The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a vigilance database and tools to fix them.

Vulnerability of OpenSLP: buffer overflow

Synthesis of the vulnerability

An attacker can trigger a buffer overflow of OpenSLP, in order to trigger a denial of service, and possibly to run code.
Impacted products: Debian, Fedora, RHEL, ESXi, VMware vSphere Hypervisor.
Severity of this bulletin: 3/4.
Creation date: 06/12/2019.
References of this threat: CERTFR-2019-AVI-610, CVE-2019-5544, DLA-2025-1, FEDORA-2019-1e5ae33e87, FEDORA-2019-86bceb61b3, RHSA-2019:4240-01, RHSA-2020:0199-01, VIGILANCE-VUL-31083, VMSA-2019-0022.

Description of the vulnerability

The OpenSLP product offers a web service.

However, if the size of the received data is greater than the size of the storage array, an overflow occurs.

An attacker can therefore trigger a buffer overflow of OpenSLP, in order to trigger a denial of service, and possibly to run code.
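The pattern the description refers to (a length taken from the input that is trusted when copying into a fixed-size storage array), shown as an added C example beside the checked form. This is constructed for illustration and is not OpenSLP code nor the code path of CVE-2019-5544; the two-byte length-prefixed message format, the `FIELD_MAX` capacity and the sample messages are assumptions of the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FIELD_MAX 32  /* capacity of the fixed storage array (assumed) */

enum parse_result { PARSE_OK = 0, PARSE_TRUNCATED = -1, PARSE_TOO_LONG = -2 };

typedef struct {
    size_t len;
    char data[FIELD_MAX];   /* the storage array the bulletin mentions */
} field_t;

/* Constructed wire format: [len: 2 bytes big-endian][len bytes of payload]. */
static size_t read_be16(const uint8_t *p)
{
    return ((size_t)p[0] << 8) | p[1];
}

/* Vulnerable pattern: the length prefix is trusted and copied into the
 * fixed array. When len > FIELD_MAX, memcpy writes past out->data, which is
 * the overflow described above. Kept only for contrast; use the checked
 * parser below. */
static int parse_field_unchecked(const uint8_t *msg, size_t msg_len, field_t *out)
{
    if (msg_len < 2)
        return PARSE_TRUNCATED;
    size_t len = read_be16(msg);
    if (msg_len - 2 < len)
        return PARSE_TRUNCATED;
    memcpy(out->data, msg + 2, len);    /* no check of len against FIELD_MAX */
    out->len = len;
    return PARSE_OK;
}

/* Hardened pattern: validate the claimed length against the capacity of the
 * storage array and against the bytes actually received before copying. */
static int parse_field_checked(const uint8_t *msg, size_t msg_len, field_t *out)
{
    if (msg_len < 2)
        return PARSE_TRUNCATED;
    size_t len = read_be16(msg);
    if (len > FIELD_MAX)
        return PARSE_TOO_LONG;          /* the missing bound check */
    if (msg_len - 2 < len)
        return PARSE_TRUNCATED;
    memcpy(out->data, msg + 2, len);
    out->len = len;
    return PARSE_OK;
}

/* Constructed sample messages. */
static const uint8_t sample_ok[] = { 0x00, 0x05, 'h', 'e', 'l', 'l', 'o' };

/* Claims 40 bytes (> FIELD_MAX) and actually carries 40 bytes of filler. */
static uint8_t sample_oversize[2 + 40];

static const uint8_t *build_oversize(void)
{
    sample_oversize[0] = 0x00;
    sample_oversize[1] = 40;
    memset(sample_oversize + 2, 'A', 40);
    return sample_oversize;
}

int main(void)
{
    field_t f;
    int r = parse_field_checked(sample_ok, sizeof sample_ok, &f);
    printf("well-formed message: result %d, len %zu\n", r, f.len);
    build_oversize();
    r = parse_field_checked(sample_oversize, sizeof sample_oversize, &f);
    printf("oversize message: result %d (rejected before copying)\n", r);
    return 0;
}
```

The checked parser rejects the oversize message before any byte is copied; the unchecked one would accept it and write 8 bytes past `out->data`. Building with AddressSanitizer (`-fsanitize=address`) turns that out-of-bounds write into an immediate abort, which is the denial-of-service symptom the bulletin describes and a convenient way to confirm a fix in a test harness.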
Full bulletin, software filtering, emails, fixes, ... (Request your free trial)

This vulnerability announcement impacts software or systems such as Debian, Fedora, RHEL, ESXi, VMware vSphere Hypervisor.

Our Vigil@nce team determined that the severity of this cybersecurity threat is important.

The trust level is: confirmed by the editor; the attack origin is: intranet client.

An attacker with an expert ability can exploit this computer threat bulletin.

Solutions for this threat

Debian 8: new openslp-dfsg packages.
New packages are available:
  Debian 8: openslp-dfsg 1.2.1-10+deb8u2

Fedora: new openslp packages.
New packages are available:
  Fedora 30: openslp 2.0.0-22.fc30
  Fedora 31: openslp 2.0.0-23.fc31

RHEL 6.10: new openslp packages.
New packages are available:
  RHEL 6.10: openslp 2.0.0-4.el6_10

RHEL 7.7: new openslp packages.
New packages are available:
  RHEL 7.7: openslp 2.0.0-8.el7_7

VMware ESXi: patch for OpenSLP.
A patch is indicated in information sources.

Computer vulnerabilities tracking service

Vigil@nce provides computer security bulletins. The Vigil@nce vulnerability database contains several thousand vulnerabilities.