IBM i Domain Name System (DNS) uses ISC BIND. ISC BIND on IBM i is vulnerable to denial of service attacks due to errors exploitable by remote attacker as described in the vulnerability details section [CVE-2023-4408, CVE-2023-5517, CVE-2023-5679, CVE-2023-6516, CVE-2023-50868]. This bulletin identifies the steps to take to address the vulnerabilities as described in the remediation/fixes section.
CVEID:CVE-2023-5517
**DESCRIPTION:**ISC BIND is vulnerable to a denial of service, caused by a flaw in query-handling code. By querying RFC 1918 reverse zones, a remote attacker could exploit this vulnerability to trigger an assertion failure.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/282905 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVEID:CVE-2023-50868
**DESCRIPTION:**ISC BIND is vulnerable to a denial of service, caused by an error when preparing an NSEC3 closest encloser proof. By flooding the target resolver with queries, a remote attacker could exploit this vulnerability to cause CPU exhaustion on a DNSSEC-validating resolver.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/282901 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVEID:CVE-2023-6516
**DESCRIPTION:**ISC BIND is vulnerable to a denial of service, caused by an out-of-memory condition. By using specific recursive query patterns, a remote attacker could exploit this vulnerability to cause the amount of memory used by a named resolver to go well beyond the configured max-cache-size limit, leading to a denial of service.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/282902 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVEID:CVE-2023-5679
**DESCRIPTION:**ISC BIND is vulnerable to a denial of service, caused by an error when enabling both DNS64 and serve-stale. By querying a DNS64-enabled resolver for domain names triggering serve-stale, a remote attacker could exploit this vulnerability to trigger an assertion failure.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/282904 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVEID:CVE-2023-4408
**DESCRIPTION:**ISC BIND is vulnerable to a denial of service, caused by an error when parsing large DNS messages. By flooding the target server with queries, a remote attacker could exploit this vulnerability to cause excessive CPU load.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/282906 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Affected Product(s) | Version(s) |
---|---|
IBM i | 7.5 |
IBM i | 7.4 |
IBM i | 7.3 |
IBM i | 7.2 |
The issue can be fixed by applying a PTF to IBM i. IBM i releases 7.5, 7.4, 7.3, and 7.2 will be fixed.
The IBM i PTF number for 5770-SS1 Option 31 contains the fix for the vulnerability.
IBM i Release| 5770-SS1 Option 31
PTF Number| PTF Download Link
—|—|—
7.5| SI85949| <https://www.ibm.com/support/pages/ptf/SI85949>
7.4| SI85950| <https://www.ibm.com/support/pages/ptf/SI85950>
7.3| SI85951| <https://www.ibm.com/support/pages/ptf/SI85951>
7.2| SI85952| <https://www.ibm.com/support/pages/ptf/SI85952>
<https://www.ibm.com/support/fixcentral>
Important note: IBM recommends that all users running unsupported versions of affected products upgrade to supported and fixed version of affected products.
None
CPE | Name | Operator | Version |
---|---|---|---|
ibm i 7.2 preventative service planning | eq | 7.2.0 |