Re: OpenLDAP 2.4.45 possible denial of service vulnerability?

[Quanah Gibson-Mount <quanah@symas.com>]

--On Wednesday, January 30, 2019 9:43 AM +0000 
Juergen.Sprenger@swisscom.com wrote:

> Hi,
>
> After upgrading to the latest Release (Solaris 11.3 SRU35, OpenLDAP
> 2.4.45) we are experiencing massive workloads caused by single clients
> consuming all available threads and CPU-resources.

Solaris 11.4 is out (just to note).  And the latest OpenLDAP release is 
2.4.47 (just to note).

> tool-threads 8

A tool-threads setting > 2 is ignored with back-mdb.

> maxreaders      4096

This is an extremely large value (default is 126).  Are you sure you need 
this bumped so high?

> searchstack     64

Similarly here.

> So far we experienced this behavior with clients of Oracle Enterprise
> Linux 6.x, Redhat Enterprise Linux 6.x and AIX. Service requests are
> opened at vendors support, but I'd prefer to have an installation which
> is less vulnerable and more resilient to issues of this kind.

I'd estimate that your ability to get a useful response from either is near 
zero.  If you have an enterprise operation that needs support for OpenLDAP 
you may want to look at Symas' enterprise OpenLDAP builds (Symas Gold).  We 
provide builds and support for Solaris 11.

> To avoid performance issues loglevel is now "none stats sync" but can be
> changed for some time to track down the cause.

You could just do "stats sync", not really a reason to leave "none" in the 
list.

Generally if you hit an issue such as this, you would want to provde a full 
backtrace of the slapd process from a utility such as GDB.

Warm regards,
Quanah

--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>