[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
RE: OpenLDAP 2.4.45 possible denial of service vulnerability?
- To: <hyc@symas.com>, <quanah@symas.com>, <openldap-technical@openldap.org>
- Subject: RE: OpenLDAP 2.4.45 possible denial of service vulnerability?
- From: <Juergen.Sprenger@swisscom.com>
- Date: Mon, 11 Feb 2019 07:43:43 +0000
- Accept-language: en-US, de-CH
- Content-language: en-US
- In-reply-to: <8b8b7321-bc4c-d5ea-04cd-fcc5b95f19de@symas.com>
- Msip_labels: MSIP_Label_2e1fccfb-80ca-4fe1-a574-1516544edb53_Enabled=True; MSIP_Label_2e1fccfb-80ca-4fe1-a574-1516544edb53_SiteId=364e5b87-c1c7-420d-9bee-c35d19b557a1; MSIP_Label_2e1fccfb-80ca-4fe1-a574-1516544edb53_Owner=Juergen.Sprenger@swisscom.com; MSIP_Label_2e1fccfb-80ca-4fe1-a574-1516544edb53_SetDate=2019-02-11T07:43:42.1272149Z; MSIP_Label_2e1fccfb-80ca-4fe1-a574-1516544edb53_Name=C2 Internal; MSIP_Label_2e1fccfb-80ca-4fe1-a574-1516544edb53_Application=Microsoft Azure Information Protection; MSIP_Label_2e1fccfb-80ca-4fe1-a574-1516544edb53_Extended_MSFT_Method=Automatic; Sensitivity=C2 Internal
- References: <88b17ef74a674a3ab355d93abf9d6c93@swisscom.com> <179C58375D6C224407F92BB5@[192.168.1.39]> <d30c8997ed54483f812952ea5cfd4987@swisscom.com> <8b8b7321-bc4c-d5ea-04cd-fcc5b95f19de@symas.com>
- Thread-index: AdS4fbsO93wWUGwITBWlf20mYQhSRQAJWLAAAV6qeUD///RlAP/4dm4g
- Thread-topic: OpenLDAP 2.4.45 possible denial of service vulnerability?
We started with the default of 126 and increased the value to see whether it has an impact on the issue.
The issue occurs also with maxreaders=126. Same with searchstack and toolthreads with default values.
-----Original Message-----
From: Howard Chu [mailto:hyc@symas.com]
Sent: Mittwoch, 6. Februar 2019 14:32
To: Sprenger Jürgen, INI-ONE-CIS-SDI-HES <Juergen.Sprenger@swisscom.com>; quanah@symas.com; openldap-technical@openldap.org
Subject: Re: OpenLDAP 2.4.45 possible denial of service vulnerability?
Juergen.Sprenger@swisscom.com wrote:
> Hi,
>
> Anyway, I consider this issue a denial of service vulnerability and OpenLDAP 2.4.45 will not be used for production here.
>
> The only major change in configuration was switching from hdb to mdb, so I will have to check whether mdb may be the cause of this issue.
You never answered Quanah's questions about your config. Are you actually running on a server with 4096 CPUs? If not, why is your maxreaders set to 4096?
>
> Regards Juergen
>
> -----Original Message-----
> From: Quanah Gibson-Mount [mailto:quanah@symas.com]
> Sent: Mittwoch, 30. Januar 2019 15:53
> To: Sprenger Jürgen, INI-ONE-CIS-SDI-HES
> <Juergen.Sprenger@swisscom.com>; openldap-technical@openldap.org
> Subject: Re: OpenLDAP 2.4.45 possible denial of service vulnerability?
>
> --On Wednesday, January 30, 2019 9:43 AM +0000 Juergen.Sprenger@swisscom.com wrote:
>
>> Hi,
>>
>> After upgrading to the latest Release (Solaris 11.3 SRU35, OpenLDAP
>> 2.4.45) we are experiencing massive workloads caused by single
>> clients consuming all available threads and CPU-resources.
>
> Solaris 11.4 is out (just to note). And the latest OpenLDAP release
> is
> 2.4.47 (just to note).
>
>> tool-threads 8
>
> A tool-threads setting > 2 is ignored with back-mdb.
>
>> maxreaders 4096
>
> This is an extremely large value (default is 126). Are you sure you need this bumped so high?
>
>> searchstack 64
>
> Similarly here.
>
>> So far we experienced this behavior with clients of Oracle Enterprise
>> Linux 6.x, Redhat Enterprise Linux 6.x and AIX. Service requests are
>> opened at vendors support, but I'd prefer to have an installation
>> which is less vulnerable and more resilient to issues of this kind.
>
> I'd estimate that your ability to get a useful response from either is near zero. If you have an enterprise operation that needs support for OpenLDAP you may want to look at Symas' enterprise OpenLDAP builds (Symas Gold). We provide builds and support for Solaris 11.
>
>> To avoid performance issues loglevel is now "none stats sync" but can
>> be changed for some time to track down the cause.
>
> You could just do "stats sync", not really a reason to leave "none" in the list.
>
> Generally if you hit an issue such as this, you would want to provde a full backtrace of the slapd process from a utility such as GDB.
>
> Warm regards,
> Quanah
>
> --
>
> Quanah Gibson-Mount
> Product Architect
> Symas Corporation
> Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
> <http://www.symas.com>
>
>
>
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/