OpenDJ Denial-of-Service Vulnerability via Alias Loop
Vulnerability
A denial-of-service vulnerability has been identified in OpenDJ versions prior to 4.9.3. This vulnerability causes the server to become unresponsive to all LDAP requests, without crashing or restarting. The issue arises when an alias loop exists in the LDAP database. If an ldapsearch request is made with alias dereferencing set to 'always' on an entry involved in the loop, the server will stop responding to future requests. Fortunately, the server can be restarted without any data loss.
Impact
Exploitation of this vulnerability leads to a complete denial-of-service condition in which the server becomes unresponsive to all LDAP requests. Recovery requires a manual restart of the server; no data corruption occurs.
Reproduction
To reproduce this vulnerability, first set up an OpenDJ server instance and import a crafted LDAP entry that creates an alias loop. Then, execute an ldapsearch request with alias dereferencing set to 'always' on the entry with the loop. The server will become unresponsive to all future requests until it is restarted.
Remediation
Users can upgrade to OpenDJ version 4.9.3 or later to address this vulnerability.
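As an added example (not part of this advisory and not OpenDJ's own code), the following Python script audits an LDIF export for alias loops and dangling aliases, so an administrator can locate and remove loops in the directory data before any dereferencing search reaches them, for instance while preparing the upgrade to 4.9.3. It assumes a standard LDIF export (such as one produced by OpenDJ's export-ldif tool) in which alias entries carry the alias object class and an aliasedObjectName attribute; the sample LDIF, the entry names and the simplified DN normalization are constructed for this example.

```python
"""Audit an LDIF export for alias loops and dangling aliases (added example)."""
import base64
from typing import Dict, List


def normalize_dn(dn: str) -> str:
    """Simplified DN normalization: lowercase and strip whitespace around RDN
    separators. Full RFC 4514 matching (escaped commas, attribute-type
    aliases) is not attempted; this is enough for a consistently formatted export."""
    return ",".join(part.strip() for part in dn.lower().split(","))


def parse_ldif(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Parse LDIF content records into {normalized dn: {attr: [values]}}.
    Handles line folding, comments and base64 ('::') values; change records
    (changetype:) and URL ('<') values are ignored."""
    unfolded: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:      # continuation of previous line
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)

    entries: Dict[str, Dict[str, List[str]]] = {}
    current: Dict[str, List[str]] = {}
    dn = None

    def flush() -> None:
        nonlocal current, dn
        if dn is not None:
            entries[normalize_dn(dn)] = current
        current, dn = {}, None

    for line in unfolded:
        if not line.strip():                      # blank line ends an entry
            flush()
            continue
        if line.startswith("#") or line.lower().startswith("version:"):
            continue
        name, sep, rest = line.partition(":")
        if not sep:
            continue
        if rest.startswith(":"):                  # base64-encoded value
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        elif rest.startswith("<"):                # URL-valued attribute, skip
            continue
        else:
            value = rest.strip()
        name = name.strip().lower()
        if name == "dn":
            dn = value
        else:
            current.setdefault(name, []).append(value)
    flush()
    return entries


def alias_targets(entries: Dict[str, Dict[str, List[str]]]) -> Dict[str, str]:
    """Map each alias entry DN to the normalized DN it points at."""
    targets: Dict[str, str] = {}
    for dn, attrs in entries.items():
        classes = {c.lower() for c in attrs.get("objectclass", [])}
        if "alias" in classes and attrs.get("aliasedobjectname"):
            targets[dn] = normalize_dn(attrs["aliasedobjectname"][0])
    return targets


def find_alias_loops(targets: Dict[str, str]) -> List[List[str]]:
    """Follow every alias chain; a chain that revisits a DN on its own path is a loop.
    Each loop is reported once, as the list of alias DNs forming the cycle."""
    loops: List[List[str]] = []
    reported = set()
    for start in targets:
        path: List[str] = []
        node = start
        while node in targets and node not in path:
            path.append(node)
            node = targets[node]
        if node in path:
            cycle = path[path.index(node):]
            key = frozenset(cycle)
            if key not in reported:
                reported.add(key)
                loops.append(cycle)
    return loops


def audit_aliases(text: str) -> Dict[str, list]:
    """Return alias loops and aliases whose target entry is absent from the export."""
    entries = parse_ldif(text)
    targets = alias_targets(entries)
    dangling = sorted(dn for dn, tgt in targets.items() if tgt not in entries)
    return {"loops": find_alias_loops(targets), "dangling": dangling}


# Constructed sample export: two aliases referencing each other (a loop),
# one healthy alias and one alias whose target does not exist.
SAMPLE_LDIF = """\
dn: dc=example,dc=com
objectClass: top
objectClass: domain
dc: example

dn: ou=people,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: people

dn: cn=alice,ou=people,dc=example,dc=com
objectClass: top
objectClass: person
cn: alice
sn: Liddell

dn: cn=loop-a,ou=people,dc=example,dc=com
objectClass: top
objectClass: alias
objectClass: extensibleObject
cn: loop-a
aliasedObjectName: cn=loop-b,ou=people,dc=example,dc=com

dn: cn=loop-b,ou=people,dc=example,dc=com
objectClass: top
objectClass: alias
objectClass: extensibleObject
cn: loop-b
aliasedObjectName: cn=loop-a,ou=people,dc=example,dc=com

dn: cn=alice-alias,ou=people,dc=example,dc=com
objectClass: top
objectClass: alias
objectClass: extensibleObject
cn: alice-alias
aliasedObjectName: cn=alice,ou=people,dc=example,dc=com

dn: cn=stale-alias,ou=people,dc=example,dc=com
objectClass: top
objectClass: alias
objectClass: extensibleObject
cn: stale-alias
aliasedObjectName: cn=bob,ou=people,dc=example,dc=com
"""

if __name__ == "__main__":
    report = audit_aliases(SAMPLE_LDIF)
    for cycle in report["loops"]:
        print("alias loop:", " -> ".join(cycle + [cycle[0]]))
    for dn in report["dangling"]:
        print("dangling alias:", dn)
```

Run it against an export of the affected backend and treat any reported loop as a blocker: the entries in the cycle should be corrected or deleted before clients are permitted to search with dereferencing set to always, and the audit can be repeated after the upgrade as a regression check on the data.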
