Vulnerability Name: CVE-2020-25710 (CCN-192487)

Assigned: 2020-11-02
Published: 2020-11-02
Updated: 2021-09-14
Summary: A flaw was found in OpenLDAP in versions before 2.4.56. This flaw allows an attacker who sends a malicious packet processed by OpenLDAP to force a failed assertion in csnNormalize23(). The highest threat from this vulnerability is to system availability.
CVSS v3 Severity: 7.5 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
6.5 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): None
Integrity (I): None
Availability (A): High
7.5 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
6.5 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): None
Integrity (I): None
Availability (A): High
7.5 High (REDHAT CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
6.5 Medium (REDHAT Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): None
Integrity (I): None
Availability (A): High
CVSS v2 Severity: 5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics: Confidentiality (C): None
Integrity (I): None
Availability (A): Partial
7.8 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics: Confidentiality (C): None
Integrity (I): None
Availability (A): Complete
Vulnerability Type: CWE-617
Vulnerability Consequences: Denial of Service
References:
Source: MITRE
Type: CNA
CVE-2020-25710

Source: CCN
Type: OpenLDAP Web site
OpenLDAP

Source: CCN
Type: Red Hat Bugzilla – Bug 1899678
(CVE-2020-25710) - CVE-2020-25710 openldap: assertion failure in CSN normalization with invalid input

Source: MISC
Type: Issue Tracking, Patch, Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=1899678

Source: XF
Type: UNKNOWN
openldap-cve202025710-dos(192487)

Source: CCN
Type: OpenLDAP GIT Repository
OpenLDAP

Source: MISC
Type: Patch, Vendor Advisory
https://git.openldap.org/openldap/openldap/-/commit/ab3915154e69920d480205b4bf5ccb2b391a0a1f#a2feb6ed0257c21c6672793ee2f94eaadc10c72c

Source: MLIST
Type: Mailing List, Third Party Advisory
[bookkeeper-issues] 20210629 [GitHub] [bookkeeper] padma81 opened a new issue #2746: Security Vulnerabilities in CentOS 7 image, Upgrade image to CentOS 8

Source: MLIST
Type: Mailing List, Third Party Advisory
[bookkeeper-issues] 20210628 [GitHub] [bookkeeper] padma81 opened a new issue #2746: Security Vulnerabilities in CentOS 7 image, Upgrade image to CentOS 8

Source: MLIST
Type: Mailing List, Third Party Advisory
[debian-lts-announce] 20201204 [SECURITY] [DLA 2481-1] openldap security update

Source: CONFIRM
Type: Third Party Advisory
https://security.netapp.com/advisory/ntap-20210716-0003/

Source: DEBIAN
Type: Third Party Advisory
DSA-4792

Source: CCN
Type: IBM Security Bulletin 6551876 (Cloud Pak for Security)
Cloud Pak for Security uses packages that are vulnerable to multiple CVEs

Source: CCN
Type: IBM Security Bulletin 6568365 (QRadar Network Packet Capture)
IBM QRadar Network Packet Capture is using components with known vulnerabilities

Source: CCN
Type: IBM Security Bulletin 6601951 (QRadar Network Security)
IBM QRadar Network Security is affected by vulnerabilities in openldap. (CVE-2020-25709, CVE-2020-25710)

Source: CCN
Type: IBM Security Bulletin 6605875 (Security Access Manager Appliance)
Security Vulnerabilities have been fixed in IBM Security Access Manager appliance (CVE-2022-24407, CVE-2020-25709, CVE-2020-25710)

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2020-25710

Vulnerable Configuration:
Configuration 1:
  • cpe:/a:openldap:openldap:*:*:*:*:*:*:*:* (Version < 2.4.56)

Configuration 2:
  • cpe:/a:redhat:jboss_core_services:-:*:*:*:*:*:*:*
  • OR cpe:/a:redhat:jboss_enterprise_application_platform:5.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:redhat:jboss_enterprise_web_server:2.0.0:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:5.0:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*

Configuration 3:
  • cpe:/o:debian:debian_linux:9.0:*:*:*:*:*:*:*

Configuration 4:
  • cpe:/o:fedoraproject:fedora:33:*:*:*:*:*:*:*

Configuration RedHat 1:
  • cpe:/o:redhat:enterprise_linux:7:*:*:*:*:*:*:*

Configuration RedHat 2:
  • cpe:/o:redhat:enterprise_linux:7::client:*:*:*:*:*

Configuration RedHat 3:
  • cpe:/o:redhat:enterprise_linux:7::computenode:*:*:*:*:*

Configuration RedHat 4:
  • cpe:/o:redhat:enterprise_linux:7::server:*:*:*:*:*

Configuration RedHat 5:
  • cpe:/o:redhat:enterprise_linux:7::workstation:*:*:*:*:*

Configuration CCN 1:
  • cpe:/a:openldap:openldap:-:*:*:*:*:*:*:*
  • AND
  • cpe:/a:ibm:qradar_network_security:5.4.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:qradar_network_security:5.5.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:qradar_network_packet_capture:7.3:*:*:*:*:*:*:*
  • OR cpe:/o:ibm:security_access_manager_appliance_firmware:9.0.7.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_access_manager:9.0.7.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_security:1.7.2.0:*:*:*:*:*:*:*

* Denotes that component is vulnerable
Oval Definitions
Definition ID | Class | Title | Last Modified
oval:org.opensuse.security:def:8047 | P | openldap2-devel-32bit-2.4.46-150200.14.11.2 on GA media (Moderate) | 2023-06-20
oval:org.opensuse.security:def:7609 | P | libldap-2_4-2-2.4.46-150200.14.11.2 on GA media (Moderate) | 2023-06-12
oval:org.opensuse.security:def:3390 | P | unrar-5.0.14-3.1 on GA media (Moderate) | 2022-06-28
oval:org.opensuse.security:def:3024 | P | bind-9.11.2-3.10.1 on GA media (Moderate) | 2022-06-28
oval:org.opensuse.security:def:3412 | P | yast2-core-3.3.1-1.7 on GA media (Moderate) | 2022-06-28
oval:org.opensuse.security:def:95042 | P | openldap2-devel-32bit-2.4.46-150200.14.5.1 on GA media (Moderate) | 2022-06-22
oval:org.opensuse.security:def:94502 | P | avahi-0.8-150400.5.73 on GA media (Moderate) | 2022-06-22
oval:org.opensuse.security:def:94881 | P | ImageMagick-7.1.0.9-150400.4.7 on GA media (Moderate) | 2022-06-22
oval:org.opensuse.security:def:94654 | P | libldap-2_4-2-2.4.46-150200.14.5.1 on GA media (Moderate) | 2022-06-22
oval:org.opensuse.security:def:95207 | P | libopencv3_4-3.4.16-150400.1.9 on GA media (Moderate) | 2022-06-22
oval:org.opensuse.security:def:1080 | P | Security update for ImageMagick (Moderate) (in QA) | 2022-06-16
oval:org.opensuse.security:def:151 | P | libldap-2_4-2-2.4.46-9.51.1 on GA media (Moderate) | 2022-06-13
oval:com.redhat.rhsa:def:20220621 | P | RHSA-2022:0621: openldap security update (Moderate) | 2022-02-22
oval:org.opensuse.security:def:101594 | P | Security update for permissions (Moderate) | 2022-01-20
oval:org.opensuse.security:def:101920 | P | Security update for the Linux Kernel (Live Patch 5 for SLE 15 SP3) (Important) | 2021-09-16
oval:org.opensuse.security:def:4472 | P | Security update for the Linux Kernel (Live Patch 14 for SLE 12 SP5) (Important) | 2021-08-17
oval:org.opensuse.security:def:2009 | P | openldap2-2.4.46-9.51.1 on GA media (Moderate) | 2021-08-10
oval:org.opensuse.security:def:63098 | P | openldap2-2.4.46-9.51.1 on GA media (Moderate) | 2021-08-10
oval:org.opensuse.security:def:71910 | P | libldap-2_4-2-2.4.46-9.51.1 on GA media (Moderate) | 2021-08-09
oval:org.opensuse.security:def:62169 | P | libldap-2_4-2-2.4.46-9.51.1 on GA media (Moderate) | 2021-08-09
oval:org.opensuse.security:def:72747 | P | openldap2-devel-32bit-2.4.46-9.51.1 on GA media (Moderate) | 2021-08-09
oval:org.opensuse.security:def:100927 | P | libldap-2_4-2-2.4.46-9.51.1 on GA media (Moderate) | 2021-08-09
oval:org.opensuse.security:def:1939 | P | openldap2-devel-32bit-2.4.46-9.51.1 on GA media (Moderate) | 2021-08-09
oval:org.opensuse.security:def:63028 | P | openldap2-devel-32bit-2.4.46-9.51.1 on GA media (Moderate) | 2021-08-09
oval:org.opensuse.security:def:101286 | P | openldap2-devel-32bit-2.4.46-9.51.1 on GA media (Moderate) | 2021-08-09
oval:org.opensuse.security:def:101215 | P | libquicktime-1.2.4+git20180804.fff99cd-1.19 on GA media (Moderate) | 2021-08-09
oval:org.opensuse.security:def:102286 | P | Security update for the Linux Kernel (Important) | 2021-06-15
oval:org.opensuse.security:def:110979 | P | Security update for openldap2 (Moderate) | 2021-01-18
oval:org.opensuse.security:def:110646 | P | Security update for openldap2 (Moderate) | 2021-01-17
oval:org.opensuse.security:def:24058 | P | Security update for openldap2 (Moderate) | 2021-01-15
oval:org.opensuse.security:def:23152 | P | Security update for openldap2 (Moderate) | 2021-01-15
oval:org.opensuse.security:def:51879 | P | Security update for openldap2 (Moderate) | 2021-01-15
oval:org.opensuse.security:def:49186 | P | Security update for openldap2 (Moderate) | 2021-01-15
oval:org.opensuse.security:def:4748 | P | Security update for openldap2 (Moderate) | 2021-01-15
oval:org.opensuse.security:def:23564 | P | Security update for openldap2 (Moderate) | 2021-01-15
oval:org.opensuse.security:def:52046 | P | Security update for openldap2 (Moderate) | 2021-01-15
oval:org.opensuse.security:def:51140 | P | Security update for openldap2 (Moderate) | 2021-01-15
oval:org.opensuse.security:def:23891 | P | Security update for openldap2 (Moderate) | 2021-01-15
oval:org.opensuse.security:def:125524 | P | Security update for openldap2 (Moderate) | 2021-01-15
oval:org.opensuse.security:def:20715 | P | Security update for openldap2 (Moderate) | 2021-01-15
oval:org.opensuse.security:def:51552 | P | Security update for openldap2 (Moderate) | 2021-01-15
oval:org.opensuse.security:def:67535 | P | Security update for openldap2 (Moderate) | 2021-01-14
oval:org.opensuse.security:def:37511 | P | Security update for openldap2 (Moderate) | 2021-01-14
oval:org.opensuse.security:def:60236 | P | Security update for openldap2 (Moderate) | 2021-01-14
oval:org.opensuse.security:def:96866 | P | Security update for openldap2 (Moderate) | 2021-01-14
oval:org.opensuse.security:def:45071 | P | Security update for openldap2 (Moderate) | 2021-01-14
oval:org.opensuse.security:def:100270 | P | (Moderate) | 2021-01-14
oval:org.opensuse.security:def:95573 | P | Security update for openldap2 (Moderate) | 2021-01-14
oval:org.opensuse.security:def:64479 | P | Security update for openldap2 (Moderate) | 2021-01-14
oval:org.opensuse.security:def:108260 | P | Security update for openldap2 (Moderate) | 2021-01-14
oval:org.opensuse.security:def:117774 | P | Security update for openldap2 (Moderate) | 2021-01-14
oval:org.opensuse.security:def:75816 | P | Security update for openldap2 (Moderate) | 2021-01-14
oval:org.opensuse.security:def:26034 | P | Security update for openldap2 (Moderate) | 2021-01-14
oval:org.opensuse.security:def:39264 | P | Security update for openldap2 (Moderate) | 2021-01-14
oval:org.opensuse.security:def:87366 | P | Security update for openldap2 (Moderate) | 2021-01-14
oval:org.opensuse.security:def:65561 | P | Security update for openldap2 (Moderate) | 2021-01-14
oval:org.opensuse.security:def:108586 | P | Security update for openldap2 (Moderate) | 2021-01-14
oval:org.opensuse.security:def:117875 | P | Security update for openldap2 (Moderate) | 2021-01-14
oval:org.opensuse.security:def:42796 | P | Security update for openldap2 (Moderate) | 2021-01-14
oval:org.opensuse.security:def:5659 | P | Security update for openldap2 (Moderate) | 2021-01-14
oval:org.opensuse.security:def:32902 | P | Security update for openldap2 (Moderate) | 2021-01-14
oval:org.opensuse.security:def:40641 | P | Security update for openldap2 (Moderate) | 2021-01-14
oval:org.opensuse.security:def:5021 | P | Security update for openldap2 (Moderate) | 2021-01-14
oval:org.opensuse.security:def:73601 | P | Security update for openldap2 (Moderate) | 2021-01-14
oval:org.opensuse.security:def:66748 | P | Security update for openldap2 (Moderate) | 2021-01-14
oval:org.opensuse.security:def:108952 | P | Security update for openldap2 (Moderate) | 2021-01-14
oval:org.opensuse.security:def:58725 | P | Security update for openldap2 (Moderate) | 2021-01-14
oval:org.opensuse.security:def:43694 | P | Security update for openldap2 (Moderate) | 2021-01-14
oval:org.opensuse.security:def:6446 | P | Security update for openldap2 (Moderate) | 2021-01-14
oval:org.opensuse.security:def:34413 | P | Security update for openldap2 (Moderate) | 2021-01-14
oval:org.opensuse.security:def:107881 | P | Security update for openldap2 (Moderate) | 2021-01-14
oval:org.opensuse.security:def:117396 | P | Security update for openldap2 (Moderate) | 2021-01-14
oval:org.opensuse.security:def:74629 | P | Security update for openldap2 (Moderate) | 2021-01-14