Red Hat Security Advisory: redhat-ds:11 security and bug fix update
Red Hat Directory Server is an LDAPv3-compliant directory server. The suite of packages includes the Lightweight Directory Access Protocol (LDAP) server, as well as command-line utilities and Web UI packages for server administration. Security Fix(s): * 389-ds-base: Potential denial of service via specially crafted kerberos AS-REQ request (CVE-2024-3657) (BZ#2274401) * 389-ds-base: Authenticated user can cause a server failure while modifying `userPassword` using malformed input (CVE-2024-2199) (BZ#2267976) * 389-ds-base: Denial of service when writing a value larger than 256 chars in log_entry_attr (CVE-2024-1062) (BZ#2261879) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Bug fix(es): * Directory Server now flushes the entry cache less frequently (BZ#2268177) * The `ns-slapd` binary is now linked with the thread-safe `libldap_r` library, no longer causing segmentation fault (BZ#2264534) Users of Red Hat Directory Server 11 are advised to install these updated packages.
AI Analysis
Technical Summary
This advisory covers three security vulnerabilities in Red Hat Directory Server 11's 389-ds-base component: CVE-2024-3657 allows denial of service through a specially crafted Kerberos AS-REQ request; CVE-2024-2199 enables an authenticated user to cause a server failure by modifying the userPassword attribute with malformed input; CVE-2024-1062 causes denial of service when writing a value larger than 256 characters in the log_entry_attr. The advisory also includes bug fixes for cache flushing frequency and linking the ns-slapd binary with a thread-safe library to prevent segmentation faults. Users are advised to install the updated packages provided by Red Hat.
Potential Impact
Successful exploitation of these vulnerabilities can lead to denial of service conditions causing the directory server to crash or become unresponsive. An authenticated user can also cause a server failure by submitting malformed input when modifying the userPassword attribute. These issues may disrupt directory services relying on Red Hat Directory Server 11.
Mitigation Recommendations
Red Hat has released updated packages for Red Hat Directory Server 11 that address these vulnerabilities and related bugs. Users should apply these official updates as detailed in Red Hat advisory RHSA-2024:4209 and the referenced article https://access.redhat.com/articles/11258. No alternative mitigations are indicated; installing the update is the recommended remediation.
Red Hat Security Advisory: redhat-ds:11 security and bug fix update
Description
Red Hat Directory Server is an LDAPv3-compliant directory server. The suite of packages includes the Lightweight Directory Access Protocol (LDAP) server, as well as command-line utilities and Web UI packages for server administration. Security Fix(s): * 389-ds-base: Potential denial of service via specially crafted kerberos AS-REQ request (CVE-2024-3657) (BZ#2274401) * 389-ds-base: Authenticated user can cause a server failure while modifying `userPassword` using malformed input (CVE-2024-2199) (BZ#2267976) * 389-ds-base: Denial of service when writing a value larger than 256 chars in log_entry_attr (CVE-2024-1062) (BZ#2261879) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Bug fix(es): * Directory Server now flushes the entry cache less frequently (BZ#2268177) * The `ns-slapd` binary is now linked with the thread-safe `libldap_r` library, no longer causing segmentation fault (BZ#2264534) Users of Red Hat Directory Server 11 are advised to install these updated packages.
Affected software
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This advisory covers three security vulnerabilities in Red Hat Directory Server 11's 389-ds-base component: CVE-2024-3657 allows denial of service through a specially crafted Kerberos AS-REQ request; CVE-2024-2199 enables an authenticated user to cause a server failure by modifying the userPassword attribute with malformed input; CVE-2024-1062 causes denial of service when writing a value larger than 256 characters in the log_entry_attr. The advisory also includes bug fixes for cache flushing frequency and linking the ns-slapd binary with a thread-safe library to prevent segmentation faults. Users are advised to install the updated packages provided by Red Hat.
Potential Impact
Successful exploitation of these vulnerabilities can lead to denial of service conditions causing the directory server to crash or become unresponsive. An authenticated user can also cause a server failure by submitting malformed input when modifying the userPassword attribute. These issues may disrupt directory services relying on Red Hat Directory Server 11.
Mitigation Recommendations
Red Hat has released updated packages for Red Hat Directory Server 11 that address these vulnerabilities and related bugs. Users should apply these official updates as detailed in Red Hat advisory RHSA-2024:4209 and the referenced article https://access.redhat.com/articles/11258. No alternative mitigations are indicated; installing the update is the recommended remediation.
Technical Details
- Gcve Source
- db.gcve.eu
- Csaf Category
- csaf_security_advisory
- Csaf Version
- 2.0
- Publisher
- Red Hat Product Security
- Advisory Id
- RHSA-2024:4209
- Cve Count
- 3
- Additional Cves
- ["CVE-2024-2199","CVE-2024-3657"]
- Cvss Version
- null
Threat ID: 6a3e805ccef61ccff9700cb8
Added to database: 06/26/2026, 13:36:28 UTC
Last enriched: 06/26/2026, 13:41:18 UTC
Last updated: 06/27/2026, 11:51:10 UTC
Views: 2
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.