Security Bulletin: BIND for IBM i is affected by CVE-2020-8622 and CVE-2020-8624

Summary

BIND is used by IBM i. IBM i has addressed the applicable CVEs.

Vulnerability Details

CVEID:CVE-2020-8624
**DESCRIPTION:**ISC BIND could allow a remote authenticated attacker to bypass security restrictions, caused by the failure to properly enforce the update-policy rules of type “subdomain”. By sending a specially-crafted request, an attacker could exploit this vulnerability to update other contents of the zone.
CVSS Base score: 4.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/187062 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N)

CVEID:CVE-2020-8622
**DESCRIPTION:**ISC BIND is vulnerable to a denial of service, caused by an assertion failure when attempting to verify a truncated response to a TSIG-signed request. By sending a specially-crafted request, a remote authenticated attacker could exploit this vulnerability to cause the server to exit.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/187060 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

Remediation/Fixes

The issues can be fixed by applying a PTF to IBM i. Releases 7.4 7.3, 7.2 and 7.1 of IBM i are supported and will be fixed.

The IBM i PTF numbers are:
**Release 7.4 – SI74159 ****Release 7.3 – SI74160 ****Release 7.2 – SI74161 **Release 7.1 – SI74204

<https://www.ibm.com/support/fixcentral/&gt;

_Important note: __IBM recommends that all users running unsupported versions of affected products upgrade to supported and fixed version of affected products.
_

Workarounds and Mitigations

None