A flaw was found in bind9. By flooding a DNSSEC resolver with responses coming from a DNSEC-signed zone using NSEC3, an attacker can lead the targeted resolver to a CPU exhaustion, further leading to a Denial of Service on the targeted host. This vulnerability applies only for systems where DNSSEC validation is enabled.

Mitigation

There are no mitigations for this issue that meet Red Hat's secure workaround criteria. Updating the package to the version containing the fix is recommended.

References

blog.powerdns.com/2024/02/13/powerdns-recursor-4-8-6-4-9-3-5-0-2-released

bugzilla.redhat.com/show_bug.cgi?id=2263917

kb.isc.org/docs/cve-2023-50868

nvd.nist.gov/vuln/detail/CVE-2023-50868

www.cve.org/CVERecord?id=CVE-2023-50868

www.knot-resolver.cz/2024-02-13-knot-resolver-5.7.1.html

nvd 1

mscve 1

prion 1

f5 1

cgr 1

alpinelinux 1

cve 1

ibm 1

veracode 1

ubuntucve 1

osv 19

cbl_mariner 1

cvelist 1

nessus 69

debiancve 1

wolfi 1

redhat 15

freebsd 2

amazon 2

openvas 37

almalinux 6

fedora 6

freebsd_advisory 1

oraclelinux 6

debian 5

mageia 2

rocky 3

ubuntu 4

akamaiblog 1

redos 1

cloudlinux 1

slackware 1

cloudfoundry 1

photon 3

nvd

CVE-2023-50868

2024-02-14 16:15:45

mscve

MITRE: CVE-2023-50868 NSEC3 closest encloser proof can exhaust CPU

2024-06-11 07:00:00

prion

Code injection

2024-02-14 16:15:00

K000139084 : DNS vulnerability CVE-2023-50868

2024-03-28 00:00:00

cgr

CVE-2023-50868 vulnerabilities

2024-05-19 03:07:16

alpinelinux

CVE-2023-50868

2024-02-14 16:15:45

cve

CVE-2023-50868

2024-02-14 16:15:45

ibm

Security Bulletin: IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to a denial of service in ISC BIND [CVE-2023-50868]

2024-06-20 18:01:02

veracode

Denial Of Service

2024-02-15 02:59:19

ubuntucve

CVE-2023-50868

2024-02-13 00:00:00

osv

CVE-2023-50868

2024-02-14 16:15:45

Important: dnsmasq security update

2024-03-14 00:00:00

Important: unbound security update

2024-02-26 00:00:00

cbl_mariner

CVE-2023-50868 affecting package unbound for versions less than 1.19.1-1

2024-03-05 17:52:42

cvelist

CVE-2023-50868

2024-02-14 00:00:00

nessus

ISC BIND 9.0.0 < 9.16.48 / 9.9.3-S1 < 9.16.48-S1 / 9.18.0 < 9.18.24 / 9.18.11-S1 < 9.18.24-S1 / 9.19.0 < 9.19.21 Vulnerability (cve-2023-50868)

2024-02-13 00:00:00

CentOS 8 : dnsmasq (CESA-2024:1335)

2024-03-14 00:00:00

Amazon Linux 2 : dnsmasq (ALASDNSMASQ-2024-002)

2024-04-18 00:00:00

debiancve

CVE-2023-50868

2024-02-14 16:15:45

wolfi

CVE-2023-50868 vulnerabilities

2024-06-26 21:08:32

redhat

(RHSA-2024:0982) Important: unbound security update

2024-02-26 09:15:03

(RHSA-2024:0981) Important: unbound security update

2024-02-26 09:13:42

(RHSA-2024:0965) Important: unbound security update

2024-02-26 00:56:26

freebsd

powerdns-recursor -- Multiple Vulnerabilities

2024-02-14 00:00:00

DNSSEC validators -- denial-of-service/CPU exhaustion from KeyTrap and NSEC3 vulnerabilities

2024-02-06 00:00:00

amazon

Important: unbound

2024-02-29 10:03:00

Important: bind

2024-04-24 22:15:00

openvas

Huawei EulerOS: Security Advisory for bind (EulerOS-SA-2024-1561)

2024-05-10 00:00:00

Mageia: Security Advisory (MGASA-2024-0039)

2024-02-19 00:00:00

Fedora: Security Advisory for pdns-recursor (FEDORA-2024-b0f9656a76)

2024-02-23 00:00:00

almalinux

Important: dnsmasq security update

2024-03-14 00:00:00

Important: unbound security update

2024-02-26 00:00:00

Important: unbound security update

2024-02-26 00:00:00

fedora

[SECURITY] Fedora 39 Update: dnsmasq-2.90-1.fc39

2024-02-19 02:29:29

[SECURITY] Fedora 38 Update: dnsmasq-2.90-1.fc38

2024-02-29 01:59:13

[SECURITY] Fedora 38 Update: pdns-recursor-4.8.6-1.fc38

2024-02-23 01:32:18

freebsd_advisory

FreeBSD-SA-24:03.unbound

2024-03-28 00:00:00

oraclelinux

dnsmasq security update

2024-03-15 00:00:00

unbound security update

2024-02-28 00:00:00

unbound security update

2024-02-28 00:00:00

debian

[SECURITY] [DLA 3736-1] unbound security update

2024-02-21 12:20:40

[SECURITY] [DSA 5620-1] unbound security update

2024-02-14 06:49:32

[SECURITY] [DSA 5626-1] pdns-recursor security update

2024-02-18 16:35:24

mageia

Updated dnsmasq packages fix security vulnerabilities

2024-02-18 04:49:05

Updated unbound packages fix security vulnerabilities

2024-02-17 03:55:07

rocky

dnsmasq security update

2024-03-27 04:34:32

bind and dhcp security update

2024-05-06 13:04:07

bind and dhcp security update

2024-06-14 13:59:16

ubuntu

Bind vulnerabilities

2024-04-09 00:00:00

Unbound vulnerabilities

2024-02-28 00:00:00

Dnsmasq vulnerabilities

2024-02-26 00:00:00

akamaiblog

CVE-2023-50387 and CVE-2023-50868 ? DNS Exploit KeyTrap Posed Major Internet Threat

2024-02-15 07:00:00

redos

ROS-20240410-09

2024-04-10 00:00:00

cloudlinux

bind: Fix of 2 CVEs

2024-03-14 17:26:05

slackware

[slackware-security] dnsmasq

2024-02-14 04:22:19

cloudfoundry

USN-6665-1: Unbound vulnerabilities | Cloud Foundry

2024-04-04 00:00:00

photon

Important Photon OS Security Update - PHSA-2024-5.0-0205

2024-02-14 00:00:00

Important Photon OS Security Update - PHSA-2024-3.0-0731

2024-02-28 00:00:00

Important Photon OS Security Update - PHSA-2024-3.0-0726

2024-02-14 00:00:00

Solutions

Vulnerabilities intelligence
Perimeter control tool
Linux scanner
Windows scanner
Developers SDK
Security Intelligence feeds

Database

Vulnerabilities
Exploits
Security News
BugBounty
Wild Exploited
Top Vulnerabilities
CVE Feed

Resources

Statics & Sources
Plugins
API docs
FAQ
Blog
Glossary

Company

About
Contacts
Pricing
EULA
Privacy Policy
Submission Policy
OpenSource

@2024 Vulners Inc

7.6 High

AI Score

Confidence

High

0.0005 Low

EPSS

Percentile

17.2%

JSON

Related for RH:CVE-2023-50868