fedoraproject 389-directory-server CVE-2019-3883 vulnerability in Fedora Project and Other Products
Published on April 17, 2019

In 389-ds-base up to version 1.4.1.2, requests are handled by worker threads. A worker waits on each socket for at most 'ioblocktimeout' seconds. However, this timeout applies only to unencrypted requests. Connections using SSL/TLS do not take this timeout into account during reads and may hang longer. An unauthenticated attacker could repeatedly create hanging LDAP requests to hang all the workers, resulting in a Denial of Service.

References: Vendor Advisory, NVD

Weakness Type

Missing Release of Resource after Effective Lifetime

The software does not release a resource after its effective lifetime has ended, i.e., after the resource is no longer needed. When a resource is not released after use, it can allow attackers to cause a denial of service by causing the allocation of resources without triggering their release. Frequently affected resources include memory, CPU, disk space, power or battery, etc.


Products Associated with CVE-2019-3883


Affected Versions

Red Hat 389-ds-base, versions up to 1.4.1.2, is affected by CVE-2019-3883.

Exploit Probability

EPSS: 0.36%
Percentile: 57.99%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.