Security Bulletin: BIND for IBM i is affected by CVE-2020-8616 and CVE-2020-8617

Summary

BIND is used by IBM i. IBM i has addressed the applicable CVEs.

Vulnerability Details

CVEID:CVE-2020-8617
**DESCRIPTION:**ISC BIND is vulnerable to a denial of service, caused by a logic error in code which checks TSIG validity. A remote attacker could exploit this vulnerability to trigger an assertion failure in tsig.c.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/182127 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:CVE-2020-8616
**DESCRIPTION:**ISC BIND is vulnerable to a denial of service, caused by the failure to limit the number of fetches performed when processing referrals. By using specially crafted referrals, a remote attacker could exploit this vulnerability to cause the recursing server to issue a very large number of fetches in an attempt to process the referral.
CVSS Base score: 8.6
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/182126 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H)

Affected Products and Versions

Remediation/Fixes

The issues can be fixed by applying a PTF to IBM i. Releases 7.4 7.3, 7.2 and 7.1 of IBM i are supported and will be fixed.

The IBM i PTF numbers are:
**Release 7.4 – SI73482 ****Release 7.3 – SI73483 ****Release 7.2 – SI73484 **Release 7.1 – SI73485

<https://www-945.ibm.com/support/fixcentral/&gt;

_Important note: __IBM recommends that all users running unsupported versions of affected products upgrade to supported and fixed version of affected products.
_

Workarounds and Mitigations

None