Regularly apply security patches and updates to 389DS and the OS
389-SH-004 - severity: high
| Field | Value |
|---|---|
| Control ID | 389-SH-004 |
| Severity | high |
| Type | preventive |
| Owner | IT Operations |
| Status | authored |
| NIST 800-53 | SI-2, SI-2(2) |
| DISA SRG | SRG-APP-000456 |
Rationale
Unpatched directory servers are directly exposed to publicly disclosed
vulnerabilities in 389-ds-base, the Mozilla NSS cryptographic library, OpenSSL,
and the underlying operating system - all of which receive regular security
updates addressing memory corruption, privilege escalation, authentication bypass,
and cryptographic weaknesses. Once a CVE is published, exploit code frequently
follows within days; LDAP infrastructure is a high-value target because a
compromised directory server yields credentials and access for every system that
trusts it. Delayed patching extends the window between public disclosure and
remediation, directly increasing the probability of exploitation. A defined
patching cadence with automated update detection ensures critical fixes are
applied before attackers can operationalize known vulnerabilities. This control
satisfies the flaw-remediation requirements of NIST SP 800-53 SI-2 and SI-2(2),
and is assessed by DISA SRG-APP-000456 (security patching).
Check
Check whether updates are available for the 389-ds-base package. Add --security
to the command to list only updates that carry a security advisory, which is
usually what a patch-compliance check wants to know.
dnf check-update 389-ds-base
Remediation
Apply the available 389-ds-base security updates, then restart the instance so
the new binaries are loaded. The server links against the system NSS and
OpenSSL libraries, so a package-scoped update alone does not cover the
cryptographic fixes named in the rationale; apply the OS security updates
(dnf update --security) in the same maintenance window.
dnf update -y 389-ds-base
dsctl <instance> restart
References
Implementation Notes
dnf check-update exits with status 100 when updates are available and 0 when
the package is current; only other statuses (1 on error) mean the command
itself failed. Scripts that run under set -e, or that treat any non-zero status
as a failure, will misreport a pending update as an error, so handle 100
explicitly in automation. Schedule patching within a defined maintenance window
to minimize service disruption, and test updates against a staging instance
before applying them to production; in a replicated topology, patch one replica
at a time so the directory stays available throughout. On Debian/Ubuntu-based
systems, substitute apt for dnf; the server package is also named 389-ds-base
there, with 389-ds as a metapackage that depends on it. A restart of the
directory instance is required after applying package updates to load the new
binaries, and equally after updates to the NSS or OpenSSL libraries, which
ns-slapd loads at startup and keeps mapped until it restarts. Consider
subscribing to the 389-devel@lists.fedoraproject.org mailing list or monitoring
the upstream release page for advance notice of security releases.
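As an added example (not part of this control or of the 389-ds project), the
following POSIX shell wrapper ties the check and remediation above together and
handles the exit status of dnf check-update the way the note describes, so that
a pending update is never reported as a failure. The script name, the INSTANCE
variable and its default value are assumptions; the check is restricted to
advisory-flagged updates with --security.

```shell
#!/bin/sh
# Added example (not part of the control text): a patch check for 389-ds-base
# that treats `dnf check-update` exit status 100 as "updates pending" rather
# than as a failure. INSTANCE is an assumed placeholder for the dsctl instance.
INSTANCE="${INSTANCE:-localhost}"

# Translate the documented exit statuses of `dnf check-update` into a word a
# maintenance job can branch on: 0 = nothing to do, 100 = updates available,
# anything else = dnf itself failed (repository unreachable, bad metadata, ...).
classify_check_update() {
    case "$1" in
        0)   echo "current" ;;
        100) echo "updates-available" ;;
        *)   echo "error" ;;
    esac
}

# Query dnf for security updates to 389-ds-base. The `&& rc=0 || rc=$?` idiom
# captures the status without letting a 100 trip `set -e` in the caller, which
# is the usual automation bug this control's notes warn about.
check_389ds_updates() {
    dnf -q check-update --security 389-ds-base >/dev/null 2>&1 && rc=0 || rc=$?
    classify_check_update "$rc"
}

# Apply pending security updates inside the maintenance window, then restart
# the instance so ns-slapd loads the new binaries and libraries.
patch_389ds() {
    state=$(check_389ds_updates)
    case "$state" in
        current)
            echo "389-ds-base: no pending security updates"
            return 0 ;;
        updates-available)
            dnf -y update --security 389-ds-base &&
            dsctl "$INSTANCE" restart ;;
        *)
            echo "389-ds-base: dnf check-update failed" >&2
            return 1 ;;
    esac
}

# Run only when invoked as `sh patch-389ds.sh apply`; sourcing the file just
# defines the functions so they can be reused from a larger maintenance job.
if [ "${1:-}" = "apply" ]; then
    patch_389ds
fi
```

Invoke it from a scheduled maintenance job as `INSTANCE=<instance> sh
patch-389ds.sh apply`; the job's own exit status then reflects whether dnf or
dsctl failed, not whether an update happened to be pending.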