CVE-2014-5353
If kadmind were used with an LDAP back end for the KDC database, a remote, authenticated attacker who has the permissions to set the password policy could crash kadmind by attempting to use a named ticket policy object as a password policy for a principal.
Find out more about CVE-2014-5353 from the MITRE CVE dictionary dictionary and NIST NVD.
Statement
This issue affects the version of krb5 package as shipped with Red Hat Enterprise Linux 5. Red Hat Enterprise Linux 5 is now in Production 3 Phase of the support and maintenance life cycle. This issue is not planned to be addressed in Red Hat Enterprise Linux 5. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.
CVSS v2 metrics
| Base Score | 3.5 |
|---|---|
| Base Metrics | AV:N/AC:M/Au:S/C:N/I:N/A:P |
| Access Vector | Network |
| Access Complexity | Medium |
| Authentication | Single |
| Confidentiality Impact | None |
| Integrity Impact | None |
| Availability Impact | Partial |
Find out more about Red Hat support for the Common Vulnerability Scoring System (CVSS).
Red Hat Security Errata
| Platform | Errata | Release Date |
|---|---|---|
| Red Hat Enterprise Linux 7 (krb5) | RHSA-2015:0439 | 2015-03-05 |
| Red Hat Enterprise Linux 6 (krb5) | RHSA-2015:0794 | 2015-04-09 |
Affected Packages State
| Platform | Package | State |
|---|---|---|
| Red Hat JBoss EWS 2 | krb5 | Not affected |
| Red Hat JBoss EAP 6 | jbossas | Not affected |
| Red Hat Enterprise Linux 5 | krb5 | Will not fix |