Bug 2342880 (CVE-2024-12705)

Summary: CVE-2024-12705 bind: bind9: DNS-over-HTTPS implementation suffers from multiple issues under heavy query load
Product: [Other] Security Response
Reporter: OSIDB Bzimport <bzimport>
Component: vulnerability
Assignee: Product Security DevOps Team <prodsec-dev>
Status: NEW
Severity: high
Priority: high
Version: unspecified
CC: vrajput
Keywords: Security
Hardware: All
OS: Linux
Doc Text:
A flaw was found in BIND 9. By flooding a target resolver with HTTP/2 traffic and exploiting this flaw, an attacker could overwhelm the server, causing high CPU and/or memory usage and preventing other clients from establishing DoH connections. This issue could significantly impair the resolver's performance and effectively deny legitimate clients access to the DNS resolution service.
Bug Depends On: 2342881, 2342882, 2342883, 2342884

Description OSIDB Bzimport 2025-01-29 21:28:11 UTC
Description:
Clients using DNS-over-HTTPS (DoH) can exhaust a DNS resolver's CPU and/or memory by flooding it with crafted valid or invalid HTTP/2 traffic.

Impact:
By flooding a target resolver with HTTP/2 traffic and exploiting this flaw, an attacker could overwhelm the server, causing high CPU and/or memory usage and preventing other clients from establishing DoH connections. This would significantly impair the resolver's performance and effectively deny legitimate clients access to the DNS resolution service.

Authoritative servers are affected by this vulnerability. Resolvers are affected by this vulnerability.

Versions affected:
9.18.0 -> 9.18.32
9.20.0 -> 9.20.4
9.21.0 -> 9.21.3

(Versions prior to 9.18.27 were not assessed.)

Comment 2 errata-xmlrpc 2025-02-19 08:37:11 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2025:1670 https://access.redhat.com/errata/RHSA-2025:1670

Comment 3 errata-xmlrpc 2025-03-05 03:59:48 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.16

Via RHSA-2025:1907 https://access.redhat.com/errata/RHSA-2025:1907