Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

ALAS-2016-773

Related Vulnerabilities: CVE-2016-4992   CVE-2016-5405   CVE-2016-5416  

CVE-2016-5405 389-ds-base: Password verification vulnerable to timing attackIt was found that 389 Directory Server was vulnerable to a remote password disclosure via timing attack. A remote attacker could possibly use this flaw to retrieve directory server password after many tries. CVE-2016-5416 389-ds-base: ACI readable by anonymous userIt was found that 389 Directory Server was vulnerable to a flaw in which the default ACI (Access Control Instructions) could be read by an anonymous user. This could lead to leakage of sensitive information. CVE-2016-4992 389-ds-base: Information disclosure via repeated use of LDAP ADD operationAn information disclosure flaw was found in 389 Directory Server. A user with no access to objects in certain LDAP sub-tree could send LDAP ADD operations with a specific object name. The error message returned to the user was different based on whether the target object existed or not.

Source

ALAS-2016-773

Amazon Linux AMI Security Advisory: ALAS-2016-773
Advisory Release Date: 2016-12-15 00:28 Pacific
Advisory Updated Date: 2016-12-15 23:48 Pacific
Severity: Medium
Issue Overview:

CVE-2016-5405 389-ds-base: Password verification vulnerable to timing attack
It was found that 389 Directory Server was vulnerable to a remote password disclosure via timing attack. A remote attacker could possibly use this flaw to retrieve directory server password after many tries.

CVE-2016-5416 389-ds-base: ACI readable by anonymous user
It was found that 389 Directory Server was vulnerable to a flaw in which the default ACI (Access Control Instructions) could be read by an anonymous user. This could lead to leakage of sensitive information.

CVE-2016-4992 389-ds-base: Information disclosure via repeated use of LDAP ADD operation
An information disclosure flaw was found in 389 Directory Server. A user with no access to objects in certain LDAP sub-tree could send LDAP ADD operations with a specific object name. The error message returned to the user was different based on whether the target object existed or not.


Affected Packages:

389-ds-base


Issue Correction:
Run yum update 389-ds-base to update your system.

New Packages:
i686:
    389-ds-base-debuginfo-1.3.5.10-11.49.amzn1.i686
    389-ds-base-devel-1.3.5.10-11.49.amzn1.i686
    389-ds-base-snmp-1.3.5.10-11.49.amzn1.i686
    389-ds-base-1.3.5.10-11.49.amzn1.i686
    389-ds-base-libs-1.3.5.10-11.49.amzn1.i686

src:
    389-ds-base-1.3.5.10-11.49.amzn1.src

x86_64:
    389-ds-base-1.3.5.10-11.49.amzn1.x86_64
    389-ds-base-snmp-1.3.5.10-11.49.amzn1.x86_64
    389-ds-base-libs-1.3.5.10-11.49.amzn1.x86_64
    389-ds-base-debuginfo-1.3.5.10-11.49.amzn1.x86_64
    389-ds-base-devel-1.3.5.10-11.49.amzn1.x86_64

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started