K35322517 : BIND vulnerability CVE-2016-8864

2016-11-03 00:00:00
my.f5.com
CVSS3: 7.5 High
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Privileges Required: NONE
  User Interaction: NONE
  Scope: UNCHANGED
  Confidentiality Impact: NONE
  Integrity Impact: NONE
  Availability Impact: HIGH
  Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

AI Score: 7.4 High (Confidence: High)

CVSS2: 5 Medium
  Access Vector: NETWORK
  Access Complexity: LOW
  Authentication: NONE
  Confidentiality Impact: NONE
  Integrity Impact: NONE
  Availability Impact: PARTIAL
  Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P

EPSS: 0.954 High (Percentile: 99.2%)

Security Advisory Description

named in ISC BIND 9.x before 9.9.9-P4, 9.10.x before 9.10.4-P4, and 9.11.x before 9.11.0-P1 allows remote attackers to cause a denial of service (assertion failure and daemon exit) via a DNAME record in the answer section of a response to a recursive query, related to db.c and resolver.c. (CVE-2016-8864)

Impact

When the BIND recursion option is enabled, an attacker may exploit this vulnerability to cause the named process to restart. Additionally, the restarted process does not trigger the BIG-IP system high availability (HA) failover event.

By default, the BIND recursion option is not enabled on BIG-IP DNS or GTM systems. If the BIND recursion option is enabled, BIG-IP DNS or GTM systems are vulnerable.

For BIG-IP APM systems, only the dynamic application tunnel is vulnerable. However, the attacker needs an authenticated application tunnel user and control of a malicious DNS server to exploit this vulnerability. The BIG-IP APM Network Access functionality is not vulnerable to this issue.
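
The two conditions stated above (a BIND version in the affected range, and the recursion option enabled) can be checked together. The following is an added example, not code from F5 or ISC; the function names and the sample configuration are assumptions made for illustration, and the version bounds are the ones quoted in the description.

```python
import re

# First fixed release per 9.x branch, from the advisory text: minor -> (patch, P-level).
FIXED = {9: (9, 4), 10: (4, 4), 11: (0, 1)}
_VER = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:-P(\d+))?")
# named.conf comment styles: /* ... */, // ..., # ...
_COMMENT = re.compile(r"/\*.*?\*/|//[^\n]*|#[^\n]*", re.S)
# A 'recursion <boolean>;' statement, but not 'allow-recursion { ... };'.
_RECURSION = re.compile(r"(?<![\w-])recursion\s+(yes|no|true|false|1|0)\s*;", re.I)

def is_affected(version_text):
    """True if a version string such as 'BIND 9.10.4-P3' is in the advisory's range."""
    m = _VER.search(version_text)
    if not m:
        raise ValueError("no BIND version found in %r" % version_text)
    major, minor, patch, plevel = (int(g or 0) for g in m.groups())
    if major != 9:
        return False              # the advisory only covers 9.x
    if minor < 9:
        return True               # "9.x before 9.9.9-P4"
    fixed = FIXED.get(minor)
    # Branches newer than 9.11 are not listed; suffixes other than -P (rc, b, -S)
    # are compared as the unpatched base release, which errs towards "affected".
    return fixed is not None and (patch, plevel) < fixed

def recursion_enabled(named_conf):
    """True/False for an explicit setting (any 'yes' wins), None if never stated."""
    values = [v.lower() for v in _RECURSION.findall(_COMMENT.sub("", named_conf))]
    if not values:
        return None
    return any(v in ("yes", "true", "1") for v in values)

def exposure(version_text, named_conf):
    """Combine both conditions into a short triage verdict."""
    if not is_affected(version_text):
        return "not affected"
    state = recursion_enabled(named_conf)
    if state is None:
        return "affected version, recursion not stated: check the product default"
    return "exposed" if state else "affected version, recursion off"

# Constructed sample configuration, not taken from a real system.
SAMPLE_CONF = """
options {
    directory "/var/named";
    // recursion yes;   commented out, must be ignored
    recursion no;
};
"""
```

Vendor and distribution builds can carry a backported fix under an older version string, so a version match is a prompt to check the vendor's fixed release rather than proof of exposure.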
