Bugtraq mailing list archives

RE: CERT Advisory CA-2001-18, Critical Path directory products are vulnerable


From: "Ogle Ron (Rennes)" <OgleR () thmulti com>
Date: Tue, 31 Jul 2001 21:41:06 +0200

-----Original Message-----
From: aleph1 () securityfocus com [mailto:aleph1 () securityfocus com]
Sent: Tuesday, July 17, 2001 4:55 PM
To: bugtraq () securityfocus com
Subject: CERT Advisory CA-2001-18


-----BEGIN PGP SIGNED MESSAGE-----

CERT Advisory CA-2001-18 Multiple Vulnerabilities in Several
Implementations of the Lightweight Directory Access Protocol (LDAP)

   Original release date: July 16, 2001
   Last revised: --
   Source: CERT/CC

   A complete revision history can be found at the end of this file.

Systems Affected

We've just got confirmation that Critical Path's line of LDAP directories
(http://www.cp.net/) are susceptible to the LDAP vulnerabilities in this
CERT announcement.  I am sending out this email to make sure that all
ICL/Peerlogic i500 and InJoin/ GDS administrators are made aware of the
vulnerabilities.  Critical Path has not publicly announced this
vulnerability yet, but I'm sure that hackers/crackers already know.  I am
disappointed in Critical Path for not even testing for these vulnerabilities
until pressure was put on them through resellers and for not publicly
announcing it so that administrators are made aware.

If you are an administrator of one of these products, please contact
Critical Path or your reseller to pressure Critical Path on providing the
patches quickly.  Also, if you have a publicly accessible LDAP server
from Critical Path, I'd block it from the Internet until patches are
installed.

Ron Ogle
(These are my own opinions and not of my company.)

