
OpenLDAP vulnerability

Stonesoft Corp. Security Advisory

Date: 15 January 2003
Title: OpenLDAP vulnerability
Refs:
Debian: DSA-227-1


The information contained in this advisory is provided on an as-is basis. Stonesoft does not make any warranties of any kind with respect to the information contained in this advisory. ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES ARE HEREBY DISCLAIMED AND EXCLUDED TO THE EXTENT ALLOWED BY APPLICABLE LAW.

IN NO EVENT WILL STONESOFT, CORP. BE LIABLE FOR ANY LOST REVENUE, PROFIT OR DATA, OR FOR DIRECT, SPECIAL, INDIRECT, CONSEQUENTIAL, INCIDENTAL OR PUNITIVE DAMAGES HOWEVER CAUSED ARISING OUT OF THE USE OF OR INABILITY TO USE THE INFORMATION CONTAINED IN THIS ADVISORY.

If any of the above provisions are held to be in violation of applicable law, void, or unenforceable in any jurisdiction, then such provisions are waived to the extent necessary for this disclaimer to be otherwise enforceable in such jurisdiction.


1. Overview

Debian announced on 13 January 2003 that the OpenLDAP2 packages prior to version 2.0.23-6.3 contain potentially exploitable remote buffer overflow vulnerabilities. On the same day OpenLDAP2 2.0.23-6.3 was released, which fixes those potential vulnerabilities.
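As an added practitioner's check that is not part of this advisory (nor Stonesoft's or Debian's own tooling), the following Python implements the Debian package version ordering used by dpkg (epoch, upstream version, Debian revision; numeric runs compared numerically, "~" sorting before everything) so that an installed OpenLDAP2 package version can be classified against the fixed version 2.0.23-6.3 offline. The dpkg-query output embedded below is constructed, and the package names slapd and libldap2 are assumed to be the ones of interest on the host.

```python
import re

# Version named in DSA-227-1 as the first fixed OpenLDAP2 package version.
FIXED = "2.0.23-6.3"

# Constructed sample of `dpkg-query -W -f='${Package}\t${Version}\n' slapd libldap2`;
# not real output from any host.
SAMPLE_DPKG_OUTPUT = """\
slapd\t2.0.23-6.2
libldap2\t2.0.23-6.3
"""


def _split(version):
    """Split '[epoch:]upstream[-revision]' into its three components."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    if "-" in version:
        upstream, revision = version.rsplit("-", 1)
    else:
        upstream, revision = version, ""
    return epoch, upstream, revision


def _order(c):
    """dpkg's character weight for non-digit runs: '~' < end-of-string < letters < other."""
    if c == "~":
        return -1
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _cmp_nondigit(a, b):
    """Compare two non-digit runs; a missing character counts as weight 0."""
    for i in range(max(len(a), len(b))):
        wa = _order(a[i]) if i < len(a) else 0
        wb = _order(b[i]) if i < len(b) else 0
        if wa != wb:
            return -1 if wa < wb else 1
    return 0


def _cmp_part(a, b):
    """Compare an upstream version or revision string the way dpkg does."""
    ia = ib = 0
    while ia < len(a) or ib < len(b):
        # Alternate: a non-digit run (compared by _order) ...
        na = re.match(r"[^0-9]*", a[ia:]).group(0)
        nb = re.match(r"[^0-9]*", b[ib:]).group(0)
        r = _cmp_nondigit(na, nb)
        if r:
            return r
        ia += len(na)
        ib += len(nb)
        # ... then a digit run (compared numerically, so 10 > 3).
        da = re.match(r"[0-9]*", a[ia:]).group(0)
        db = re.match(r"[0-9]*", b[ib:]).group(0)
        ia += len(da)
        ib += len(db)
        va = int(da) if da else 0
        vb = int(db) if db else 0
        if va != vb:
            return -1 if va < vb else 1
    return 0


def deb_version_cmp(a, b):
    """Return -1, 0 or 1 as Debian version a is older than, equal to or newer than b."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    r = _cmp_part(ua, ub)
    if r:
        return r
    return _cmp_part(ra, rb)


def is_vulnerable(installed, fixed=FIXED):
    """True when the installed package version sorts before the fixed one."""
    return deb_version_cmp(installed, fixed) < 0


def classify(dpkg_output, fixed=FIXED):
    """Map each 'package<TAB>version' line of dpkg-query output to 'vulnerable' or 'fixed'."""
    result = {}
    for line in dpkg_output.splitlines():
        if not line.strip():
            continue
        package, version = line.split("\t", 1)
        result[package] = "vulnerable" if is_vulnerable(version, fixed) else "fixed"
    return result


if __name__ == "__main__":
    for package, state in classify(SAMPLE_DPKG_OUTPUT).items():
        print(f"{package}: {state}")
```

Two points the ordering rules make visible: a revision such as 6.10 is newer than 6.3 because digit runs compare numerically, not lexically, and a version carrying an epoch (1:2.0.0-1) sorts after 2.0.23-6.3 regardless of the upstream number, so an epoch-bearing backport must be judged by its changelog rather than by this comparison alone.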

2. StoneGate

StoneGate uses an OpenLDAP server on the firewall engines for user authentication. The default firewall policy allows only the StoneGate management server to connect to the engine's LDAP server. The connection is further secured with an SSL tunnel and authenticated with certificates. No unauthorized party should be able to connect to the vulnerable LDAP server to execute an exploit.

All StoneGate engines up to and including version 2.0.7 have a vulnerable LDAP server.

An updated version of OpenLDAP will be included in StoneGate engine version 2.0.8, which will be automatically sent to customers having a valid support and maintenance contract after the new version has been released.

3. Appendices

Stonesoft Security Analysis Group's PGP key is available at: ftp://download.stonesoft.com/web/Support/Stonesoft Security Alert.asc

To report or inquire about a security problem with Stonesoft software, contact one or more of the following:


Copyright 2003 Stonesoft, Corp. All rights reserved.

Stonesoft, StoneGate and StoneBeat are trademarks or registered trademarks of Stonesoft, Corp. in Finland and other countries. All other company and product names contained herein are property of their respective holders. This advisory may be reproduced and distributed only in its unaltered form and only for non-commercial purposes.