KB-49634: Does CVE-2021-27212 affect Centrify?

Authentication Service

3 March 2021 at 04:35 PM

Description:
In OpenLDAP through 2.4.57 and 2.5.x through 2.5.1alpha, an assertion failure in slapd can occur in the issuerAndThisUpdateCheck function via a crafted packet, resulting in a denial of service (daemon exit) via a short timestamp. This is related to schema_init.c and checkTime.

Reference link:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-27212
 
Question:
Has Centrify been affected by the above vulnerability?  And when will Centrify be releasing a fix for this?

Answer:
The Centrify DirectControl agent (a.k.a. adclient) is not affected, but CentrifyDC-ldapproxy (slapd) is impacted.

Although the CVSS v3 score of 7.5 is relatively high, largely because the attack has low complexity, the impact does NOT include any privilege escalation, information disclosure or tampering; the only effect is that slapd crashes. CentrifyDC-ldapproxy is normally not exposed to external networks, as its main use case is to support the various filers. A slapd crash caused by this vulnerability would therefore mean that someone on the internal network attempted a denial of service. Our recommendation is that customers monitor systems for slapd crashes and investigate any that occur.

We will upgrade CentrifyDC-ldapproxy (slapd) to OpenLDAP 2.4.57 with the patch in our upcoming Release 2021 / version 5.8.0, tentatively targeted for July 2021.
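As an added example of the monitoring recommended above (not part of the KB article or of Centrify's tooling), the script below scans syslog-style lines for slapd assertion-failure crashes and pairs each one with the last client connection accepted by that slapd process, which gives an investigator a starting point. The log lines, host name, PIDs, service name and IP addresses are constructed samples; the assertion line imitates glibc's message format, and the real assertion text and line number are not given on this page.

```python
import re
from collections import Counter

# Constructed sample syslog lines (not taken from any real system).
SAMPLE_LOG = """\
Mar  3 16:30:01 proxy01 slapd[2134]: conn=1042 fd=14 ACCEPT from IP=10.0.5.17:51322 (IP=0.0.0.0:389)
Mar  3 16:30:02 proxy01 slapd[2134]: slapd: schema_init.c:NNNN: checkTime: Assertion `...' failed.
Mar  3 16:30:02 proxy01 systemd[1]: ldapproxy.service: Main process exited, code=killed, status=6/ABRT
Mar  3 16:30:03 proxy01 systemd[1]: ldapproxy.service: Scheduled restart job, restart counter is at 1.
Mar  3 16:31:10 proxy01 slapd[2201]: conn=1043 fd=12 ACCEPT from IP=10.0.5.17:51340 (IP=0.0.0.0:389)
Mar  3 16:31:11 proxy01 slapd[2201]: slapd: schema_init.c:NNNN: checkTime: Assertion `...' failed.
Mar  3 16:31:11 proxy01 systemd[1]: ldapproxy.service: Main process exited, code=killed, status=6/ABRT
"""

# Syslog prefix: "Mon DD HH:MM:SS host slapd[pid]: ..."
ACCEPT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]+) \S+ slapd\[(?P<pid>\d+)\]: "
    r"conn=\d+ fd=\d+ ACCEPT from IP=(?P<ip>[\d.]+):\d+")
ASSERT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]+) \S+ slapd\[(?P<pid>\d+)\]: .*Assertion .* failed")


def find_slapd_crashes(log_text):
    """Return one record per slapd assertion failure, annotated with the most
    recent ACCEPT seen on the same slapd PID. That client is a lead for the
    investigation, not proof: slapd serves many connections concurrently."""
    last_accept = {}  # pid -> (timestamp, client ip) of the latest ACCEPT
    crashes = []
    for line in log_text.splitlines():
        m = ACCEPT_RE.match(line)
        if m:
            last_accept[m["pid"]] = (m["ts"], m["ip"])
            continue
        m = ASSERT_RE.match(line)
        if m:
            acc_ts, acc_ip = last_accept.get(m["pid"], (None, None))
            crashes.append({"time": m["ts"], "pid": m["pid"],
                            "last_accept_ip": acc_ip, "last_accept_time": acc_ts,
                            "detail": line.split(": ", 1)[1]})
    return crashes


def repeated_crash_sources(crashes, min_count=2):
    """Client addresses that preceded at least min_count crashes; repeated
    crashes tied to one source are the pattern worth escalating."""
    counts = Counter(c["last_accept_ip"] for c in crashes if c["last_accept_ip"])
    return {ip: n for ip, n in counts.items() if n >= min_count}


if __name__ == "__main__":
    found = find_slapd_crashes(SAMPLE_LOG)
    for c in found:
        print(f"{c['time']} slapd[{c['pid']}] crashed; last ACCEPT from {c['last_accept_ip']}")
    print("repeated sources:", repeated_crash_sources(found))
```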