CVE-2008-3274: Infoleak
First published: Mon Aug 04 2008(Updated: )
IPA contains a flaw in where installations of freipa/RHEIPA exposed the Master Kerberos Password through anonymous queries. The Master Kerberos Password is used to encrypt keys, however this flaw does not lead to individual keys being exposed. By itself this flaw has limited scope, but could be combined with a different flaw which could reveal user credentials.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Red Hat Enterprise IPA | =1.0.0 | |
| Red Hat FreeIPA | <=1.1.0 | |
| Red Hat FreeIPA | =0.99 | |
| Red Hat FreeIPA | =1.0.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://www.freeipa.org/page/News
- http://www.securityfocus.com/bid/31111
- https://bugzilla.redhat.com/show_bug.cgi?id=457835
- http://rhn.redhat.com/errata/RHSA-2008-0860.html
- http://www.freeipa.org/page/Downloads
- http://www.freeipa.org/page/CVE-2008-3274
- http://secunia.com/advisories/31861
- https://www.redhat.com/archives/fedora-package-announce/2008-September/msg00733.html
- https://www.redhat.com/archives/fedora-package-announce/2008-September/msg00743.html
- http://www.securitytracker.com/id?1020850
- http://git.fedorahosted.org/git/freeipa.git/?p=freeipa.git%3Ba=commit%3Bh=9932887f2af38b9701efec27707648c026ec445c
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=314591&action=diff
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=314591&action=edit
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=314592&action=diff
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=314592&action=edit
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=314593&action=diff
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=314593&action=edit
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=314594&action=diff
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=314594&action=edit
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=314983&action=diff
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=314983&action=edit
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=314984&action=diff
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=314984&action=edit
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=314985&action=diff
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=314985&action=edit
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=314986&action=diff
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=314986&action=edit
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=314987&action=diff
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=314987&action=edit
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=314988&action=diff
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=314988&action=edit
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=314989&action=diff
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=314989&action=edit
- https://admin.fedoraproject.org/updates/F8/FEDORA-2008-7987
- https://admin.fedoraproject.org/updates/F9/FEDORA-2008-8003
Frequently Asked Questions
What is the severity of CVE-2008-3274?
CVE-2008-3274 is considered to have a low severity impact due to its limited scope of exposing the Master Kerberos Password without revealing individual keys.
How do I fix CVE-2008-3274?
To mitigate CVE-2008-3274, you should upgrade to a patched version of FreeIPA or Red Hat Enterprise IPA that addresses this vulnerability.
What type of applications are affected by CVE-2008-3274?
CVE-2008-3274 affects versions of Red Hat FreeIPA and Red Hat Enterprise IPA up to 1.1.0 or 1.0.0 respectively.
Does CVE-2008-3274 expose individual keys?
No, CVE-2008-3274 does not lead to the exposure of individual keys, only the Master Kerberos Password.
What is the consequence of not addressing CVE-2008-3274?
Failing to address CVE-2008-3274 leaves the Master Kerberos Password exposed to anonymous queries, which could pose a security risk.
- agent/type
- agent/first-publish-date
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/references
- agent/remedy
- agent/author
- agent/weakness
- agent/last-modified-date
- agent/event
- agent/description
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2008-3274
- agent/trending
- agent/source
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- collector/nvd-historical
- vendor/redhat
- canonical/red hat enterprise ipa
- version/red hat enterprise ipa/1.0.0
- canonical/red hat freeipa
- version/red hat freeipa/1.1.0
- version/red hat freeipa/0.99
- version/red hat freeipa/1.0.0