IBM Lotus Domino buffer overflow vulnerability in LDAP server task

Technote (troubleshooting)


Problem

iDefense contacted IBM Lotus to report a potential denial of service vulnerability with the Lotus Domino LDAP server task.

The iDefense advisory can be accessed from the following link:
http://www.idefense.com/intelligence/vulnerabilities/



Cause

If the LDAP server task is running on the Domino server and a malformed request is submitted to the LDAP server for processing, it may cause a buffer overflow, resulting in a server crash.

Resolving the problem

This issue was reported to Lotus Quality Engineering as SPR# KEMG6UFL2A, and has been fixed in the following Domino releases:

7.0.2 Fix Pack 1 (FP1)

6.5.5 Fix Pack 3 (FP3)

6.5.6

7.0.3

8.0


Attack vector: Remote
Impact: Denial of Service

Assessing this vulnerability using the Common Vulnerability Scoring System (CVSS):
CVSS Base Score: 5
CVSS Temporal Score: 3.9
CVSS Environmental Score: Undefined*
Overall CVSS Score: 3.9

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the referenced links below.

Base Score Metrics:
Related exploit range/Attack Vector: Remote
Attack Complexity: Low
Level of Authentication Needed: Not Required
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: Complete
Impact Value Weighting: Weight Availability

Temporal Score Metrics:
Availability of Exploit: Proof of concept code
Type of Fix available: Official fix
Level of verification that vulnerability exists: Confirmed

References:
Complete CVSS Guide:
http://www.first.org/cvss/cvss-guide.html

Online Calculator:
http://nvd.nist.gov/cvss.cfm?calculator



Rate this page:

(0 users)Average rating

Add comments

Document information


More support for:

Lotus End of Support Products
Lotus Domino

Software version:

6.5, 7.0

Operating system(s):

AIX, Linux, Solaris, Windows

Reference #:

1257248

Modified date:

2007-04-26

Translate my page

Machine Translation

Content navigation