K80533167 : BIND vulnerability CVE-2017-3135

Security Advisory Description

Under some conditions when using both DNS64 and RPZ to rewrite query responses, query processing can resume in an inconsistent state leading to either an INSIST assertion failure or an attempt to read through a NULL pointer. Affects BIND 9.8.8, 9.9.3-S1 -> 9.9.9-S7, 9.9.3 -> 9.9.9-P5, 9.9.10b1, 9.10.0 -> 9.10.4-P5, 9.10.5b1, 9.11.0 -> 9.11.0-P2, 9.11.1b1. (CVE-2015-3135)

BIG-IP configurations using DNS64 (the DNS IPv6 to IPv4 option configured in the DNS profile) and Response Policy Zone (RPZ) rewriting (in the BIND configuration) together are affected by this CVE.

Note: The DNS IPv6 to IPv4 option is disabled, by default, in the DNS profile.

Note: RPZ Rewriting is an optional BIND 9.x configuration that allows administrators to create DNS deny lists.

Impact

Remote attackers may be able to cause a BIND denial-of-service (DoS) attack by making a query for an AAAA record.