Monday, February 13, 2006

Potential DoS Vulnerability in Domino LDAP Server Task

I had someone forward this to me. I don't recall seeing it in the blogs, but the IBM technote was updated on 2/10/2006:

Potential Denial of Service Vulnerability in Domino LDAP Server Task

A specially crafted bind request sent to the LDAP server port can result in a Lotus Domino server crash. If successfully exploited, this vulnerability allows an unauthenticated remote attacker to crash the LDAP service, preventing legitimate usage.

This issue was reported to IBM Lotus by iDEFENSE. The advisory address is as follows:

IDEF 1173: Lotus Domino LDAP Server Bind Command DoS

This issue was reported to IBM Lotus Quality Engineering as SPR# JBUD6FMQST and fixed in Domino 6.5.4 FP2, Domino 6.5.5, and Domino 7.0.1.
Refer to the Upgrade Central site for details on upgrading Notes/Domino.

A workaround for previous releases is to limit access to TCP port 389 on the LDAP server to only allow trusted hosts to connect.

Note: This issue does not affect Domino servers that are not running the LDAP server task.

Now Playing: "12" by Neal Morse
