CVE-2018-1337
Description
In Apache Directory LDAP API before 1.0.2, a bug in the way the SSL Filter was setup made it possible for another thread to use the connection before the TLS layer has been established, if the connection has already been used and put back in a pool of connections, leading to leaking any information contained in this request (including the credentials when sending a BIND request).
Predictions
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Mitigation details
CVE-2018-1337 NameCVE-2018-1337 DescriptionIn Apache Directory LDAP API before 1.0.2, a bug in the way the SSL Filter was setup made it possible for another thread to use the connection before the TLS layer has been established, if the connection has already been used and put back in a pool of connections, leading to leaking any information contained in this request (including the credentials…
CVE-2018-1337
| Name | CVE-2018-1337 |
| Description | In Apache Directory LDAP API before 1.0.2, a bug in the way the SSL Filter was setup made it possible for another thread to use the connection before the TLS layer has been established, if the connection has already been used and put back in a pool of connections, leading to leaking any information contained in this request (including the credentials when sending a BIND request). |
| Source | CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
Vulnerable and fixed packages
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| apache-directory-api (PTS) | bullseye | 1.0.0-2 | vulnerable |
| bookworm | 2.1.2-1 | fixed | |
| forky, sid, trixie | 2.1.2-2 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| apache-directory-api | source | (unstable) | 2.1.2-1 |
Notes
https://lists.apache.org/thread/lrfz3057jbz6ssyg7scmcrpx46qopcm5
Apply commands
https://lists.apache.org/thread/lrfz3057jbz6ssyg7scmcrpx46qopcm5OS impact
Debian Mixed 5 releases
| Version | Status | Fixed in |
|---|---|---|
| trixie | Fixed | 2.1.2-1 |
| sid | Fixed | 2.1.2-1 |
| forky | Fixed | 2.1.2-1 |
| bullseye | Affected | — |
| bookworm | Fixed | 2.1.2-1 |
Package impact
| Ecosystem | Package | Vulnerable | Fixed |
|---|---|---|---|
| Maven | org.apache.directory.api:apache-ldap-api | <1.0.2 | 1.0.2 |
References
- https://nvd.nist.gov/vuln/detail/CVE-2018-1337
- https://github.com/advisories/GHSA-cfw5-v7cw-69cw
- https://lists.apache.org/thread.html/d66081195e9a02ee7cc20fb243b60467d1419586eed28297d820768f@%3Cdev.directory.apache.org%3E
- https://lists.apache.org/thread.html/r0e645b3f6ca977dc60b7cec231215c59a9471736c2402c1fef5a0616@%3Cjira.kafka.apache.org%3E
- https://lists.apache.org/thread.html/r1815fb5b0c345f571c740e7a1b48d7477647edd4ffcf9d5321e69446@%3Cdev.kafka.apache.org%3E
- https://lists.apache.org/thread.html/r1a258430d820a90ff9d4558319296cc517ff2252327d7b3546d16749@%3Cjira.kafka.apache.org%3E
- https://lists.apache.org/thread.html/r4da40aa50cfdb2158898f2bc6df81feec1d42c6a06db6537d5cc0496@%3Cjira.kafka.apache.org%3E
- https://lists.apache.org/thread.html/r55e74532e7f9e84ecfa56b4e0a50a5fe0ba6f7a76880520e4400b0d7@%3Cjira.kafka.apache.org%3E
- https://lists.apache.org/thread.html/r56b304fb9960c869995efbb31da3b9b7c6d53ee31f7f7048eb80434b@%3Cdev.kafka.apache.org%3E
- http://www.securityfocus.com/bid/104744
- https://security-tracker.debian.org/tracker/CVE-2018-1337
Community-verified mitigations for this CVE will appear above when contributors publish them.
Verify integrity in audit chain (admin only). AS-IS.