Bug 2162685 (CVE-2023-22617) - CVE-2023-22617 PowerDNS Recursor: unbounded recursion results in program termination
Keywords:
Status: CLOSED UPSTREAM
Alias: CVE-2023-22617
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2162686 2162687
Blocks: 2162684
Reported: 2023-01-20 13:47 UTC by Zack Miele
Modified: 2023-01-23 05:22 UTC (History)

Fixed In Version: PowerDNS Recursor 4.8.1
Clone Of:
Environment:
Last Closed: 2023-01-23 05:22:13 UTC
Embargoed:

Description Zack Miele 2023-01-20 13:47:36 UTC
Hello,

   Today we have released PowerDNS Recursor 4.8.1 due to a high severity
   issue found.

   Please find the full text of the advisory below.

   The [1]changelog is available.

   The [2]tarball ([3]signature) is available from our download [4]server.
   Patches are available at [5]patches. Packages for various distributions
   are available from our [6]repository.

   Note that PowerDNS Recursor 4.5.x and older releases are End of Life.
   Consult the [7]EOL policy for more details.
     __________________________________________________________________

PowerDNS Security Advisory 2023-01: unbounded recursion results in program termination

     * CVE: CVE-2023-22617
     * Date: 20th of January 2023
     * Affects: PowerDNS Recursor 4.8.0
     * Not affected: PowerDNS Recursor < 4.8.0, PowerDNS Recursor 4.8.1
     * Severity: High
     * Impact: Denial of service
     * Exploit: This problem can be triggered by a remote attacker with
       access to the recursor by querying names from specific
       mis-configured domains
     * Risk of system compromise: None
     * Solution: Upgrade to patched version

   CVSS 3.0 score: 8.2 (High)
   https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H/E:H/RL:U/RC:C

   Thanks to applied-privacy.net for reporting this issue and their assistance in diagnosing it.

References

   1. https://docs.powerdns.com/recursor/changelog/4.8.html#change-4.8.1
   2. https://downloads.powerdns.com/releases/pdns-recursor-4.8.1.tar.bz2
   3. https://downloads.powerdns.com/releases/pdns-recursor-4.8.1.tar.bz2.sig
   4. https://downloads.powerdns.com/releases/
   5. https://downloads.powerdns.com/patches/2023-01/
   6. https://repo.powerdns.com/
   7. https://docs.powerdns.com/recursor/appendices/EOL.html



-- 

kind regards,
Otto Moerbeek
PowerDNS Developer

Comment 1 Zack Miele 2023-01-20 13:48:56 UTC
Created pdns-recursor tracking bugs for this issue:

Affects: epel-all [bug 2162686]
Affects: fedora-all [bug 2162687]

Comment 2 Product Security DevOps Team 2023-01-23 05:22:12 UTC
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.