389 Directory Server Unbounded Memory Growth Vulnerability in Content Synchronization Plugin Allowing Denial-of-Service

Vulnerability

A denial-of-service vulnerability has been identified in Red Hat Directory Server 11, 12 and 13 and in the 389-ds-base package of Red Hat Enterprise Linux 7, 8 and 9, all of which are built on 389 Directory Server. The flaw is in the Content Synchronization plugin (cn=Content Synchronization,cn=plugins,cn=config), which implements the RFC 4533 sync-repl persistent search. When an authenticated client issues such a search and then stops reading the synchronization responses, the plugin keeps appending every subsequent directory change to that client's response queue with no upper bound, so a single stalled client can drive the ns-slapd process to memory exhaustion and a crash. The plugin has to be enabled for this path to be reachable; a deployment that has it disabled is not exposed to the queue growth, so check nsslapd-pluginEnabled on that entry before prioritising. Separately, race conditions in the lifecycle of the plugin's per-search threads can crash the server during connection teardown or at shutdown.
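The failure mode described above, as an added model rather than code from 389 Directory Server: a per-client response queue fed by the directory's change stream, once with no bound (the vulnerable shape) and once with a backlog cap plus stall detection (the shape a code-level fix needs). The client, the change stream, the 4 KiB entry size and the function names are constructed for the illustration and are not taken from the advisory or the plugin.

```python
"""
Added example, not code from 389 Directory Server: a model of a persistent
search response path, constructed to show how a client that stops reading
turns an unbounded per-client queue into memory exhaustion, and how a
bounded queue plus stall detection converts the same stall into a
disconnect. StalledClient, run_unbounded, run_bounded and ENTRY_BYTES are
assumptions for illustration.
"""
from collections import deque

ENTRY_BYTES = 4096  # assumed size of one queued change notification


class StalledClient:
    """Constructed client: drains `reads` responses, then stops reading.

    Once reads reaches zero, recv() returns False, standing in for a write
    that would block because the peer never empties its socket buffer.
    """

    def __init__(self, reads):
        self.reads = reads
        self.received = 0

    def recv(self, msg):
        if self.reads == 0:
            return False
        self.reads -= 1
        self.received += 1
        return True


def constructed_changes(n):
    """Constructed stream of n directory modifications to notify a client about."""
    return [f"cn=user{i},ou=people,dc=example,dc=com" for i in range(1, n + 1)]


def flush(queue, client):
    """Write queued responses until the client stops accepting them.

    Returns True if at least one response was delivered on this pass.
    """
    delivered = False
    while queue and client.recv(queue[0]):
        queue.popleft()
        delivered = True
    return delivered


def run_unbounded(client, changes):
    """Vulnerable shape: every change is appended for the client and nothing
    ever bounds the backlog, so a stalled client makes the queue grow at the
    directory's write rate for as long as the connection lives."""
    queue = deque()
    for change in changes:
        queue.append(change)
        flush(queue, client)
    return {
        "connected": True,
        "queued": len(queue),
        "backlog_bytes": len(queue) * ENTRY_BYTES,
    }


def run_bounded(client, changes, max_pending=64, max_stalled_events=256):
    """Hardened shape: the backlog is capped, and a client that has made no
    progress across too many events is disconnected and its queue freed."""
    queue = deque()
    stalled_events = 0
    for seq, change in enumerate(changes, start=1):
        queue.append(change)
        stalled_events = 0 if flush(queue, client) else stalled_events + 1
        if len(queue) > max_pending or stalled_events > max_stalled_events:
            queue.clear()  # the backlog goes away with the connection
            return {"connected": False, "queued": 0, "backlog_bytes": 0, "dropped_at": seq}
    return {
        "connected": True,
        "queued": len(queue),
        "backlog_bytes": len(queue) * ENTRY_BYTES,
        "dropped_at": None,
    }


if __name__ == "__main__":
    changes = constructed_changes(10_000)
    print("unbounded:", run_unbounded(StalledClient(reads=5), changes))
    print("bounded:  ", run_bounded(StalledClient(reads=5), changes))
```

With a client that reads five responses and then stalls, the unbounded run ends holding 9,995 entries (about 40 MB at the assumed entry size) and the connection still open, while the bounded run drops the client at the 70th change, when the backlog first exceeds 64 pending responses, and frees the queue. A client that keeps reading is never disconnected by either version.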

Impact

According to Red Hat, exploitation results in unbounded memory consumption, memory exhaustion and a server crash: an availability impact only, with no confidentiality or integrity impact described. The thread-lifecycle races add two further crash conditions. During connection teardown the plugin can race with the connection being freed and dereference a dangling pointer. At shutdown, on architectures with a weak memory model (aarch64 or ppc64le, for example), a thread can observe stale state because the teardown ordering is not properly synchronized, a defect that the stronger ordering of x86-64 usually masks. Both races occur during ordinary connection close and shutdown, so they do not depend on a client deliberately stalling.

Remediation

Until a fixed 389-ds-base package is installed, the queue growth can be contained but not removed. Note that in the upstream plugin source SYNC_MAX_CONCURRENT is a compile-time constant (default 10) that caps how many sync persistent searches the plugin serves at once, not a cn=config attribute; lowering it therefore means rebuilding the package, and it limits how many clients can each hold a growing queue rather than how large any one queue can get. In addition: rate-limit persistent sync search requests at the network layer; monitor client connections and terminate those that have stopped making progress for an extended period (nsslapd-ioblocktimeout on cn=config is the server's own stalled-I/O timer and should be confirmed to be enabled, although the advisory does not say whether it fires before the backlog becomes dangerous); and put a system-level memory limit on the ns-slapd process so that exhaustion takes down the directory instance, which can be restarted, rather than the host. The thread-lifecycle race conditions have no configuration workaround; they require the code-level fix, so the vendor update is the only complete remediation.
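The operational mitigations above as shell an administrator would run on the directory host, added here as an example and not taken from the advisory or the 389-ds project. It assumes the instance runs as the systemd unit dirsrv@<instance>.service, that its LDAPI socket is /run/slapd-<instance>.socket and root can bind to it with SASL/EXTERNAL, and that nsslapd-ioblocktimeout (milliseconds) is the cn=config timer after which a client making no I/O progress is disconnected; none of those details come from the advisory.

```bash
#!/usr/bin/env bash
# Added example, not from the advisory or the 389-ds project.
# Assumptions (none stated by the advisory):
#   - the instance is the systemd unit dirsrv@<instance>.service
#   - its LDAPI socket is /run/slapd-<instance>.socket and root may bind
#     to it with SASL/EXTERNAL
#   - nsslapd-ioblocktimeout (ms) is the server-side timer after which a
#     client that makes no I/O progress is disconnected; the advisory does
#     not say whether it fires before the plugin's backlog is dangerous,
#     so treat it as a bound on stalled clients, not as the fix
set -eu

# LDIF that sets the stalled-client I/O timer on cn=config.
stall_timeout_ldif() {
  local ioblock_ms=$1
  cat <<EOF
dn: cn=config
changetype: modify
replace: nsslapd-ioblocktimeout
nsslapd-ioblocktimeout: ${ioblock_ms}
EOF
}

# systemd drop-in that caps the ns-slapd cgroup so exhaustion kills the
# instance (which Restart= brings back) instead of starving the host.
# MemoryMax= needs systemd 231 or later; on RHEL 7 (systemd 219, cgroup v1)
# use MemoryLimit= instead.
memory_dropin() {
  local mem_max=$1
  cat <<EOF
[Service]
MemoryMax=${mem_max}
Restart=on-failure
EOF
}

# Apply both to a running instance; requires root and the assumptions above.
apply_mitigations() {
  local instance=$1 mem_max=$2 ioblock_ms=$3
  local dropin_dir="/etc/systemd/system/dirsrv@${instance}.service.d"
  mkdir -p "${dropin_dir}"
  memory_dropin "${mem_max}" > "${dropin_dir}/memory.conf"
  systemctl daemon-reload
  systemctl restart "dirsrv@${instance}.service"
  stall_timeout_ldif "${ioblock_ms}" \
    | ldapmodify -Q -Y EXTERNAL -H "ldapi://%2Frun%2Fslapd-${instance}.socket"
}

# Usage:  sudo ./mitigate.sh --apply <instance> 4G 10000
if [ "${1:-}" = "--apply" ]; then
  apply_mitigations "$2" "$3" "$4"
fi
```

The memory cap does not prevent the attack; it turns an exhausted host into a restarted instance, which is the containment the advisory's "system-level memory limits" buys. Sizing it requires knowing the instance's normal resident set (database cache plus entry cache), or the cap will kill a healthy server.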

Added: Jun 8, 2026, 6:15 PM
Updated: Jun 8, 2026, 6:15 PM

Vulnerability Rating

Custom Algorithm

spread: 2.6
impact: 2.5
exploitability: 4.9
remediation: 8.3
relevance: 9.4
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.