7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
0.001 Low
EPSS
Percentile
34.0%
This issue can affect BIND 9 resolvers with stale-answer-enable yes;
that
also make use of the option stale-answer-client-timeout
, configured with
a value greater than zero. If the resolver receives many queries that
require recursion, there will be a corresponding increase in the number of
clients that are waiting for recursion to complete. If there are sufficient
clients already waiting when a new client query is received so that it is
necessary to SERVFAIL the longest waiting client (see BIND 9 ARM
recursive-clients
limit and soft quota), then it is possible for a race
to occur between providing a stale answer to this older client and sending
an early timeout SERVFAIL, which may cause an assertion failure. This issue
affects BIND 9 versions 9.16.12 through 9.16.36, 9.18.0 through 9.18.10,
9.19.0 through 9.19.8, and 9.16.12-S1 through 9.16.36-S1.
Author | Note |
---|---|
alexmurray | As of isc-dhcp-4.4.3-1, isc-dhcp vendors bind9 libs |
mdeslaur | This issue was introduced in 9.16.12 |
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
0.001 Low
EPSS
Percentile
34.0%