CVE-2019-6476
Vulnerability from cvelistv5
Published
2019-10-17 19:17
Modified
2024-09-16 16:58
Severity ?
EPSS score ?
Summary
An error in QNAME minimization code can cause BIND to exit with an assertion failure
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T20:23:20.982Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://kb.isc.org/docs/cve-2019-6476" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://security.netapp.com/advisory/ntap-20191024-0004/" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://support.f5.com/csp/article/K42238532?utm_source=f5support\u0026amp%3Butm_medium=RSS" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "BIND 9", "vendor": "ISC", "versions": [ { "status": "affected", "version": "9.14.0 up to 9.14.6" }, { "status": "affected", "version": "9.15.0 up to 9.15.4" } ] } ], "datePublic": "2019-10-16T00:00:00", "descriptions": [ { "lang": "en", "value": "A defect in code added to support QNAME minimization can cause named to exit with an assertion failure if a forwarder returns a referral rather than resolving the query. This affects BIND versions 9.14.0 up to 9.14.6, and 9.15.0 up to 9.15.4." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "description": "An attacker who manages to deliberately trigger this condition on a server which is performing recursion can cause named to exit, denying service to clients.", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2019-11-19T20:06:56", "orgId": "404fd4d2-a609-4245-b543-2c944a302a22", "shortName": "isc" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://kb.isc.org/docs/cve-2019-6476" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://security.netapp.com/advisory/ntap-20191024-0004/" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://support.f5.com/csp/article/K42238532?utm_source=f5support\u0026amp%3Butm_medium=RSS" } ], "solutions": [ { "lang": "en", "value": "Upgrade to the patched release most closely related to your current version of BIND:\n + BIND 9.14.7\n + BIND 9.15.5" } ], "source": { "discovery": "USER" }, "title": "An error in QNAME minimization code can cause BIND to exit with an assertion failure", "workarounds": [ { "lang": "en", "value": "ervers which have QNAME minimization turned on are potentially vulnerable to this defect if they are running an affected version of BIND. The vulnerability can be avoided by disabling QNAME minimization using \"qname-minimization disabled;\" in the global options section of named.conf (Note: the default value for the qname-minimization setting in the 9.14 and 9.15 branches is \"relaxed\". To make use of this workaround it must be explicitly disabled.)" } ], "x_generator": { "engine": "Vulnogram 0.0.8" }, "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security-officer@isc.org", "DATE_PUBLIC": "2019-10-16T17:36:53.000Z", "ID": "CVE-2019-6476", "STATE": "PUBLIC", "TITLE": "An error in QNAME minimization code can cause BIND to exit with an assertion failure" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "BIND 9", "version": { "version_data": [ { "version_value": "9.14.0 up to 9.14.6" }, { "version_value": "9.15.0 up to 9.15.4" } ] } } ] }, "vendor_name": "ISC" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "A defect in code added to support QNAME minimization can cause named to exit with an assertion failure if a forwarder returns a referral rather than resolving the query. This affects BIND versions 9.14.0 up to 9.14.6, and 9.15.0 up to 9.15.4." } ] }, "generator": { "engine": "Vulnogram 0.0.8" }, "impact": { "cvss": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "An attacker who manages to deliberately trigger this condition on a server which is performing recursion can cause named to exit, denying service to clients." } ] } ] }, "references": { "reference_data": [ { "name": "https://kb.isc.org/docs/cve-2019-6476", "refsource": "CONFIRM", "url": "https://kb.isc.org/docs/cve-2019-6476" }, { "name": "https://security.netapp.com/advisory/ntap-20191024-0004/", "refsource": "CONFIRM", "url": "https://security.netapp.com/advisory/ntap-20191024-0004/" }, { "name": "https://support.f5.com/csp/article/K42238532?utm_source=f5support\u0026amp;utm_medium=RSS", "refsource": "CONFIRM", "url": "https://support.f5.com/csp/article/K42238532?utm_source=f5support\u0026amp;utm_medium=RSS" } ] }, "solution": [ { "lang": "en", "value": "Upgrade to the patched release most closely related to your current version of BIND:\n + BIND 9.14.7\n + BIND 9.15.5" } ], "source": { "discovery": "USER" }, "work_around": [ { "lang": "en", "value": "ervers which have QNAME minimization turned on are potentially vulnerable to this defect if they are running an affected version of BIND. The vulnerability can be avoided by disabling QNAME minimization using \"qname-minimization disabled;\" in the global options section of named.conf (Note: the default value for the qname-minimization setting in the 9.14 and 9.15 branches is \"relaxed\". To make use of this workaround it must be explicitly disabled.)" } ] } } }, "cveMetadata": { "assignerOrgId": "404fd4d2-a609-4245-b543-2c944a302a22", "assignerShortName": "isc", "cveId": "CVE-2019-6476", "datePublished": "2019-10-17T19:17:39.240770Z", "dateReserved": "2019-01-16T00:00:00", "dateUpdated": "2024-09-16T16:58:26.060Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1", "meta": { "nvd": "{\"cve\":{\"id\":\"CVE-2019-6476\",\"sourceIdentifier\":\"security-officer@isc.org\",\"published\":\"2019-10-17T20:15:12.880\",\"lastModified\":\"2023-11-07T03:13:10.557\",\"vulnStatus\":\"Modified\",\"descriptions\":[{\"lang\":\"en\",\"value\":\"A defect in code added to support QNAME minimization can cause named to exit with an assertion failure if a forwarder returns a referral rather than resolving the query. This affects BIND versions 9.14.0 up to 9.14.6, and 9.15.0 up to 9.15.4.\"},{\"lang\":\"es\",\"value\":\"Un defecto en el c\u00f3digo agregado para soportar la minimizaci\u00f3n de QNAME puede causar que un nombrado salga con un error de aserci\u00f3n si un reenviador devuelve una referencia en lugar de resolver la consulta. Esto afecta a BIND versiones 9.14.0 hasta 9.14.6 y 9.15.0 hasta 9.15.4.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6},{\"source\":\"security-officer@isc.org\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\",\"baseScore\":5.9,\"baseSeverity\":\"MEDIUM\"},\"exploitabilityScore\":2.2,\"impactScore\":3.6}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:N/I:N/A:P\",\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"PARTIAL\",\"baseScore\":5.0},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":10.0,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-617\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:isc:bind:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"9.14.0\",\"versionEndIncluding\":\"9.14.6\",\"matchCriteriaId\":\"139ED9D5-ED04-479F-B9E2-2E5BB257C5CB\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:isc:bind:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"9.15.0\",\"versionEndIncluding\":\"9.15.4\",\"matchCriteriaId\":\"F910D6A0-1E35-443D-A57F-C4A8951B69F3\"}]}]}],\"references\":[{\"url\":\"https://kb.isc.org/docs/cve-2019-6476\",\"source\":\"security-officer@isc.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://security.netapp.com/advisory/ntap-20191024-0004/\",\"source\":\"security-officer@isc.org\"},{\"url\":\"https://support.f5.com/csp/article/K42238532?utm_source=f5support\u0026amp%3Butm_medium=RSS\",\"source\":\"security-officer@isc.org\"}]}}" } }
Loading...
Loading...
Sightings
Author | Source | Type | Date |
---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.