製品・ソフトウェアに関する情報

JVN脆弱性詳細

OpenLDAP における整数アンダーフローの脆弱性

Title	OpenLDAP における整数アンダーフローの脆弱性
Summary	OpenLDAP には、整数アンダーフローの脆弱性が存在します。
Possible impacts	サービス運用妨害 (DoS) 状態にされる可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	Nov. 23, 2020, midnight
Registration Date	Oct. 6, 2021, 4:58 p.m.
Last Update	Oct. 6, 2021, 4:58 p.m.

CVSS3.0 : 重要
Score	7.5
Vector	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS2.0 : 警告
Score	5
Vector	AV:N/AC:L/Au:N/C:N/I:N/A:P

Affected System

アップル

Apple Mac OS X

macOS Big Sur

OpenLDAP Foundation

OpenLDAP 2.4.57 未満

Debian

Debian GNU/Linux

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2020-36221	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36221
National Vulnerability Database (NVD)
2	CVE-2020-36221	https://nvd.nist.gov/vuln/detail/CVE-2020-36221

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-191	https://cwe.mitre.org/data/definitions/191.html

ベンダー情報

No	Name	URL
Apple Security Updates
1	HT212529	https://support.apple.com/en-us/HT212529
2	HT212530	https://support.apple.com/en-us/HT212530
3	HT212531	https://support.apple.com/en-us/HT212531
Apple セキュリティアップデート
4	HT212529	https://support.apple.com/ja-jp/HT212529
5	HT212530	https://support.apple.com/ja-jp/HT212530
6	HT212531	https://support.apple.com/ja-jp/HT212531
Debian
7	[SECURITY] [DLA 2544-1] openldap security update	https://lists.debian.org/debian-lts-announce/2021/02/msg00005.html
Debian Security Advisory
8	DSA-4845-1	https://www.debian.org/security/2021/dsa-4845
GitLab
9	ITS#9404 fix serialNumberAndIssuerCheck	https://git.openldap.org/openldap/openldap/-/commit/38ac838e4150c626bbfa0082b7e2cf3a2bb4df31
10	ITS#9424 fix serialNumberAndIssuerSerialCheck	https://git.openldap.org/openldap/openldap/-/commit/58c1748e81c843c5b6e61648d2a4d1d82b47e842
11	OPENLDAP_REL_ENG_2_4_57	https://git.openldap.org/openldap/openldap/-/tags/OPENLDAP_REL_ENG_2_4_57
OpenLDAP Issue Tracking System
12	Issue 9404 - Integer undeflow causes segfault in OpenLDAP: slapd v2.X - schema_init.c:serialNumberAndIssuerCheck:3343	https://bugs.openldap.org/show_bug.cgi?id=9404
13	Issue 9424 - Integer undeflow causes segfault in OpenLDAP: slapd v2.X - schema_init.c:serialNumberAndIssuerCheck:4478	https://bugs.openldap.org/show_bug.cgi?id=9424

Change Log

No	Changed Details	Date of change
1	[2021年10月06日] 掲載	Oct. 6, 2021, 4:58 p.m.

NVD Vulnerability Information

CVE-2020-36221

Summary	An integer underflow was discovered in OpenLDAP before 2.4.57 leading to slapd crashes in the Certificate Exact Assertion processing, resulting in denial of service (schema_init.c serialNumberAndIssuerCheck).
Publication Date	Jan. 27, 2021, 3:15 a.m.
Registration Date	Jan. 27, 2021, 12:10 p.m.
Last Update	Nov. 21, 2024, 2:29 p.m.

Affected software configurations

Configuration1		or higher	or less	more than	less than
cpe:2.3:a:openldap:openldap::::::::					2.4.57

Configuration2	or higher	or less	more than	less than
cpe:2.3:o:debian:debian_linux:9.0:::::::*
cpe:2.3:o:debian:debian_linux:10.0:::::::*

Configuration3	or higher	or less	more than	less than
cpe:2.3:o:apple:mac_os_x::::::::	10.14.0			10.14.6
cpe:2.3:o:apple:mac_os_x:10.14.6:security_update_2020-001::::::
cpe:2.3:o:apple:mac_os_x:10.14.6:security_update_2020-002::::::
cpe:2.3:o:apple:mac_os_x:10.14.6:security_update_2020-003::::::
cpe:2.3:o:apple:mac_os_x:10.14.6:security_update_2020-004::::::
cpe:2.3:o:apple:mac_os_x:10.14.6:security_update_2020-005::::::
cpe:2.3:o:apple:mac_os_x:10.14.6:security_update_2020-006::::::
cpe:2.3:o:apple:mac_os_x:10.14.6:security_update_2019-007::::::
cpe:2.3:o:apple:mac_os_x:10.14.6:security_update_2019-004::::::
cpe:2.3:o:apple:mac_os_x:10.14.6:security_update_2019-005::::::
cpe:2.3:o:apple:mac_os_x:10.14.6:security_update_2019-006::::::
cpe:2.3:o:apple:mac_os_x:10.14.6:supplemental_update::::::
cpe:2.3:o:apple:mac_os_x:10.14.6:supplemental_update_2::::::
cpe:2.3:o:apple:mac_os_x:10.14.6:-::::::
cpe:2.3:o:apple:mac_os_x:10.14.6:security_update_2020-007::::::
cpe:2.3:o:apple:mac_os_x:10.14.6:security_update_2021-001::::::
cpe:2.3:o:apple:mac_os_x:10.14.6:security_update_2021-002::::::
cpe:2.3:o:apple:mac_os_x:10.14.6:security_update_2021-003::::::
cpe:2.3:o:apple:macos::::::::	11.1			11.4

Related information, measures and tools

No	URL	タグ
1	http://seclists.org/fulldisclosure/2021/May/64	Mailing List Third Party Advisory
2	http://seclists.org/fulldisclosure/2021/May/64	Mailing List Third Party Advisory
3	http://seclists.org/fulldisclosure/2021/May/65	Mailing List Third Party Advisory
4	http://seclists.org/fulldisclosure/2021/May/65	Mailing List Third Party Advisory
5	http://seclists.org/fulldisclosure/2021/May/70	Mailing List Third Party Advisory
6	http://seclists.org/fulldisclosure/2021/May/70	Mailing List Third Party Advisory
7	https://bugs.openldap.org/show_bug.cgi?id=9404	Issue Tracking Vendor Advisory
8	https://bugs.openldap.org/show_bug.cgi?id=9404	Issue Tracking Vendor Advisory
9	https://bugs.openldap.org/show_bug.cgi?id=9424	Issue Tracking Vendor Advisory
10	https://bugs.openldap.org/show_bug.cgi?id=9424	Issue Tracking Vendor Advisory
11	https://git.openldap.org/openldap/openldap/-/commit/38ac838e4150c626bbfa0082b7e2cf3a2bb4df31	Patch Vendor Advisory
12	https://git.openldap.org/openldap/openldap/-/commit/38ac838e4150c626bbfa0082b7e2cf3a2bb4df31	Patch Vendor Advisory
13	https://git.openldap.org/openldap/openldap/-/commit/58c1748e81c843c5b6e61648d2a4d1d82b47e842	Patch Vendor Advisory
14	https://git.openldap.org/openldap/openldap/-/commit/58c1748e81c843c5b6e61648d2a4d1d82b47e842	Patch Vendor Advisory
15	https://git.openldap.org/openldap/openldap/-/tags/OPENLDAP_REL_ENG_2_4_57	Release Notes Vendor Advisory
16	https://git.openldap.org/openldap/openldap/-/tags/OPENLDAP_REL_ENG_2_4_57	Release Notes Vendor Advisory
17	https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b%40%3Cissues.bookkeeper.apache.org%3E
18	https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b%40%3Cissues.bookkeeper.apache.org%3E
19	https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4%40%3Cissues.bookkeeper.apache.org%3E
20	https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4%40%3Cissues.bookkeeper.apache.org%3E
21	https://lists.debian.org/debian-lts-announce/2021/02/msg00005.html	Mailing List Third Party Advisory
22	https://lists.debian.org/debian-lts-announce/2021/02/msg00005.html	Mailing List Third Party Advisory
23	https://security.netapp.com/advisory/ntap-20210226-0002/	Third Party Advisory
24	https://security.netapp.com/advisory/ntap-20210226-0002/	Third Party Advisory
25	https://support.apple.com/kb/HT212529	Third Party Advisory
26	https://support.apple.com/kb/HT212529	Third Party Advisory
27	https://support.apple.com/kb/HT212530	Third Party Advisory
28	https://support.apple.com/kb/HT212530	Third Party Advisory
29	https://support.apple.com/kb/HT212531	Third Party Advisory
30	https://support.apple.com/kb/HT212531	Third Party Advisory
31	https://www.debian.org/security/2021/dsa-4845	Third Party Advisory
32	https://www.debian.org/security/2021/dsa-4845	Third Party Advisory

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-191	整数アンダーフロー	https://cwe.mitre.org/data/definitions/191.html

Configuration3	or higher	or less	more than	less than
cpe:2.3:o:apple:mac_os_x::::::::	10.14.0			10.14.6
cpe:2.3:o:apple:mac_os_x:10.14.6:security_update_2020-001::::::
cpe:2.3:o:apple:mac_os_x:10.14.6:security_update_2020-002::::::
cpe:2.3:o:apple:mac_os_x:10.14.6:security_update_2020-003::::::
cpe:2.3:o:apple:mac_os_x:10.14.6:security_update_2020-004::::::
cpe:2.3:o:apple:mac_os_x:10.14.6:security_update_2020-005::::::
cpe:2.3:o:apple:mac_os_x:10.14.6:security_update_2020-006::::::
cpe:2.3:o:apple:mac_os_x:10.14.6:security_update_2019-007::::::
cpe:2.3:o:apple:mac_os_x:10.14.6:security_update_2019-004::::::
cpe:2.3:o:apple:mac_os_x:10.14.6:security_update_2019-005::::::
cpe:2.3:o:apple:mac_os_x:10.14.6:security_update_2019-006::::::
cpe:2.3:o:apple:mac_os_x:10.14.6:supplemental_update::::::
cpe:2.3:o:apple:mac_os_x:10.14.6:supplemental_update_2::::::
cpe:2.3:o:apple:mac_os_x:10.14.6:-::::::
cpe:2.3:o:apple:mac_os_x:10.14.6:security_update_2020-007::::::
cpe:2.3:o:apple:mac_os_x:10.14.6:security_update_2021-001::::::
cpe:2.3:o:apple:mac_os_x:10.14.6:security_update_2021-002::::::
cpe:2.3:o:apple:mac_os_x:10.14.6:security_update_2021-003::::::
cpe:2.3:o:apple:macos::::::::	11.1			11.4