Published: Nov 03, 2016 - 12:00 a.m.

SOL35322517 - BIND vulnerability CVE-2016-8864

Source: support.f5.com

EPSS: 0.951 (percentile 99.3%)

Vulnerability Recommended Actions

If you are running a version listed in the Versions known to be vulnerable column, you can eliminate this vulnerability by upgrading to a version listed in the Versions known to be not vulnerable column. If the table lists only an older version than the one you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.

Mitigation

To mitigate this vulnerability, you can disable the recursion option in the BIND configuration if recursion is not required in your environment. To do so, perform the following procedure.

**Impact of action:** This procedure disables the recursion feature in the BIND configuration and restarts the system service, which may affect the BIG-IP system responding to DNS queries. F5 recommends performing this procedure during a scheduled maintenance period.

  1. Log in to the Advanced Shell (bash) of the BIG-IP system as the root user.
  2. Check whether the system has recursion enabled for the named service by typing the following command:

grep "recursion\ " /var/named/config/named.conf

If the output displays “recursion yes,” proceed to step 4.

  3. To check whether the system has recursion enabled for the dnscached service, type the following command:

grep "recursion\ " /var/dnscached/config/named.conf

If the output displays “recursion yes,” proceed to step 4.

Note: The **/var/dnscached/config/named.conf** configuration file is only valid if the BIG-IP system is provisioned or was previously provisioned with the APM module.

  4. Use an editor of your choice to remove the following lines from the target configuration file:

 recursion yes;
 allow-recursion { <IP-Addresses-ACL> };

If you have more than one file to edit, after evaluating the files in step 2 and step 3, repeat step 4 for the next configuration file.

  5. If you modified the configuration of the dnscached service in step 4, you must restart the dnscached service by typing the following command:

tmsh restart /sys service dnscached

  6. If you modified the configuration of the named service in step 4, you must restart the **named** service by typing the following command:

tmsh restart /sys service named
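As an added example (not F5's procedure or code), the following POSIX shell snippet performs the recursion check from steps 2 and 3 and produces the edited file from step 4, working on a constructed named.conf rather than the BIG-IP paths; restarting the service (steps 5 and 6) remains a manual tmsh step. The function names, the sample ACL and the single-line form of the allow-recursion statement are assumptions.

```shell
#!/bin/sh
# Added example, not F5's code. Checks a named.conf for the "recursion yes"
# setting (steps 2 and 3) and writes a copy with the two recursion lines from
# step 4 removed. Function names and the sample file are assumptions.

# Return 0 (true) when the file contains an active "recursion yes;" statement.
recursion_enabled() {
    grep -q '^[[:space:]]*recursion[[:space:]][[:space:]]*yes[[:space:]]*;' "$1"
}

# Copy $1 to $2, dropping "recursion yes;" and the single-line
# "allow-recursion { ... };" statement shown in step 4.
strip_recursion() {
    sed -e '/^[[:space:]]*recursion[[:space:]][[:space:]]*yes[[:space:]]*;/d' \
        -e '/^[[:space:]]*allow-recursion[[:space:]]*{.*}[[:space:]]*;/d' \
        "$1" > "$2"
}

# Constructed sample configuration standing in for /var/named/config/named.conf.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
options {
    directory "/var/named";
    recursion yes;
    allow-recursion { 10.0.0.0/8; };
};
zone "example.com" { type master; file "example.com.db"; };
EOF

HARDENED=$(mktemp)
if recursion_enabled "$SAMPLE"; then
    strip_recursion "$SAMPLE" "$HARDENED"
    echo "recursion enabled in $SAMPLE; edited copy written to $HARDENED"
else
    echo "recursion not enabled in $SAMPLE; nothing to change"
fi
```

Review the edited copy before replacing the live file; on a BIG-IP system the restart in steps 5 and 6 still has to be issued with tmsh.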

Supplemental Information

  • SOL9970: Subscribing to email notifications regarding F5 products
  • SOL9957: Creating a custom RSS feed to view new and updated documents
  • SOL4602: Overview of the F5 security vulnerability response policy
  • SOL4918: Overview of the F5 critical issue hotfix policy
  • SOL167: Downloading software and firmware from F5
  • SOL13123: Managing BIG-IP product hotfixes (11.x - 12.x)
  • SOL10025: Managing BIG-IP product hotfixes (10.x)
  • SOL9502: BIG-IP hotfix matrix
  • SOL6664: Obtaining and installing OPSWAT hotfixes
  • SOL10942: Installing OPSWAT hotfixes on BIG-IP APM systems