Two new vulnerabilities have been identified in the IBM Tivoli Directory Server software package. IBM Tivoli Directory Server is an LDAP (Lightweight Directory Access Protocol) server. The first flaw occurs in "ibmslapd.exe" when processing certain requests and can be exploited to cause a memory buffer overflow, while the second flaw occurs in the TDS proxy server when storing user passwords. The flaws can be exploited to disclose sensitive information and to execute arbitrary code. All users are advised to upgrade.
Secunia Advisory SA44184
IBM Tivoli Directory Server Two Vulnerabilities
Release Date 2011-04-13
Criticality level Moderately critical
Impact Exposure of sensitive information
System access
Where From local network
Solution Status Vendor Patch
Software:
IBM Tivoli Directory Server 5.x
IBM Tivoli Directory Server 6.x
CVE Reference(s) No CVE references.
Description
Two vulnerabilities have been reported in IBM Tivoli Directory Server, which can be exploited by malicious users to disclose sensitive information and by malicious people to compromise a vulnerable system.
1) An error within ibmslapd.exe can be exploited to cause a stack-based buffer overflow.
For more information see vulnerability #2 in SA43994.
2) The TDS proxy server stores the user's password in cleartext.
For more information see vulnerability #3 in SA43994.
The vulnerabilities are reported in versions 5.2 and 6.0.
Solution
Apply interim fixes.
Provided and/or discovered by
Reported by the vendor.
Original Advisory
IBM (IO14046, IO14045):
http://www.ibm.com/support/docview.wss?uid=swg24029663
http://www.ibm.com/support/docview.wss?uid=swg24029672