Bug 1613595 (CVE-2018-5740)
Summary: | CVE-2018-5740 bind: processing of certain records when "deny-answer-aliases" is in use may trigger an assert leading to a denial of service | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Sam Fowler <sfowler> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | high | Docs Contact: | |
Priority: | high | ||
Version: | unspecified | CC: | anon.amish, bmcclain, dblechte, dfediuck, eedri, jpopelka, mgoldboi, michal.skrivanek, mruprich, msehnout, pemensik, pzhukov, sbonazzo, security-response-team, sherold, thozza, vonsch, yozone, zdohnal |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | bind 9.9.13-P1, bind 9.10.8-P1, bind 9.11.4-P1, bind 9.12.2-P1, bind 9.11.3-S3 | Doc Type: | If docs needed, set a value |
Doc Text: |
A denial of service flaw was discovered in bind versions that include the "deny-answer-aliases" feature. This flaw may allow a remote attacker to trigger an INSIST assert in named leading to termination of the process and a denial of service condition.
|
Story Points: | --- |
Clone Of: | Environment: | ||
Last Closed: | 2019-06-10 10:35:30 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 1613976, 1613977, 1613978, 1614040, 1614041, 1614042 | ||
Bug Blocks: | 1613599 |
Description
Sam Fowler
2018-08-08 00:29:07 UTC
Acknowledgments: Name: ISC Upstream: Tony Finch (University of Cambridge) Note that upstream notes version 9.7.0 as the first version affected by this flaw, as that's when deny-answer-aliases feature was added. Mitigation: Disabling the "deny-answer-aliases" configuration option should prevent exploitation. Statement: The "deny-answer-aliases" configuration option is not enabled in default configurations of bind. Upstream states that this option is very rarely used. As such, if customers have not specifically enabled this option in configurations, the risk should be mitigated. Unembargoing due to unembargo from upstream (https://lists.isc.org/pipermail/bind-announce/2018-August/001098.html) External References: https://kb.isc.org/article/AA-01639/74/CVE-2018-5740 Created bind tracking bugs for this issue: Affects: fedora-all [bug 1614040] Created bind99 tracking bugs for this issue: Affects: fedora-all [bug 1614041] Red Hat Virtualization only ships client-side / library portions of bind, which do not include this flaw. Upstream patches: https://gitlab.isc.org/isc-projects/bind9/merge_requests/607/commits This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHSA-2018:2571 https://access.redhat.com/errata/RHSA-2018:2571 This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2018:2570 https://access.redhat.com/errata/RHSA-2018:2570 |