CVE-2019-13565
First published: Fri Jul 26 2019(Updated: )
An issue was discovered in OpenLDAP 2.x before 2.4.48. When using SASL authentication and session encryption, and relying on the SASL security layers in slapd access controls, it is possible to obtain access that would otherwise be denied via a simple bind for any identity covered in those ACLs. After the first SASL bind is completed, the sasl_ssf value is retained for all new non-SASL connections. Depending on the ACL configuration, this can affect different types of operations (searches, modifications, etc.). In other words, a successful authorization step completed by one user affects the authorization requirement for a different user.
Credit: cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Apple macOS Catalina | <10.15.2 | 10.15.2 |
| Apple Mojave | ||
| Apple High Sierra | ||
| ubuntu/openldap | <2.4.45+dfsg-1ubuntu1.3 | 2.4.45+dfsg-1ubuntu1.3 |
| ubuntu/openldap | <2.4.47+dfsg-3ubuntu2.1 | 2.4.47+dfsg-3ubuntu2.1 |
| ubuntu/openldap | <2.4.31-1+ | 2.4.31-1+ |
| ubuntu/openldap | <2.4.48+dfsg-1 | 2.4.48+dfsg-1 |
| ubuntu/openldap | <2.4.42+dfsg-2ubuntu3.6 | 2.4.42+dfsg-2ubuntu3.6 |
| debian/openldap | 2.4.47+dfsg-3+deb10u7 2.4.57+dfsg-3+deb11u1 2.5.13+dfsg-5 | |
| Openldap Openldap | >=2.0<=2.4.47 | |
| Canonical Ubuntu Linux | =12.04 | |
| Canonical Ubuntu Linux | =14.04 | |
| Canonical Ubuntu Linux | =16.04 | |
| Canonical Ubuntu Linux | =18.04 | |
| Canonical Ubuntu Linux | =19.04 | |
| Debian Debian Linux | =8.0 | |
| openSUSE Leap | =15.0 | |
| openSUSE Leap | =15.1 | |
| F5 Traffix Signaling Delivery Controller | =5.0.0 | |
| F5 Traffix Signaling Delivery Controller | =5.1.0 | |
| Apple Mac OS X | >=10.13<10.13.6 | |
| Apple Mac OS X | >=10.14<10.14.6 | |
| Apple Mac OS X | >=10.15<10.15.2 | |
| Apple Mac OS X | =10.13.6 | |
| Apple Mac OS X | =10.13.6 | |
| Apple Mac OS X | =10.13.6-security_update_2018-002 | |
| Apple Mac OS X | =10.13.6-security_update_2018-003 | |
| Apple Mac OS X | =10.13.6-security_update_2019-001 | |
| Apple Mac OS X | =10.13.6-security_update_2019-002 | |
| Apple Mac OS X | =10.13.6-security_update_2019-003 | |
| Apple Mac OS X | =10.13.6-security_update_2019-004 | |
| Apple Mac OS X | =10.13.6-security_update_2019-005 | |
| Apple Mac OS X | =10.13.6-security_update_2019-006 | |
| Apple Mac OS X | =10.14.6 | |
| Apple Mac OS X | =10.14.6-security_update_2019-001 | |
| Oracle Blockchain Platform | <21.1.2 | |
| Oracle ZFS Storage Appliance Kit | =8.8 | |
| Oracle Solaris | =11 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://support.apple.com/en-us/HT210788 (Advisory)
- https://www.openldap.org/lists/openldap-announce/201907/msg00001.html
- https://www.openldap.org/its/index.cgi/?findid=9052
- https://usn.ubuntu.com/4078-1/
- https://lists.debian.org/debian-lts-announce/2019/08/msg00024.html
- https://usn.ubuntu.com/4078-2/
- http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00053.html
- http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00058.html
- https://support.f5.com/csp/article/K98008862?utm_source=f5support&amp;utm_medium=RSS
- https://support.apple.com/kb/HT210788
- https://seclists.org/bugtraq/2019/Dec/23
- http://seclists.org/fulldisclosure/2019/Dec/26
- https://www.oracle.com/security-alerts/cpuapr2020.html
- https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0@%3Cissues.bookkeeper.apache.org%3E
- https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4@%3Cissues.bookkeeper.apache.org%3E
- https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b@%3Cissues.bookkeeper.apache.org%3E
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://launchpad.net/bugs/cve/CVE-2019-13565
- https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0%40%3Cissues.bookkeeper.apache.org%3E
- https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b%40%3Cissues.bookkeeper.apache.org%3E
- https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4%40%3Cissues.bookkeeper.apache.org%3E
- https://support.f5.com/csp/article/K98008862?utm_source=f5support&%3Butm_medium=RSS
- https://support.f5.com/csp/article/K98008862?utm_source=f5support&utm_medium=RSS
- https://openldap.org/its/?findid=9052
- https://security-tracker.debian.org/tracker/CVE-2019-13565
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13565
- https://ubuntu.com/security/notices/USN-4078-1
- https://ubuntu.com/security/notices/USN-4078-2
- https://nvd.nist.gov/vuln/detail/CVE-2019-13565
- http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=commit;h=744a46a1acb93798f4e027290191d6a11dd4c18c
- https://ubuntu.com/security/CVE-2019-13565
Peer vulnerabilities
(Found alongside the following vulnerabilities)
- CVE-2019-8837
- CVE-2019-8853
- CVE-2019-8856
- CVE-2019-8848
- CVE-2019-8834
- CVE-2019-8842
- CVE-2019-8839
- CVE-2019-8830
- CVE-2019-8851
- CVE-2019-8833
- CVE-2019-8828
- CVE-2019-8838
- CVE-2019-8847
- CVE-2019-8852
- CVE-2019-15903
- CVE-2020-9782
- CVE-2012-1164
- CVE-2012-2668
- CVE-2013-4449
- CVE-2015-1545
- CVE-2019-13057
- CVE-2019-13565
- CVE-2019-8832
- CVE-2017-16808
- CVE-2018-10103
- CVE-2018-10105
- CVE-2018-14461
- CVE-2018-14462
- CVE-2018-14463
- CVE-2018-14464
- CVE-2018-14465
- CVE-2018-14466
- CVE-2018-14467
- CVE-2018-14468
- CVE-2018-14469
- CVE-2018-14470
- CVE-2018-14879
- CVE-2018-14880
- CVE-2018-14881
- CVE-2018-14882
- CVE-2018-16227
- CVE-2018-16228
- CVE-2018-16229
- CVE-2018-16230
- CVE-2018-16300
- CVE-2018-16301
- CVE-2018-16451
- CVE-2018-16452
- CVE-2019-15166
- CVE-2019-15167
- CVE-2019-15126
Frequently Asked Questions
What is CVE-2019-13565?
CVE-2019-13565 is a vulnerability in OpenLDAP that has been addressed in version 2.4.28.
How does CVE-2019-13565 affect macOS Catalina?
macOS Catalina version 10.15.2 is affected by CVE-2019-13565, and it is recommended to update to OpenLDAP version 2.4.28 to mitigate this vulnerability.
Is Apple Mojave affected by CVE-2019-13565?
No, Apple Mojave is not affected by CVE-2019-13565.
Is Apple High Sierra affected by CVE-2019-13565?
No, Apple High Sierra is not affected by CVE-2019-13565.
How can I fix CVE-2019-13565 on macOS Catalina?
To fix CVE-2019-13565 on macOS Catalina, update to OpenLDAP version 2.4.28.
Where can I find more information about CVE-2019-13565?
You can find more information about CVE-2019-13565 at the following reference: https://support.apple.com/en-us/HT210788
- agent/type
- agent/first-publish-date
- agent/last-modified-date
- collector/launchpad-cve
- source/Launchpad
- agent/author
- collector/apple-support
- alias/CVE-2012-2668
- alias/CVE-2013-4449
- alias/CVE-2015-1545
- alias/CVE-2019-13057
- alias/CVE-2019-13565
- agent/software-canonical-lookup-request
- collector/usn-cve
- source/Ubuntu
- agent/software-canonical-lookup
- agent/references
- agent/remedy
- agent/severity
- agent/description
- agent/softwarecombine
- collector/security-tracker-debian
- source/Debian
- agent/tags
- agent/event
- collector/nvd-cve
- source/NVD
- collector/nvd-index
- vendor/apple
- canonical/apple macos catalina
- canonical/apple mojave
- canonical/apple high sierra
- package-manager/ubuntu
- package-manager/debian
- vendor/openldap
- canonical/openldap openldap
- version/openldap openldap/2.0
- version/openldap openldap/2.4.47
- vendor/canonical
- canonical/canonical ubuntu linux
- version/canonical ubuntu linux/12.04
- version/canonical ubuntu linux/14.04
- version/canonical ubuntu linux/16.04
- version/canonical ubuntu linux/18.04
- version/canonical ubuntu linux/19.04
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/8.0
- vendor/opensuse
- canonical/opensuse leap
- version/opensuse leap/15.0
- version/opensuse leap/15.1
- vendor/f5
- canonical/f5 traffix signaling delivery controller
- version/f5 traffix signaling delivery controller/5.0.0
- version/f5 traffix signaling delivery controller/5.1.0
- canonical/apple mac os x
- version/apple mac os x/10.13
- version/apple mac os x/10.14
- version/apple mac os x/10.15
- version/apple mac os x/10.13.6
- version/apple mac os x/10.13.6-security_update_2018-002
- version/apple mac os x/10.13.6-security_update_2018-003
- version/apple mac os x/10.13.6-security_update_2019-001
- version/apple mac os x/10.13.6-security_update_2019-002
- version/apple mac os x/10.13.6-security_update_2019-003
- version/apple mac os x/10.13.6-security_update_2019-004
- version/apple mac os x/10.13.6-security_update_2019-005
- version/apple mac os x/10.13.6-security_update_2019-006
- version/apple mac os x/10.14.6
- version/apple mac os x/10.14.6-security_update_2019-001
- vendor/oracle
- canonical/oracle blockchain platform
- canonical/oracle zfs storage appliance kit
- version/oracle zfs storage appliance kit/8.8
- canonical/oracle solaris
- version/oracle solaris/11