PT-2011-1103 · Openldap+1

Vincent Danen · Published 2011-03-10 · Updated 2017-01-07 · CVE-2011-1025

CVSS v2.0: 6.8 (Medium)
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions

OpenLDAP versions prior to 2.4.24
OpenLDAP version 2.4.19
OpenLDAP version 2.4.35 and earlier
Description

The issue affects the confidentiality, integrity, and availability of protected information. The vulnerability can be exploited remotely. In OpenLDAP 2.4.x before 2.4.24, bind.cpp in back-ndb does not require authentication for the root Distinguished Name (DN), which allows remote attackers to bypass intended access restrictions by supplying an arbitrary password.
Recommendations

For OpenLDAP versions prior to 2.4.24, update to version 2.4.24 or later. For OpenLDAP version 2.4.19, update to a version later than 2.4.19. For OpenLDAP version 2.4.35 and earlier, update to a version later than 2.4.35. As a temporary workaround, consider restricting access to the back-ndb module until a patch is available.

Weakness Enumeration

Improper Certificate Validation
Improper Authentication

Related Identifiers

BDU:2015-06163
BDU:2015-06459
BDU:2015-06460
BDU:2015-06461
BDU:2015-06462
BDU:2015-06463
BDU:2015-06464
BDU:2015-09683
CVE-2011-1025
RHSA-2011:0347
RHSA-2011_0347

Affected Products

Openldap
Red Hat