Risk | Low |
Patch available | YES |
Number of vulnerabilities | 4 |
CVE-ID | CVE-2018-10871 CVE-2019-10224 CVE-2019-14824 CVE-2019-3883 |
CWE-ID | CWE-312 CWE-200 CWE-399 |
Exploitation vector | Network |
Public exploit | N/A |
Vulnerable software | Amazon Linux AMI (Operating systems & Components / Operating system) |
Vendor | Amazon Web Services |
Security Bulletin
This security bulletin contains information about 4 vulnerabilities.
EUVDB-ID: #VU23004
Risk: Low
CVSSv4.0: 1.1 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2018-10871
CWE-ID:
CWE-312 - Cleartext Storage of Sensitive Information
Exploit availability: No
Description
The vulnerability allows a local user to gain access to sensitive information.
The vulnerability exists when the Replica and/or retroChangeLog plugins are enabled. A local user can gain access to sensitive information stored in the log files in plain text.
Update the affected packages:
i686:
389-ds-base-libs-1.3.9.1-12.65.amzn1.i686
389-ds-base-1.3.9.1-12.65.amzn1.i686
389-ds-base-snmp-1.3.9.1-12.65.amzn1.i686
389-ds-base-devel-1.3.9.1-12.65.amzn1.i686
389-ds-base-debuginfo-1.3.9.1-12.65.amzn1.i686
src:
389-ds-base-1.3.9.1-12.65.amzn1.src
x86_64:
389-ds-base-devel-1.3.9.1-12.65.amzn1.x86_64
389-ds-base-1.3.9.1-12.65.amzn1.x86_64
389-ds-base-snmp-1.3.9.1-12.65.amzn1.x86_64
389-ds-base-libs-1.3.9.1-12.65.amzn1.x86_64
389-ds-base-debuginfo-1.3.9.1-12.65.amzn1.x86_64
Vulnerable software versions
Amazon Linux AMI: All versions
External links
https://alas.aws.amazon.com/ALAS-2020-1334.html
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU23001
Risk: Low
CVSSv4.0: 0.4 [CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2019-10224
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
Description
The vulnerability allows a local user to gain access to potentially sensitive information.
The vulnerability exists within the dscreate and dsconf commands in 389-ds-base due to excessive data output when executed in verbose mode. A local user can gain access to sensitive information, such as the Directory Manager password.
Successful exploitation of the vulnerability requires that the attacker can see the screen or record the terminal session.
Update the affected packages:
i686:
389-ds-base-libs-1.3.9.1-12.65.amzn1.i686
389-ds-base-1.3.9.1-12.65.amzn1.i686
389-ds-base-snmp-1.3.9.1-12.65.amzn1.i686
389-ds-base-devel-1.3.9.1-12.65.amzn1.i686
389-ds-base-debuginfo-1.3.9.1-12.65.amzn1.i686
src:
389-ds-base-1.3.9.1-12.65.amzn1.src
x86_64:
389-ds-base-devel-1.3.9.1-12.65.amzn1.x86_64
389-ds-base-1.3.9.1-12.65.amzn1.x86_64
389-ds-base-snmp-1.3.9.1-12.65.amzn1.x86_64
389-ds-base-libs-1.3.9.1-12.65.amzn1.x86_64
389-ds-base-debuginfo-1.3.9.1-12.65.amzn1.x86_64
Vulnerable software versions
Amazon Linux AMI: All versions
External links
https://alas.aws.amazon.com/ALAS-2020-1334.html
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU23002
Risk: Low
CVSSv4.0: 1.2 [CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2019-14824
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
Description
The vulnerability allows a remote user to gain access to potentially sensitive information.
The vulnerability exists due to incorrect permissions in the 'deref' plugin in 389-ds-base when displaying attribute values during search. A remote user on the local network can gain access to private attributes, such as password hashes.
Update the affected packages:
i686:
389-ds-base-libs-1.3.9.1-12.65.amzn1.i686
389-ds-base-1.3.9.1-12.65.amzn1.i686
389-ds-base-snmp-1.3.9.1-12.65.amzn1.i686
389-ds-base-devel-1.3.9.1-12.65.amzn1.i686
389-ds-base-debuginfo-1.3.9.1-12.65.amzn1.i686
src:
389-ds-base-1.3.9.1-12.65.amzn1.src
x86_64:
389-ds-base-devel-1.3.9.1-12.65.amzn1.x86_64
389-ds-base-1.3.9.1-12.65.amzn1.x86_64
389-ds-base-snmp-1.3.9.1-12.65.amzn1.x86_64
389-ds-base-libs-1.3.9.1-12.65.amzn1.x86_64
389-ds-base-debuginfo-1.3.9.1-12.65.amzn1.x86_64
Vulnerable software versions
Amazon Linux AMI: All versions
External links
https://alas.aws.amazon.com/ALAS-2020-1334.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the local network (LAN).
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU20063
Risk: Low
CVSSv4.0: 4.9 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2019-3883
CWE-ID:
CWE-399 - Resource Management Errors
Exploit availability: No
Description
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to incorrect processing of timeouts for SSL/TLS connections. A remote authenticated user can initiate a large number of SSL/TLS connections and consume all available workers, which will lead to a denial of service.
Update the affected packages:
i686:
389-ds-base-libs-1.3.9.1-12.65.amzn1.i686
389-ds-base-1.3.9.1-12.65.amzn1.i686
389-ds-base-snmp-1.3.9.1-12.65.amzn1.i686
389-ds-base-devel-1.3.9.1-12.65.amzn1.i686
389-ds-base-debuginfo-1.3.9.1-12.65.amzn1.i686
src:
389-ds-base-1.3.9.1-12.65.amzn1.src
x86_64:
389-ds-base-devel-1.3.9.1-12.65.amzn1.x86_64
389-ds-base-1.3.9.1-12.65.amzn1.x86_64
389-ds-base-snmp-1.3.9.1-12.65.amzn1.x86_64
389-ds-base-libs-1.3.9.1-12.65.amzn1.x86_64
389-ds-base-debuginfo-1.3.9.1-12.65.amzn1.x86_64
Vulnerable software versions
Amazon Linux AMI: All versions
External links
https://alas.aws.amazon.com/ALAS-2020-1334.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.