org/its/index.cgi/Software%20Bugs?id=6661
11	http://www.openldap.org/lists/openldap-announce/201102/msg00000.html
12	http://www.redhat.com/support/errata/RHSA-2011-0347.html
13	http://www.ubuntu.com/usn/USN-1100-1
14	http://www.vupen.com/english/advisories/2011/0665	Vendor Advisory
15	https://bugzilla.redhat.com/show_bug.cgi?id=680472	Patch
16	http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10705
17	https://bugzilla.redhat.com/show_bug.cgi?id=680472	Patch
18	http://www.vupen.com/english/advisories/2011/0665	Vendor Advisory
19	http://www.ubuntu.com/usn/USN-1100-1
20	http://www.redhat.com/support/errata/RHSA-2011-0347.html
21	http://www.openldap.org/lists/openldap-announce/201102/msg00000.html
22	http://www.openldap.org/its/index.cgi/Software%20Bugs?id=6661
23	http://www.openldap.org/devel/cvsweb.cgi/servers/slapd/back-ndb/bind.cpp.diff?r1=1.5&r2=1.8	Patch
24	http://www.mandriva.com/security/advisories?name=MDVSA-2011:056
25	http://securitytracker.com/id?1025190
26	http://security.gentoo.org/glsa/glsa-201406-36.xml
27	http://secunia.com/advisories/43718
28	http://secunia.com/advisories/43331	Vendor Advisory
29	http://openwall.com/lists/oss-security/2011/02/25/13
30	http://openwall.com/lists/oss-security/2011/02/24/12

Common Vulnerabilities List

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:openldap:openldap:2.4.17:::::::*
cpe:2.3:a:openldap:openldap:2.4.6:::::::*
cpe:2.3:a:openldap:openldap:2.4.11:::::::*
cpe:2.3:a:openldap:openldap:2.4.8:::::::*
cpe:2.3:a:openldap:openldap:2.4.9:::::::*
cpe:2.3:a:openldap:openldap:2.4.16:::::::*
cpe:2.3:a:openldap:openldap:2.4.22:::::::*
cpe:2.3:a:openldap:openldap:2.4.20:::::::*
cpe:2.3:a:openldap:openldap:2.4.15:::::::*
cpe:2.3:a:openldap:openldap:2.4.18:::::::*
cpe:2.3:a:openldap:openldap:2.4.7:::::::*
cpe:2.3:a:openldap:openldap:2.4.23:::::::*
cpe:2.3:a:openldap:openldap:2.4.14:::::::*
cpe:2.3:a:openldap:openldap:2.4.19:::::::*
cpe:2.3:a:openldap:openldap:2.4.12:::::::*
cpe:2.3:a:openldap:openldap:2.4.21:::::::*
cpe:2.3:a:openldap:openldap:2.4.13:::::::*
cpe:2.3:a:openldap:openldap:2.4.10:::::::*