Vulnerability Name:

CVE-2008-2952 (CCN-43515)

Assigned: 2008-06-26
Published: 2008-06-26
Updated: 2018-10-11
Summary: liblber/io.c in OpenLDAP 2.2.4 to 2.4.10 allows remote attackers to cause a denial of service (program termination) via crafted ASN.1 BER datagrams that trigger an assertion error.
CVSS v3 Severity: 5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): None
Integrity (I): None
Availability (A): Low
CVSS v2 Severity: 5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P)
4.3 Medium (Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P/E:H/RL:OF/RC:C)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics: Confidentiality (C): None
Integrity (I): None
Availability (A): Partial
5.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P)
4.3 Medium (CCN Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P/E:H/RL:OF/RC:C)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics: Confidentiality (C): None
Integrity (I): None
Availability (A): Partial
Vulnerability Type: CWE-399
Vulnerability Consequences: Denial of Service
References:

Source: MITRE
Type: CNA
CVE-2008-2952

Source: APPLE
Type: UNKNOWN
APPLE-SA-2008-07-31

Source: SUSE
Type: UNKNOWN
SUSE-SR:2008:021

Source: CCN
Type: RHSA-2008-0583
Important: openldap security update

Source: CCN
Type: SA30853
OpenLDAP ASN.1 BER Decoding Denial of Service

Source: SECUNIA
Type: Vendor Advisory
30853

Source: SECUNIA
Type: Vendor Advisory
30917

Source: SECUNIA
Type: Vendor Advisory
30996

Source: CCN
Type: SA31326
Apple Mac OS X Security Update Fixes Multiple Vulnerabilities

Source: SECUNIA
Type: Vendor Advisory
31326

Source: SECUNIA
Type: Vendor Advisory
31364

Source: SECUNIA
Type: Vendor Advisory
31436

Source: SECUNIA
Type: Vendor Advisory
32254

Source: SECUNIA
Type: Vendor Advisory
32316

Source: GENTOO
Type: UNKNOWN
GLSA-200808-09

Source: CCN
Type: SECTRACK ID: 1020405
OpenLDAP ber_get_next() Bug Lets Remote Users Deny Service

Source: CCN
Type: Apple Web site
About Security Update 2008-005

Source: CCN
Type: ASA-2008-348
openldap security update (RHSA-2008-0583)

Source: CONFIRM
Type: UNKNOWN
http://wiki.rpath.com/Advisories:rPSA-2008-0249

Source: DEBIAN
Type: UNKNOWN
DSA-1650

Source: DEBIAN
Type: DSA-1650
openldap2.3 -- denial of service

Source: CCN
Type: GLSA-200808-09
OpenLDAP: Denial of Service vulnerability

Source: MANDRIVA
Type: UNKNOWN
MDVSA-2008:144

Source: CCN
Type: OpenLDAP CVS repository
OpenLDAP

Source: CONFIRM
Type: UNKNOWN
http://www.openldap.org/its/index.cgi/Software%20Bugs?id=5580

Source: CONFIRM
Type: UNKNOWN
http://www.openldap.org/its/index.cgi/Software%20Bugs?id=5580;selectid=5580

Source: CCN
Type: OpenLDAP Web site
Download

Source: MLIST
Type: UNKNOWN
[oss-security] 20080701 Re: [oss-security] openldap DoS

Source: MLIST
Type: UNKNOWN
[oss-security] 20080713 Re: openldap DoS

Source: REDHAT
Type: UNKNOWN
RHSA-2008:0583

Source: BUGTRAQ
Type: UNKNOWN
20080811 rPSA-2008-0249-1 openldap openldap-clients openldap-servers

Source: BID
Type: UNKNOWN
30013

Source: CCN
Type: BID-30013
OpenLDAP BER Decoding Remote Denial of Service Vulnerability

Source: SECTRACK
Type: UNKNOWN
1020405

Source: CCN
Type: TLSA-2008-38
Multiple vulnerabilities exist in openldap

Source: CCN
Type: USN-634-1
OpenLDAP vulnerability

Source: UBUNTU
Type: UNKNOWN
USN-634-1

Source: VUPEN
Type: Vendor Advisory
ADV-2008-1978

Source: VUPEN
Type: Vendor Advisory
ADV-2008-2268

Source: MISC
Type: UNKNOWN
http://www.zerodayinitiative.com/advisories/ZDI-08-052/

Source: XF
Type: UNKNOWN
openldap-bergetnext-dos(43515)

Source: CONFIRM
Type: UNKNOWN
https://issues.rpath.com/browse/RPL-2645

Source: OVAL
Type: UNKNOWN
oval:org.mitre.oval:def:10662

Source: FEDORA
Type: UNKNOWN
FEDORA-2008-6029

Source: FEDORA
Type: UNKNOWN
FEDORA-2008-6062

Source: SUSE
Type: SUSE-SR:2008:021
SUSE Security Summary Report

Source: CCN
Type: ZDI-08-052
OpenLDAP BER Decoding Remote DoS Vulnerability

Vulnerable Configuration:

Configuration 1:
  • cpe:/a:openldap:openldap:2.2.4:*:*:*:*:*:*:*
  • OR cpe:/a:openldap:openldap:2.2.5:*:*:*:*:*:*:*
  • OR cpe:/a:openldap:openldap:2.2.6:*:*:*:*:*:*:*
  • OR cpe:/a:openldap:openldap:2.2.7:*:*:*:*:*:*:*
  • OR cpe:/a:openldap:openldap:2.2.8:*:*:*:*:*:*:*
  • OR cpe:/a:openldap:openldap:2.2.9:*:*:*:*:*:*:*
  • OR cpe:/a:openldap:openldap:2.3.4:*:*:*:*:*:*:*
  • OR cpe:/a:openldap:openldap:2.3.5:*:*:*:*:*:*:*
  • OR cpe:/a:openldap:openldap:2.3.6:*:*:*:*:*:*:*
  • OR cpe:/a:openldap:openldap:2.3.7:*:*:*:*:*:*:*
  • OR cpe:/a:openldap:openldap:2.3.8:*:*:*:*:*:*:*
  • OR cpe:/a:openldap:openldap:2.3.9:*:*:*:*:*:*:*
  • OR cpe:/a:openldap:openldap:2.3.10:*:*:*:*:*:*:*
  • OR cpe:/a:openldap:openldap:2.3.11:*:*:*:*:*:*:*
  • OR cpe:/a:openldap:openldap:2.3.12:*:*:*:*:*:*:*
  • OR cpe:/a:openldap:openldap:2.3.13:*:*:*:*:*:*:*
  • OR cpe:/a:openldap:openldap:2.3.14:*:*:*:*:*:*:*
  • OR cpe:/a:openldap:openldap:2.3.15:*:*:*:*:*:*:*
  • OR cpe:/a:openldap:openldap:2.3.16:*:*:*:*:*:*:*
  • OR cpe:/a:openldap:openldap:2.3.17:*:*:*:*:*:*:*
  • OR cpe:/a:openldap:openldap:2.3.18:*:*:*:*:*:*:*
  • OR cpe:/a:openldap:openldap:2.3.19:*:*:*:*:*:*:*
  • OR cpe:/a:openldap:openldap:2.3.20:*:*:*:*:*:*:*
  • OR cpe:/a:openldap:openldap:2.3.21:*:*:*:*:*:*:*
  • OR cpe:/a:openldap:openldap:2.3.22:*:*:*:*:*:*:*
  • OR cpe:/a:openldap:openldap:2.3.23:*:*:*:*:*:*:*
  • OR cpe:/a:openldap:openldap:2.3.24:*:*:*:*:*:*:*
  • OR cpe:/a:openldap:openldap:2.3.25:*:*:*:*:*:*:*
  • OR cpe:/a:openldap:openldap:2.3.26:*:*:*:*:*:*:*
  • OR cpe:/a:openldap:openldap:2.3.27:*:*:*:*:*:*:*
  • OR cpe:/a:openldap:openldap:2.3.28:*:*:*:*:*:*:*
  • OR cpe:/a:openldap:openldap:2.3.29:*:*:*:*:*:*:*
  • OR cpe:/a:openldap:openldap:2.3.30:*:*:*:*:*:*:*
  • OR cpe:/a:openldap:openldap:2.3.31:*:*:*:*:*:*:*
  • OR cpe:/a:openldap:openldap:2.3.32:*:*:*:*:*:*:*
  • OR cpe:/a:openldap:openldap:2.3.33:*:*:*:*:*:*:*
  • OR cpe:/a:openldap:openldap:2.3.34:*:*:*:*:*:*:*
  • OR cpe:/a:openldap:openldap:2.3.35:*:*:*:*:*:*:*
  • OR cpe:/a:openldap:openldap:2.3.36:*:*:*:*:*:*:*
  • OR cpe:/a:openldap:openldap:2.3.37:*:*:*:*:*:*:*
  • OR cpe:/a:openldap:openldap:2.3.38:*:*:*:*:*:*:*
  • OR cpe:/a:openldap:openldap:2.3.39:*:*:*:*:*:*:*
  • OR cpe:/a:openldap:openldap:2.3.40:*:*:*:*:*:*:*
  • OR cpe:/a:openldap:openldap:2.3.41:*:*:*:*:*:*:*
  • OR cpe:/a:openldap:openldap:2.3.42:*:*:*:*:*:*:*
  • OR cpe:/a:openldap:openldap:2.3.43:*:*:*:*:*:*:*
  • OR cpe:/a:openldap:openldap:2.4.10:*:*:*:*:*:*:*

Configuration RedHat 1:
  • cpe:/o:redhat:enterprise_linux:4:*:*:*:*:*:*:*

Configuration RedHat 2:
  • cpe:/o:redhat:enterprise_linux:4::as:*:*:*:*:*

Configuration RedHat 3:
  • cpe:/o:redhat:enterprise_linux:4::desktop:*:*:*:*:*

Configuration RedHat 4:
  • cpe:/o:redhat:enterprise_linux:4::es:*:*:*:*:*

Configuration RedHat 5:
  • cpe:/o:redhat:enterprise_linux:4::ws:*:*:*:*:*

Configuration RedHat 6:
  • cpe:/o:redhat:enterprise_linux:5:*:*:*:*:*:*:*

Configuration RedHat 7:
  • cpe:/o:redhat:enterprise_linux:5::client:*:*:*:*:*

Configuration RedHat 8:
  • cpe:/o:redhat:enterprise_linux:5::client_workstation:*:*:*:*:*

Configuration RedHat 9:
  • cpe:/o:redhat:enterprise_linux:5::server:*:*:*:*:*

Configuration CCN 1:
  • cpe:/a:openldap:openldap:2.3.41:*:*:*:*:*:*:*
  • OR cpe:/a:openldap:openldap:2.3.42:*:*:*:*:*:*:*
  AND
  • cpe:/o:gentoo:linux:*:*:*:*:*:*:*:*
  • OR cpe:/o:mandrakesoft:mandrake_linux_corporate_server:3.0:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:4::as:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:4::desktop:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:4::es:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:4::ws:*:*:*:*:*
  • OR cpe:/a:mandrakesoft:mandrake_multi_network_firewall:2.0:*:*:*:*:*:*:*
  • OR cpe:/o:canonical:ubuntu:6.06:*:lts:*:*:*:*:*
  • OR cpe:/o:mandrakesoft:mandrake_linux_corporate_server:4.0:*:*:*:*:*:*:*
  • OR cpe:/o:mandrakesoft:mandrake_linux_corporate_server:4.0:*:x86_64:*:*:*:*:*
  • OR cpe:/o:mandrakesoft:mandrake_linux_corporate_server:3.0:*:x86_64:*:*:*:*:*
  • OR cpe:/o:turbolinux:turbolinux:fuji:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:5:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:5:*:client_workstation:*:*:*:*:*
  • OR cpe:/o:mandrakesoft:mandrake_linux:2007.1:*:*:*:*:*:*:*
  • OR cpe:/o:mandrakesoft:mandrake_linux:2008.0:*:x86-64:*:*:*:*:*
  • OR cpe:/o:debian:debian_linux:4.0:*:*:*:*:*:*:*
  • OR cpe:/o:canonical:ubuntu:7.04:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:5:*:client:*:*:*:*:*
  • OR cpe:/o:canonical:ubuntu:7.10:*:*:*:*:*:*:*
  • OR cpe:/o:mandrakesoft:mandrake_linux:2008.0:*:*:*:*:*:*:*
  • OR cpe:/o:mandrakesoft:mandrake_linux:2008.1:x86_64:*:*:*:*:*:*
  • OR cpe:/o:mandrakesoft:mandrake_linux:2007.1:*:x86-64:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:4.6.z:ga:as:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:4.6.z:ga:es:*:*:*:*:*
  • OR cpe:/o:apple:mac_os_x:10.4.11:*:*:*:*:*:*:*
  • OR cpe:/o:apple:mac_os_x_server:10.4.11:*:*:*:*:*:*:*
  • OR cpe:/o:mandrakesoft:mandrake_linux:2008.1:*:*:*:*:*:*:*
  • OR cpe:/o:canonical:ubuntu:8.04:*:lts:*:*:*:*:*
  • OR cpe:/o:apple:mac_os_x:10.5.4:*:*:*:*:*:*:*
  • OR cpe:/o:apple:mac_os_x_server:10.5.4:*:*:*:*:*:*:*

* Denotes that component is vulnerable

Oval Definitions

Definition ID | Class (V = vulnerability, P = patch) | Title | Last Modified
oval:org.opensuse.security:def:20082952 | V | CVE-2008-2952 | 2017-09-27
oval:org.mitre.oval:def:29038 | P | RHSA-2008:0583 -- openldap security update (Important) | 2015-08-17
oval:org.mitre.oval:def:17439 | P | USN-634-1 -- openldap2.2, openldap2.3 vulnerability | 2014-06-30
oval:org.mitre.oval:def:18545 | P | DSA-1650-1 openldap2.3 - denial of service | 2014-06-23
oval:org.mitre.oval:def:8150 | P | DSA-1650 openldap2.3 -- denial of service | 2014-06-23
oval:org.mitre.oval:def:22578 | P | ELSA-2008:0583: openldap security update (Important) | 2014-05-26
oval:org.mitre.oval:def:10662 | V | liblber/io.c in OpenLDAP 2.2.4 to 2.4.10 allows remote attackers to cause a denial of service (program termination) via crafted ASN.1 BER datagrams that trigger an assertion error. | 2013-04-29
oval:org.debian:def:1650 | V | denial of service | 2008-10-12
oval:com.redhat.rhsa:def:20080583 | P | RHSA-2008:0583: openldap security update (Important) | 2008-07-09