Bug 30558 - 389-ds-base new security issue CVE-2022-1949
Summary: 389-ds-base new security issue CVE-2022-1949
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 8
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2022-06-16 22:52 CEST by David Walser
Modified: 2022-06-24 22:51 CEST (History)
5 users (show)

See Also:
Source RPM: 389-ds-base-1.4.0.26-8.4.mga8.src.rpm
CVE: CVE-2022-1949
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description David Walser 2022-06-16 22:52:42 CEST 
openSUSE has issued an advisory on June 14:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/X5QRVVCIHOYYKUM4VU2IZ3RYGYI66M2M/

Mageia 8 is also affected.
David Walser 2022-06-16 22:52:53 CEST

Whiteboard: (none) => MGA8TOO

Comment 1 Nicolas Salguero 2022-06-17 14:17:34 CEST 
Suggested advisory:
========================

The updated packages fix a security vulnerability:

An access control bypass vulnerability found in 389-ds-base. That mishandling of the filter that would yield incorrect results, but as that has progressed, can be determined that it actually is an access control bypass. This may allow any remote unauthenticated user to issue a filter that allows searching for database items they do not have access to, including but not limited to potentially userPassword hashes and other sensitive data. (CVE-2022-1949)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1949
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/X5QRVVCIHOYYKUM4VU2IZ3RYGYI66M2M/
========================

Updated packages in core/updates_testing:
========================
389-ds-base-1.4.0.26-8.5.mga8
389-ds-base-snmp-1.4.0.26-8.5.mga8
cockpit-389-ds-1.4.0.26-8.5.mga8
lib(64)389-ds-base0-1.4.0.26-8.5.mga8
lib(64)389-ds-base-devel-1.4.0.26-8.5.mga8
lib(64)svrcore0-1.4.0.26-8.5.mga8
lib(64)svrcore-devel-1.4.0.26-8.5.mga8

from SRPM:
389-ds-base-1.4.0.26-8.5.mga8.src.rpm

Whiteboard: MGA8TOO => (none)
Assignee: bugsquad => qa-bugs
CVE: (none) => CVE-2022-1949
Status: NEW => ASSIGNED
Source RPM: 389-ds-base-1.4.0.26-13.mga9.src.rpm => 389-ds-base-1.4.0.26-8.4.mga8.src.rpm
Version: Cauldron => 8
CC: (none) => nicolas.salguero

Comment 2 Herman Viaene 2022-06-20 16:14:36 CEST 
MGA8-64 Plasma on Acer Aspire 5253
No installation issues.
Ref bug 22466 for tests
# setup-ds.pl

==============================================================================
This program will set up the 389 Directory Server.

It is recommended that you have "root" privilege to set up the software.
Tips for using this  program:
  - Press "Enter" to choose the default and go to the next screen
  - Type "Control-B" or the word "back" then "Enter" to go back to the previous screen
  - Type "Control-C" to cancel the setup program

Would you like to continue with set up? [yes]: 

==============================================================================
Choose a setup type:

   1. Express
       Allows you to quickly set up the servers using the most
       common options and pre-defined defaults. Useful for quick
       evaluation of the products.

   2. Typical
       Allows you to specify common defaults and options.

   3. Custom
       Allows you to specify more advanced options. This is 
       recommended for experienced server administrators only.

To accept the default shown in brackets, press the Enter key.

Choose a setup type [2]: 

==============================================================================
Enter the fully qualified domain name of the computer
on which you're setting up server software. Using the form
<hostname>.<domainname>
Example: eros.example.com.

To accept the default shown in brackets, press the Enter key.

Warning: This step may take a few minutes if your DNS servers
can not be reached or if DNS is not configured correctly.  If
you would rather not wait, hit Ctrl-C and run this program again
with the following command line option to specify the hostname:

    General.FullMachineName=your.hostname.domain.name

Computer name [mach7.hviaene.thuis]: 

==============================================================================
The server must run as a specific user in a specific group.
It is strongly recommended that this user should have no privileges
on the computer (i.e. a non-root user).  The setup procedure
will give this user/group some permissions in specific paths/files
to perform server-specific operations.

If you have not yet created a user and group for the server,
create this user and group using your native operating
system utilities.

System User [dirsrv]: 
System Group [dirsrv]: 

==============================================================================
The standard directory server network port number is 389.  However, if
you are not logged as the superuser, or port 389 is in use, the
default value will be a random unused port number greater than 1024.
If you want to use port 389, make sure that you are logged in as the
superuser, that port 389 is not in use.

Directory server network port [389]: 

==============================================================================
Each instance of a directory server requires a unique identifier.
This identifier is used to name the various
instance specific files and directories in the file system,
as well as for other uses as a server instance identifier.

Directory server identifier [mach7]: 

==============================================================================
The suffix is the root of your directory tree.  The suffix must be a valid DN.
It is recommended that you use the dc=domaincomponent suffix convention.
For example, if your domain is example.com,
you should use dc=example,dc=com for your suffix.
Setup will create this initial suffix for you,
but you may have more than one suffix.
Use the directory server utilities to create additional suffixes.

Suffix [dc=hviaene, dc=thuis]: 

==============================================================================
Certain directory server operations require an administrative user.
This user is referred to as the Directory Manager and typically has a
bind Distinguished Name (DN) of cn=Directory Manager.
You will also be prompted for the password for this user.  The password must
be at least 8 characters long, and contain no spaces.
Press Control-B or type the word "back", then Enter to back up and start over.

Directory Manager DN [cn=Directory Manager]: 
Password: 
Password (confirm): 
Your new DS instance 'mach7' was successfully created.
Exiting . . .
Log file is '/tmp/setupcoJCJO.log'

# start-dirsrv
Starting instance "mach7"
There is an ns-slapd running: 10108

# netstat -pant | grep 389 
tcp6       0      0 :::389                  :::*                    LISTEN      10108/ns-slapd      

# ldapsearch -x -h localhost -s base -b ""  "objectclass=*"
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: objectclass=*
# requesting: ALL
#

#
dn:
objectClass: top
defaultnamingcontext: dc=hviaene,dc=thuis
dataversion: 020220620140803
netscapemdsuffix: cn=ldap://dc=mach7,dc=hviaene,dc=thuis:389

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

This all looks the sam eas in previous updates, so OK for me.

Whiteboard: (none) => MGA8-64-OK
CC: (none) => herman.viaene

Comment 3 Thomas Andrews 2022-06-22 04:12:39 CEST 
Validating. Advisory in Comment 1.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Dave Hodgins 2022-06-23 20:20:09 CEST

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 4 Mageia Robot 2022-06-24 22:51:51 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0239.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED
Note You need to log in before you can comment on or make changes to this bug.