CVE-2012-0833 – 389: denial of service when using certificate groups
https://notcve.org/view.php?id=CVE-2012-0833
The acllas__handle_group_entry function in servers/plugins/acl/acllas.c in 389 Directory Server before 1.2.10 does not properly handle access control instructions (ACIs) that use certificate groups, which allows remote authenticated LDAP users with a certificate group to cause a denial of service (infinite loop and CPU consumption) by binding to the server.

• http://rhn.redhat.com/errata/RHSA-2012-0813.html
• http://secunia.com/advisories/48035
• http://secunia.com/advisories/49562
• https://fedorahosted.org/389/changeset/1bbbb3e5049c1aa0650546efab87ed2f1ea59637/389-ds-base
• https://fedorahosted.org/389/ticket/162
• https://access.redhat.com/security/cve/CVE-2012-0833
• https://bugzilla.redhat.com/show_bug.cgi?id=787014

• CWE-264: Permissions, Privileges, and Access Controls