PublicDateAtUSN: 2019-07-26
Candidate: CVE-2019-13565
PublicDate: 2019-07-26 13:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13565
 https://www.openldap.org/lists/openldap-announce/201907/msg00001.html
 https://ubuntu.com/security/notices/USN-4078-1
 https://ubuntu.com/security/notices/USN-4078-2
Description:
 An issue was discovered in OpenLDAP 2.x before 2.4.48. When using SASL
 authentication and session encryption, and relying on the SASL security
 layers in slapd access controls, it is possible to obtain access that would
 otherwise be denied via a simple bind for any identity covered in those
 ACLs. After the first SASL bind is completed, the sasl_ssf value is
 retained for all new non-SASL connections. Depending on the ACL
 configuration, this can affect different types of operations (searches,
 modifications, etc.). In other words, a successful authorization step
 completed by one user affects the authorization requirement for a different
 user.
Ubuntu-Description:
Notes:
Bugs:
 https://openldap.org/its/?findid=9052
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=932998
Priority: medium
Discovered-by:
Assigned-to: mdeslaur
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N [7.5 HIGH]


Patches_openldap:
 upstream: http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=commit;h=744a46a1acb93798f4e027290191d6a11dd4c18c
upstream_openldap: released (2.4.48+dfsg-1)
precise/esm_openldap: released (2.4.28-1.1ubuntu4.9)
trusty_openldap: ignored (out of standard support)
trusty/esm_openldap: released (2.4.31-1+nmu2ubuntu8.5+esm1)
xenial_openldap: released (2.4.42+dfsg-2ubuntu3.6)
esm-infra/xenial_openldap: released (2.4.42+dfsg-2ubuntu3.6)
bionic_openldap: released (2.4.45+dfsg-1ubuntu1.3)
disco_openldap: released (2.4.47+dfsg-3ubuntu2.1)
devel_openldap: released (2.4.47+dfsg-3ubuntu3)