CVE-2019-3883
389-ds-base: DoS via hanging secured connections
- Severity Score
- Exploit Likelihood
- Affected Versions
- Public Exploits: 0
- Exploited in Wild: -
- Decision: -
Descriptions
In 389-ds-base up to version 1.4.1.2, requests are handled by worker threads. A worker waits on each socket for at most 'ioblocktimeout' seconds. However, this timeout applies only to unencrypted requests: connections using SSL/TLS do not take this timeout into account during reads and may hang for longer. An unauthenticated attacker could repeatedly create hanging LDAP requests to hang all the workers, resulting in a denial of service.
It was found that encrypted connections did not honor the 'ioblocktimeout' parameter to end blocking requests. As a result, an unauthenticated attacker could repeatedly start a sufficient number of encrypted connections to block all workers, resulting in a denial of service.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2019-01-03 CVE Reserved
- 2019-04-17 CVE Published
- 2024-08-04 CVE Updated
- 2024-09-07 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-772: Missing Release of Resource after Effective Lifetime
CAPEC
References (9)
URL | Tag | Source |
---|---|---|
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3883 | Issue Tracking | |
https://lists.debian.org/debian-lts-announce/2019/05/msg00008.html | Mailing List | |
https://lists.debian.org/debian-lts-announce/2023/04/msg00026.html | Mailing List | |
https://pagure.io/389-ds-base/issue/50329 | Issue Tracking | |
https://pagure.io/389-ds-base/pull-request/50331 | Third Party Advisory | |

URL | Date | SRC |
---|---|---|
https://access.redhat.com/errata/RHSA-2019:1896 | 2023-04-24 | |
https://access.redhat.com/errata/RHSA-2019:3401 | 2023-04-24 | |
https://access.redhat.com/security/cve/CVE-2019-3883 | 2019-11-05 | |
https://bugzilla.redhat.com/show_bug.cgi?id=1693612 | 2019-11-05 | |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status |
---|---|---|---|---|
Fedoraproject | 389 Directory Server | <= 1.4.1.2 | - | Affected |
Debian | Debian Linux | 8.0 | - | Affected |
Redhat | Enterprise Linux | 6.0 | - | Affected |