Bugzilla – Bug 1188455
VUL-0: CVE-2021-3652: 389-ds: CRYPT password hash with asterisk allows any bind attempt to succeed
Last modified: 2022-06-23 16:16:47 UTC
rh#1982782

It was found that invalid password hashes were not correctly handled by 389-ds-base. An asterisk, '*', is a method that can be used in a NIS database, or in /etc/shadow, to disable an account's password. As a result of the flaw, if an LDAP admin imports such an account from a NIS or /etc/shadow database into Directory Server, any password will be valid for that account.

Reference: https://github.com/389ds/389-ds-base/issues/4817

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1982782
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-3652
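The description above boils down to a fail-open comparison: a stored {CRYPT} value that is really a lock marker ('*', as written by NIS or /etc/shadow tooling) is not a hash at all, and anything that treats it as one can end up accepting every bind. The following is an added example, not code from 389-ds-base or from this bug, of the two controls an administrator can apply around such an import: an audit that classifies every {CRYPT} userPassword in an LDIF export as valid, locked or invalid before it is loaded, and a fail-closed bind check that refuses to call crypt(3) at all unless the stored value is a well-formed hash. The list of accepted crypt formats, the LDIF sample and the injected crypt_fn stand-in are assumptions made for the example; the bug report does not enumerate them.

```python
import hmac
import re
from typing import Callable, List, Tuple

# Shapes a well-formed crypt(3) value can take (assumption made for this example):
# 13-character traditional DES, or modular crypt format "$id$...": md5 (1),
# sha256 (5), sha512 (6), yescrypt (y/gy), bcrypt (2a/2b/2y), scrypt (7).
_TRADITIONAL_DES = re.compile(r"^[./0-9A-Za-z]{13}$")
_MODULAR_CRYPT = re.compile(r"^\$(?:1|5|6|y|gy|2[aby]|7)\$[./0-9A-Za-z=+$-]+$")
# Conventions used by shadow/NIS tooling to disable a password. libxcrypt's
# "*0"/"*1" failure tokens fall under the same prefix, which is deliberate.
_LOCK_MARKERS = ("*", "!")


def strip_scheme(value: str) -> str:
    """Drop a leading {CRYPT} scheme tag (case-insensitive) if one is present."""
    return value[len("{crypt}"):] if value.lower().startswith("{crypt}") else value


def classify_crypt_hash(value: str) -> str:
    """Return 'locked', 'valid' or 'invalid' for a stored {CRYPT} value."""
    h = strip_scheme(value)
    if h.startswith(_LOCK_MARKERS):
        return "locked"
    if _TRADITIONAL_DES.match(h) or _MODULAR_CRYPT.match(h):
        return "valid"
    return "invalid"           # empty, truncated, or an unknown format


def verify_bind(stored: str, candidate: str,
                crypt_fn: Callable[[str, str], str]) -> bool:
    """Fail-closed password check.

    crypt_fn(candidate, setting) stands for crypt(3); it is injected so the
    example runs offline. Only a well-formed hash is ever handed to it, so a
    lock marker or garbage value can never compare equal to itself.
    """
    stored = strip_scheme(stored)
    if classify_crypt_hash(stored) != "valid":
        return False
    computed = crypt_fn(candidate, stored)
    # crypt(3) signals an unusable setting with NULL or a '*'-prefixed token.
    if not computed or computed.startswith("*"):
        return False
    return hmac.compare_digest(computed, stored)


def audit_ldif(ldif_text: str) -> List[Tuple[str, str]]:
    """Classify every userPassword in an LDIF export; non-CRYPT schemes are 'other'."""
    results: List[Tuple[str, str]] = []
    dn = ""
    for raw in ldif_text.splitlines():
        line = raw.strip()
        if line.lower().startswith("dn:"):
            dn = line[3:].strip()
        elif line.lower().startswith("userpassword:"):
            value = line.split(":", 1)[1].strip()
            if value.lower().startswith("{crypt}"):
                results.append((dn, classify_crypt_hash(value)))
            else:
                results.append((dn, "other"))
    return results


# Constructed sample export; no hash below is a real credential.
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=com
userPassword: {CRYPT}$6$c0nstructedsalt$NOTAREALHASHplaceholder0000000000000000000000000000000000000000000000000000000

dn: uid=bob,ou=People,dc=example,dc=com
userPassword: {CRYPT}*

dn: uid=carol,ou=People,dc=example,dc=com
userPassword: {CRYPT}!!

dn: uid=dave,ou=People,dc=example,dc=com
userPassword: {CRYPT}xx

dn: uid=erin,ou=People,dc=example,dc=com
userPassword: {SSHA}c29tZS1jb25zdHJ1Y3RlZC12YWx1ZQ==
"""


def accounts_needing_attention(ldif_text: str) -> List[str]:
    """DNs whose {CRYPT} value would not be a real hash after import."""
    return [dn for dn, status in audit_ldif(ldif_text) if status in ("locked", "invalid")]


if __name__ == "__main__":
    for dn, status in audit_ldif(SAMPLE_LDIF):
        print(f"{status:8} {dn}")
    print("needs attention:", accounts_needing_attention(SAMPLE_LDIF))
```

Run the audit against an export before `ldapadd`/`dsconf` import; every DN it reports as locked or invalid should either be given a real password scheme or be imported with no userPassword at all (and nsAccountLock set if the intent is to keep it disabled), so that the account's bind outcome never depends on how the server interprets a non-hash.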
openSUSE-SU-2021:2801-1: An update that solves one vulnerability and has one errata is now available.
Category: security (moderate)
Bug References: 1188151,1188455
CVE References: CVE-2021-3652
JIRA References:
Sources used:
openSUSE Leap 15.3 (src): 389-ds-1.4.4.16~git16.c1926dfc6-3.4.1
SUSE-SU-2021:2801-1: An update that solves one vulnerability and has one errata is now available.
Category: security (moderate)
Bug References: 1188151,1188455
CVE References: CVE-2021-3652
JIRA References:
Sources used:
SUSE Linux Enterprise Module for Server Applications 15-SP3 (src): 389-ds-1.4.4.16~git16.c1926dfc6-3.4.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2021:2857-1: An update that fixes one vulnerability is now available.
Category: security (moderate)
Bug References: 1188455
CVE References: CVE-2021-3652
JIRA References:
Sources used:
SUSE Linux Enterprise Module for Server Applications 15-SP2 (src): 389-ds-1.4.3.24~git13.7b705e743-3.19.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
openSUSE-SU-2021:1211-1: An update that fixes one vulnerability is now available.
Category: security (moderate)
Bug References: 1188455
CVE References: CVE-2021-3652
JIRA References:
Sources used:
openSUSE Leap 15.2 (src): 389-ds-1.4.3.24~git13.7b705e743-lp152.2.18.1
Fixes have existed for a while; I forgot to assign back to security.
Hi William, I think we're still missing a submission for SUSE:SLE-15:Update and SUSE:SLE-15-SP1:Update...
(In reply to Thomas Leroy from comment #9)
> Hi William, I think we're still missing a submission for SUSE:SLE-15:Update
> and SUSE:SLE-15-SP1:Update...

There was a QA issue on SP1 that's been resolved now, let me check about 15 ...
Okay, it was missed from 15; submitting now.
SUSE-SU-2022:2109-1: An update that fixes three vulnerabilities is now available.
Category: security (important)
Bug References: 1188455,1195324,1199889
CVE References: CVE-2021-3652,CVE-2021-4091,CVE-2022-1949
JIRA References:
Sources used:
SUSE Linux Enterprise Server for SAP 15 (src): 389-ds-1.4.0.31~git15.8b9843b0b-150000.4.27.1
SUSE Linux Enterprise Server 15-LTSS (src): 389-ds-1.4.0.31~git15.8b9843b0b-150000.4.27.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src): 389-ds-1.4.0.31~git15.8b9843b0b-150000.4.27.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src): 389-ds-1.4.0.31~git15.8b9843b0b-150000.4.27.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2022:2163-1: An update that solves 5 vulnerabilities and has one errata is now available.
Category: security (important)
Bug References: 1188455,1195324,1197275,1197345,1199889,1200175
CVE References: CVE-2021-3652,CVE-2021-4091,CVE-2022-0918,CVE-2022-0996,CVE-2022-1949
JIRA References:
Sources used:
SUSE Linux Enterprise Server for SAP 15-SP1 (src): 389-ds-1.4.2.16~git68.efa843752-150100.7.34.1
SUSE Linux Enterprise Server 15-SP1-LTSS (src): 389-ds-1.4.2.16~git68.efa843752-150100.7.34.1
SUSE Linux Enterprise Server 15-SP1-BCL (src): 389-ds-1.4.2.16~git68.efa843752-150100.7.34.1
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src): 389-ds-1.4.2.16~git68.efa843752-150100.7.34.1
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src): 389-ds-1.4.2.16~git68.efa843752-150100.7.34.1
SUSE Enterprise Storage 6 (src): 389-ds-1.4.2.16~git68.efa843752-150100.7.34.1
SUSE CaaS Platform 4.0 (src): 389-ds-1.4.2.16~git68.efa843752-150100.7.34.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.