Advisory ROSA-SA-2023-2245

2023-10-17 12:03:14
ROSA LAB
abf.rosalinux.ru

CVSS2: 5 Medium (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CVSS3: 7.5 High (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
AI Score: 7.4 High (Confidence: High)
EPSS: 0.017 Low (Percentile: 87.9%)

Software: bind 9.11.26
OS: ROSA Virtualization 2.1

package_evr_string: bind-9.11.26-6.rv3.src.rpm

CVE-ID: CVE-2019-6470
BDU-ID: None
CVE-Crit: HIGH
CVE-DESC.: There was a bug in a function in one of the ISC BIND libraries that dhcpd used when running in DHCPv6 mode. There was also a bug in how dhcpd used this function relative to its documentation, but the bug in the library function prevented this from causing any harm. All releases of dhcpd from ISC contain copies of this and other BIND libraries in combinations that have been tested before release and are not known to cause such problems. Some third-party packagers of ISC software have changed the dhcpd source code, BIND source code, or version mapping in ways that may cause a failure. Based on reports available to ISC, the probability of failure is high, and there has been no analysis of how or whether an attacker could manipulate this probability. Affected: builds of dhcpd versions prior to 4.4.1 when using BIND version 9.11.2 or later, or versions of BIND with certain bug fixes carried over. ISC does not have access to complete version lists for all vulnerable repackagings of dhcpd.
CVE-STATUS: Fixed
CVE-REV: To remediate, run the yum update bind command

CVE-ID: CVE-2019-6477
BDU-ID: 2019-04891
CVE-Crit: HIGH
CVE-DESC.: A vulnerability in the BIND DNS server is associated with uncontrolled resource consumption. Exploitation of the vulnerability could allow a remote attacker to cause a denial of service.
CVE-STATUS: Resolved
CVE-REV: To remediate, run the yum update bind command

CVE-ID: CVE-2021-25219
BDU-ID: 2022-00686
CVE-Crit: MEDIUM
CVE-DESC.: A vulnerability in the BIND DNS server is associated with uncontrolled resource consumption. Exploitation of the vulnerability could allow a remote attacker to cause a denial of service.
CVE-STATUS: Resolved
CVE-REV: To remediate, run the yum update bind command

CVE-ID: CVE-2021-25220
BDU-ID: 2022-05754
CVE-Crit: HIGH
CVE-DESC.: A vulnerability in the BIND DNS server is related to flaws in HTTP request processing. Exploitation of the vulnerability allows a remote attacker to impact data integrity.
CVE-STATUS: Resolved
CVE-REV: To remediate, run the yum update bind command

CVE-ID: CVE-2022-2795
BDU-ID: 2022-06124
CVE-Crit: HIGH
CVE-DESC.: A vulnerability in the BIND DNS server is related to improper management of internal resources within the application when processing large delegations. Exploitation of the vulnerability could allow a remote attacker to perform a denial of service (DoS) attack.
CVE-STATUS: Resolved
CVE-REV: To remediate, run the yum update bind command

CVE-ID: CVE-2022-38177
BDU-ID: 2022-06120
CVE-Crit: HIGH
CVE-DESC.: A vulnerability in the DNSSEC implementation of the BIND DNS server is related to incorrect verification of ECDSA cryptographic signatures. Exploitation of the vulnerability could allow a remote attacker to perform a denial of service attack.
CVE-STATUS: Fixed
CVE-REV: To remediate, run the yum update bind command

CVE-ID: CVE-2022-38178
BDU-ID: 2022-06121
CVE-Crit: HIGH
CVE-DESC.: A vulnerability in the DNSSEC implementation of the BIND DNS server is related to incorrect verification of EdDSA cryptographic signatures. Exploitation of the vulnerability could allow a remote attacker to perform a denial of service attack.
CVE-STATUS: Fixed
CVE-REV: To remediate, run the yum update bind command

CVE-ID: CVE-2023-2828
BDU-ID: None
CVE-Crit: HIGH
CVE-DESC.: Each named instance configured to act as a recursive resolver maintains a cache database containing responses to queries it has recently sent to authoritative servers. The size limit for this cache database can be configured using the max-cache-size statement in the configuration file; the default is 90% of the total memory available on the host. When the cache size reaches 7/8 of the configured limit, the cache-cleaning algorithm starts removing expired and/or least-recently used RRsets from the cache to keep memory utilization below the configured limit. It has been found that the effectiveness of the cache-cleaning algorithm used in named can be significantly reduced by querying the resolver for specific RRsets in a specific order, effectively allowing the configured max-cache-size limit to be significantly exceeded.
CVE-STATUS: Fixed
CVE-REV: To remediate, run the yum update bind command

OS | OS Version | Architecture | Package | Package Version | Filename
ROSA | any | noarch | bind | < 9.11.26 | UNKNOWN
