CVE-2018-1346 – NetIQ eDirectory Denial of Service
https://notcve.org/view.php?id=CVE-2018-1346
Denial-of-service (DoS) attack against eDirectory in versions prior to 9.1.
• http://www.securityfocus.com/bid/103493
• https://www.netiq.com/documentation/edirectory-91/edirectory91_releasenotes/data/edirectory91_releasenotes.html
CVE-2017-9285 – Login restrictions not applied when using ebaclient against NetIQ eDirectory EBA interface
https://notcve.org/view.php?id=CVE-2017-9285
NetIQ eDirectory before 9.0 SP4 did not enforce login restrictions when "ebaclient" was used, allowing unpermitted access to eDirectory services.
• https://bugzilla.suse.com/show_bug.cgi?id=1029077
• https://www.netiq.com/documentation/edirectory-9/edirectory904_releasenotes/data/edirectory904_releasenotes.html
• https://www.novell.com/support/kb/doc.php?id=7016794
• CWE-284: Improper Access Control
• CWE-287: Improper Authentication
CVE-2017-7429 – Fix for NetIQ shell code upload
https://notcve.org/view.php?id=CVE-2017-7429
The certificate upload in the NetIQ eDirectory PKI plugin before 8.8.8 Patch 10 Hotfix 1 could be abused to upload JSP code, which authenticated attackers could use to execute JSP applets on the iManager server.
• https://bugzilla.suse.com/show_bug.cgi?id=1024957
• https://www.netiq.com/documentation/edir88/edir88810hf1_releasenotes/data/edir88810hf1_releasenotes.html
• https://www.novell.com/support/kb/doc.php?id=3426981
• CWE-295: Improper Certificate Validation
• CWE-434: Unrestricted Upload of File with Dangerous Type
CVE-2017-9277 – existing connection is being used even though eDirectory LDAP server is upgraded to EBA
https://notcve.org/view.php?id=CVE-2017-9277
The LDAP backend in Novell eDirectory before 9.0 SP4, when switched to EBA (Enhanced Background Authentication), kept open connections without EBA.
• https://bugzilla.suse.com/show_bug.cgi?id=1005473
• https://www.netiq.com/documentation/edirectory-9/edirectory904_releasenotes/data/edirectory904_releasenotes.html
• https://www.novell.com/support/kb/doc.php?id=7016794
CVE-2017-9267 – eDirectory LDAP peer certificate validation issue
https://notcve.org/view.php?id=CVE-2017-9267
In Novell eDirectory before 9.0.3.1, the LDAP interface did not strictly enforce cipher restrictions, allowing weaker ciphers to be used during SSL BIND operations.
• https://www.novell.com/support/kb/doc.php?id=7016794
• CWE-757: Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')