7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
0.001 Low
EPSS
Percentile
34.0%
Sending a flood of dynamic DNS updates may cause named
to allocate large
amounts of memory. This, in turn, may cause named
to exit due to a lack
of free memory. We are not aware of any cases where this has been
exploited. Memory is allocated prior to the checking of access permissions
(ACLs) and is retained during the processing of a dynamic update from a
client whose access credentials are accepted. Memory allocated to clients
that are not permitted to send updates is released immediately upon
rejection. The scope of this vulnerability is limited therefore to trusted
clients who are permitted to make dynamic zone changes. If a dynamic update
is REFUSED, memory will be released again very quickly. Therefore it is
only likely to be possible to degrade or stop named
by sending a flood of
unaccepted dynamic updates comparable in magnitude to a query flood
intended to achieve the same detrimental outcome. BIND 9.11 and earlier
branches are also affected, but through exhaustion of internal resources
rather than memory constraints. This may reduce performance but should not
be a significant problem for most servers. Therefore we don’t intend to
address this for BIND versions prior to BIND 9.16. This issue affects BIND
9 versions 9.16.0 through 9.16.36, 9.18.0 through 9.18.10, 9.19.0 through
9.19.8, and 9.16.8-S1 through 9.16.36-S1.
Author | Note |
---|---|
alexmurray | As of isc-dhcp-4.4.3-1, isc-dhcp vendors bind9 libs |
mdeslaur | bind 9.11 and earlier will exhaust internal resources before exhausting memory constraints so this CVE is not a significant issue in 9.11 and earlier and will not be fixed by upstream or by Ubuntu. |
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
0.001 Low
EPSS
Percentile
34.0%