CVE-2019-3883
HIGH389 Directory Server < 1.4.1.2 - Unauthenticated Denial of Service via SSL/TLS Connection Hang
Title source: llmDescription
In 389-ds-base up to version 1.4.1.2, requests are handled by workers threads. Each sockets will be waited by the worker for at most 'ioblocktimeout' seconds. However this timeout applies only for un-encrypted requests. Connections using SSL/TLS are not taking this timeout into account during reads, and may hang longer.An unauthenticated attacker could repeatedly create hanging LDAP requests to hang all the workers, resulting in a Denial of Service.
References (7)
Core 7
Core References
Mailing List, Third Party Advisory mailing-list
https://lists.debian.org/debian-lts-announce/2019/05/msg00008.html
Third Party Advisory vendor-advisory
https://access.redhat.com/errata/RHSA-2019:1896
Third Party Advisory vendor-advisory
https://access.redhat.com/errata/RHSA-2019:3401
Mailing List mailing-list
https://lists.debian.org/debian-lts-announce/2023/04/msg00026.html
Issue Tracking, Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3883
Issue Tracking, Third Party Advisory
https://pagure.io/389-ds-base/issue/50329
Third Party Advisory
https://pagure.io/389-ds-base/pull-request/50331
Scores
CVSS v3
7.5
EPSS
0.0843
EPSS Percentile
94.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Details
CWE
CWE-772
Status
published
Products (3)
debian/debian_linux
8.0
fedoraproject/389_directory_server
< 1.4.1.2
redhat/enterprise_linux
6.0
Published
Apr 17, 2019
Tracked Since
Feb 18, 2026