In association with heise online

01 November 2006, 20:47

New vulnerabilities in Novell's eDirectory

Novell's directory access service eDirectory and its web front end iMonitor can, under certain circumstances, be paralysed by targeted attacks over the network, security vendor iDefense has reported. According to iDefense, manipulated log-in requests can cause the BerDecodeLoginDataRequest function to perform an illegal memory access that crashes the server process. iMonitor's Tomcat server stumbles over TREE parameters longer than 256 bytes in HTTP POST requests, which leaves the service inoperable until it is restarted.

Neither vulnerability can be used to inject code, iDefense reports. Novell has confirmed the holes for eDirectory 8.8 and 8.8.1 on Linux and Solaris and for iMonitor 2.5 on all platforms. Older versions may also be affected. There are evidently no workarounds as yet, although the software maker is offering Security Services Patch 2.0.3 for eDirectory and a version of iMonitor 2.6 without the error. eDirectory admins should apply the patches as soon as possible.
