CVE-2015-6908
OpenLDAP 2.4.42 - ber_get_next Denial of Service
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
2Exploited in Wild
-Decision
Descriptions
The ber_get_next function in libraries/liblber/io.c in OpenLDAP 2.4.42 and earlier allows remote attackers to cause a denial of service (reachable assertion and application crash) via crafted BER data, as demonstrated by an attack against slapd.
Vulnerabilidad en la función ber_get_next en libraries/liblber/io.c en OpenLDAP 2.4.42 y versiones anteriores, permite a atacantes remotos causar una denegación de servicio (aserción accesible y caída de la aplicación) a través de datos BER manipulados, según lo demostrado por un ataque contra slapd.
A flaw was found in the way the OpenLDAP server daemon (slapd) parsed certain Basic Encoding Rules (BER) data. A remote attacker could use this flaw to crash slapd via a specially crafted packet.
OpenLDAP is an open source suite of Lightweight Directory Access Protocol applications and development tools. LDAP is a set of protocols used to access and maintain distributed directory information services over an IP network. The openldap package contains configuration files, libraries, and documentation for OpenLDAP. A flaw was found in the way the OpenLDAP server daemon parsed certain Basic Encoding Rules data. A remote attacker could use this flaw to crash slapd via a specially crafted packet. All openldap users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2015-09-11 CVE Reserved
- 2015-09-11 CVE Published
- 2015-09-11 First Exploit
- 2024-08-06 CVE Updated
- 2025-03-30 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-20: Improper Input Validation
CAPEC
References (20)
| URL | Tag | Source |
|---|---|---|
| http://www.openldap.org/devel/gitweb.cgi?p=openldap.git%3Ba=commit%3Bh=6fe51a9ab04fd28bbc171da3cf12f1c1040d6629 | X_refsource_confirm | |
| http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html | X_refsource_confirm |
|
| http://www.oracle.com/technetwork/topics/security/ovmbulletinjul2016-3090546.html | X_refsource_confirm |
|
| http://www.security-assessment.com/files/documents/advisory/OpenLDAP-ber_get_next-Denial-of-Service.pdf | X_refsource_confirm | |
| http://www.securityfocus.com/bid/76714 | Vdb Entry | |
| http://www.securitytracker.com/id/1033534 | Vdb Entry | |
| https://support.apple.com/HT205637 | X_refsource_confirm |
|
| URL | Date | SRC |
|---|---|---|
| https://www.exploit-db.com/exploits/38145 | 2015-09-11 | |
| http://www.openldap.org/its/index.cgi/Software%20Bugs?id=8240 | 2024-08-06 |
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Openldap Search vendor "Openldap" | Openldap Search vendor "Openldap" for product "Openldap" | <= 2.4.42 Search vendor "Openldap" for product "Openldap" and version " <= 2.4.42" | - |
Affected
| ||||||
| Apple Search vendor "Apple" | Mac Os X Search vendor "Apple" for product "Mac Os X" | <= 10.11.1 Search vendor "Apple" for product "Mac Os X" and version " <= 10.11.1" | - |
Affected
| ||||||