csaf_opensuse - opensuse-su-2022:0946-1

OPENSUSE-SU-2022:0946-1

Vulnerability from csaf_opensuse - Published: 2022-03-24 14:19 - Updated: 2022-03-24 14:19

Summary

Security update for bind

Notes

Title of the patch

Security update for bind

Description of the patch

This update for bind fixes the following issues: - CVE-2021-25220: Fixed a DNS cache poisoning vulnerability due to loose caching rules (bsc#1197135).

Patchnames

openSUSE-SLE-15.3-2022-946,openSUSE-SLE-15.4-2022-946

CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Security update for bind",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "This update for bind fixes the following issues:\n\n- CVE-2021-25220: Fixed a DNS cache poisoning vulnerability due to loose\n  caching rules (bsc#1197135).\n",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "openSUSE-SLE-15.3-2022-946,openSUSE-SLE-15.4-2022-946",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2022_0946-1.json"
      },
      {
        "category": "self",
        "summary": "URL for openSUSE-SU-2022:0946-1",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/H45VCAWRRO6SPMMAFDPU45PJLVOMA44Y/"
      },
      {
        "category": "self",
        "summary": "E-Mail link for openSUSE-SU-2022:0946-1",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/H45VCAWRRO6SPMMAFDPU45PJLVOMA44Y/"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1197135",
        "url": "https://bugzilla.suse.com/1197135"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2021-25220 page",
        "url": "https://www.suse.com/security/cve/CVE-2021-25220/"
      }
    ],
    "title": "Security update for bind",
    "tracking": {
      "current_release_date": "2022-03-24T14:19:53Z",
      "generator": {
        "date": "2022-03-24T14:19:53Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "openSUSE-SU-2022:0946-1",
      "initial_release_date": "2022-03-24T14:19:53Z",
      "revision_history": [
        {
          "date": "2022-03-24T14:19:53Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "bind-devel-32bit-9.16.6-150000.12.60.1.x86_64",
                "product": {
                  "name": "bind-devel-32bit-9.16.6-150000.12.60.1.x86_64",
                  "product_id": "bind-devel-32bit-9.16.6-150000.12.60.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "libbind9-1600-32bit-9.16.6-150000.12.60.1.x86_64",
                "product": {
                  "name": "libbind9-1600-32bit-9.16.6-150000.12.60.1.x86_64",
                  "product_id": "libbind9-1600-32bit-9.16.6-150000.12.60.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "libdns1605-32bit-9.16.6-150000.12.60.1.x86_64",
                "product": {
                  "name": "libdns1605-32bit-9.16.6-150000.12.60.1.x86_64",
                  "product_id": "libdns1605-32bit-9.16.6-150000.12.60.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "libirs1601-32bit-9.16.6-150000.12.60.1.x86_64",
                "product": {
                  "name": "libirs1601-32bit-9.16.6-150000.12.60.1.x86_64",
                  "product_id": "libirs1601-32bit-9.16.6-150000.12.60.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "libisc1606-32bit-9.16.6-150000.12.60.1.x86_64",
                "product": {
                  "name": "libisc1606-32bit-9.16.6-150000.12.60.1.x86_64",
                  "product_id": "libisc1606-32bit-9.16.6-150000.12.60.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "libisccc1600-32bit-9.16.6-150000.12.60.1.x86_64",
                "product": {
                  "name": "libisccc1600-32bit-9.16.6-150000.12.60.1.x86_64",
                  "product_id": "libisccc1600-32bit-9.16.6-150000.12.60.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "libisccfg1600-32bit-9.16.6-150000.12.60.1.x86_64",
                "product": {
                  "name": "libisccfg1600-32bit-9.16.6-150000.12.60.1.x86_64",
                  "product_id": "libisccfg1600-32bit-9.16.6-150000.12.60.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "libns1604-32bit-9.16.6-150000.12.60.1.x86_64",
                "product": {
                  "name": "libns1604-32bit-9.16.6-150000.12.60.1.x86_64",
                  "product_id": "libns1604-32bit-9.16.6-150000.12.60.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "openSUSE Leap 15.3",
                "product": {
                  "name": "openSUSE Leap 15.3",
                  "product_id": "openSUSE Leap 15.3",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:opensuse:leap:15.3"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "bind-devel-32bit-9.16.6-150000.12.60.1.x86_64 as component of openSUSE Leap 15.3",
          "product_id": "openSUSE Leap 15.3:bind-devel-32bit-9.16.6-150000.12.60.1.x86_64"
        },
        "product_reference": "bind-devel-32bit-9.16.6-150000.12.60.1.x86_64",
        "relates_to_product_reference": "openSUSE Leap 15.3"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libbind9-1600-32bit-9.16.6-150000.12.60.1.x86_64 as component of openSUSE Leap 15.3",
          "product_id": "openSUSE Leap 15.3:libbind9-1600-32bit-9.16.6-150000.12.60.1.x86_64"
        },
        "product_reference": "libbind9-1600-32bit-9.16.6-150000.12.60.1.x86_64",
        "relates_to_product_reference": "openSUSE Leap 15.3"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libdns1605-32bit-9.16.6-150000.12.60.1.x86_64 as component of openSUSE Leap 15.3",
          "product_id": "openSUSE Leap 15.3:libdns1605-32bit-9.16.6-150000.12.60.1.x86_64"
        },
        "product_reference": "libdns1605-32bit-9.16.6-150000.12.60.1.x86_64",
        "relates_to_product_reference": "openSUSE Leap 15.3"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libirs1601-32bit-9.16.6-150000.12.60.1.x86_64 as component of openSUSE Leap 15.3",
          "product_id": "openSUSE Leap 15.3:libirs1601-32bit-9.16.6-150000.12.60.1.x86_64"
        },
        "product_reference": "libirs1601-32bit-9.16.6-150000.12.60.1.x86_64",
        "relates_to_product_reference": "openSUSE Leap 15.3"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libisc1606-32bit-9.16.6-150000.12.60.1.x86_64 as component of openSUSE Leap 15.3",
          "product_id": "openSUSE Leap 15.3:libisc1606-32bit-9.16.6-150000.12.60.1.x86_64"
        },
        "product_reference": "libisc1606-32bit-9.16.6-150000.12.60.1.x86_64",
        "relates_to_product_reference": "openSUSE Leap 15.3"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libisccc1600-32bit-9.16.6-150000.12.60.1.x86_64 as component of openSUSE Leap 15.3",
          "product_id": "openSUSE Leap 15.3:libisccc1600-32bit-9.16.6-150000.12.60.1.x86_64"
        },
        "product_reference": "libisccc1600-32bit-9.16.6-150000.12.60.1.x86_64",
        "relates_to_product_reference": "openSUSE Leap 15.3"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libisccfg1600-32bit-9.16.6-150000.12.60.1.x86_64 as component of openSUSE Leap 15.3",
          "product_id": "openSUSE Leap 15.3:libisccfg1600-32bit-9.16.6-150000.12.60.1.x86_64"
        },
        "product_reference": "libisccfg1600-32bit-9.16.6-150000.12.60.1.x86_64",
        "relates_to_product_reference": "openSUSE Leap 15.3"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libns1604-32bit-9.16.6-150000.12.60.1.x86_64 as component of openSUSE Leap 15.3",
          "product_id": "openSUSE Leap 15.3:libns1604-32bit-9.16.6-150000.12.60.1.x86_64"
        },
        "product_reference": "libns1604-32bit-9.16.6-150000.12.60.1.x86_64",
        "relates_to_product_reference": "openSUSE Leap 15.3"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2021-25220",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2021-25220"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "BIND 9.11.0 -\u003e 9.11.36 9.12.0 -\u003e 9.16.26 9.17.0 -\u003e 9.18.0 BIND Supported Preview Editions: 9.11.4-S1 -\u003e 9.11.36-S1 9.16.8-S1 -\u003e 9.16.26-S1 Versions of BIND 9 earlier than those shown - back to 9.1.0, including Supported Preview Editions - are also believed to be affected but have not been tested as they are EOL. The cache could become poisoned with incorrect records leading to queries being made to the wrong servers, which might also result in false information being returned to clients.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Leap 15.3:bind-devel-32bit-9.16.6-150000.12.60.1.x86_64",
          "openSUSE Leap 15.3:libbind9-1600-32bit-9.16.6-150000.12.60.1.x86_64",
          "openSUSE Leap 15.3:libdns1605-32bit-9.16.6-150000.12.60.1.x86_64",
          "openSUSE Leap 15.3:libirs1601-32bit-9.16.6-150000.12.60.1.x86_64",
          "openSUSE Leap 15.3:libisc1606-32bit-9.16.6-150000.12.60.1.x86_64",
          "openSUSE Leap 15.3:libisccc1600-32bit-9.16.6-150000.12.60.1.x86_64",
          "openSUSE Leap 15.3:libisccfg1600-32bit-9.16.6-150000.12.60.1.x86_64",
          "openSUSE Leap 15.3:libns1604-32bit-9.16.6-150000.12.60.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2021-25220",
          "url": "https://www.suse.com/security/cve/CVE-2021-25220"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1197135 for CVE-2021-25220",
          "url": "https://bugzilla.suse.com/1197135"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Leap 15.3:bind-devel-32bit-9.16.6-150000.12.60.1.x86_64",
            "openSUSE Leap 15.3:libbind9-1600-32bit-9.16.6-150000.12.60.1.x86_64",
            "openSUSE Leap 15.3:libdns1605-32bit-9.16.6-150000.12.60.1.x86_64",
            "openSUSE Leap 15.3:libirs1601-32bit-9.16.6-150000.12.60.1.x86_64",
            "openSUSE Leap 15.3:libisc1606-32bit-9.16.6-150000.12.60.1.x86_64",
            "openSUSE Leap 15.3:libisccc1600-32bit-9.16.6-150000.12.60.1.x86_64",
            "openSUSE Leap 15.3:libisccfg1600-32bit-9.16.6-150000.12.60.1.x86_64",
            "openSUSE Leap 15.3:libns1604-32bit-9.16.6-150000.12.60.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 6.8,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "openSUSE Leap 15.3:bind-devel-32bit-9.16.6-150000.12.60.1.x86_64",
            "openSUSE Leap 15.3:libbind9-1600-32bit-9.16.6-150000.12.60.1.x86_64",
            "openSUSE Leap 15.3:libdns1605-32bit-9.16.6-150000.12.60.1.x86_64",
            "openSUSE Leap 15.3:libirs1601-32bit-9.16.6-150000.12.60.1.x86_64",
            "openSUSE Leap 15.3:libisc1606-32bit-9.16.6-150000.12.60.1.x86_64",
            "openSUSE Leap 15.3:libisccc1600-32bit-9.16.6-150000.12.60.1.x86_64",
            "openSUSE Leap 15.3:libisccfg1600-32bit-9.16.6-150000.12.60.1.x86_64",
            "openSUSE Leap 15.3:libns1604-32bit-9.16.6-150000.12.60.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2022-03-24T14:19:53Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2021-25220"
    }
  ]
}

CVE-2021-25220 (GCVE-0-2021-25220)

Vulnerability from cvelistv5 – Published: 2022-03-23 12:50 – Updated: 2024-09-16 17:08

Summary

BIND 9.11.0 -> 9.11.36 9.12.0 -> 9.16.26 9.17.0 -> 9.18.0 BIND Supported Preview Editions: 9.11.4-S1 -> 9.11.36-S1 9.16.8-S1 -> 9.16.26-S1 Versions of BIND 9 earlier than those shown - back to 9.1.0, including Supported Preview Editions - are also believed to be affected but have not been tested as they are EOL. The cache could become poisoned with incorrect records leading to queries being made to the wrong servers, which might also result in false information being returned to clients.

Severity ?

6.8 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:N

CWE

When using forwarders, bogus NS records supplied by, or via, those forwarders may be cached and used by named if it needs to recurse for any reason, causing it to obtain and pass on potentially incorrect answers. Some examples of configurations that will be vulnerable are: Resolvers using per zone or global forwarding with forward first (forward first is the default). Resolvers not using global forwarding, but with per-zone forwarding with either forward first (the default) or forward only. Resolvers configured with global forwarding along with zone statements that disable forwarding for part of the DNS namespace. Authoritative-only BIND 9 servers are not vulnerable to this flaw. BIND 9.11.0 -> 9.11.36 9.12.0 -> 9.16.26 9.17.0 -> 9.18.0 BIND Supported Preview Editions: 9.11.4-S1 -> 9.11.36-S1 9.16.8-S1 -> 9.16.26-S1 Versions of BIND 9 earlier than those shown - back to 9.1.0, including Supported Preview Editions - are also believed to be affected but have not been tested as they are EOL.

Assigner

isc

References

URL

Tags

	https://kb.isc.org/v1/docs/cve-2021-25220
	https://lists.fedoraproject.org/archives/list/pac…	vendor-advisory
	https://lists.fedoraproject.org/archives/list/pac…	vendor-advisory
	https://security.netapp.com/advisory/ntap-2022040…
	https://lists.fedoraproject.org/archives/list/pac…	vendor-advisory
	https://lists.fedoraproject.org/archives/list/pac…	vendor-advisory
	https://lists.fedoraproject.org/archives/list/pac…	vendor-advisory
	https://cert-portal.siemens.com/productcert/pdf/s…
	https://security.gentoo.org/glsa/202210-25	vendor-advisory
	https://supportportal.juniper.net/s/article/2022-…

Impacted products

	Vendor	Product	Version
	ISC	BIND	Affected: Open Source Branch 9.11 9.11.0 through versions before 9.11.37 Affected: Development Branch 9.17 BIND 9.17 all version Affected: Open Source Branch 9.12-16 9.12.0 through versions before 9.16.27 Affected: Open Source Branch 9.18 9.18.0 Affected: Supported Preview Branch 9.11-S 9.11.0-S through versions before 9.11.37-S Affected: Supported Preview Branch 9.16-S 9.16.0-S through versions before 9.16.27-S

Credits

ISC would like to thank Xiang Li, Baojun Liu, and Chaoyi Lu from Network and Information Security Lab, Tsinghua University and Changgen Zou from Qi An Xin Group Corp. for discovering and reporting this issue.

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T19:56:11.083Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://kb.isc.org/v1/docs/cve-2021-25220"
          },
          {
            "name": "FEDORA-2022-14e36aac0c",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NYD7US4HZRFUGAJ66ZTHFBYVP5N3OQBY/"
          },
          {
            "name": "FEDORA-2022-042d9c6146",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/API7U5E7SX7BAAVFNW366FFJGD6NZZKV/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20220408-0001/"
          },
          {
            "name": "FEDORA-2022-a88218de5c",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5VX3I2U3ICOIEI5Y7OYA6CHOLFMNH3YQ/"
          },
          {
            "name": "FEDORA-2022-05918f0838",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2SXT7247QTKNBQ67MNRGZD23ADXU6E5U/"
          },
          {
            "name": "FEDORA-2022-3f293290c3",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DE3UAVCPUMAKG27ZL5YXSP2C3RIOW3JZ/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf"
          },
          {
            "name": "GLSA-202210-25",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://security.gentoo.org/glsa/202210-25"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://supportportal.juniper.net/s/article/2022-10-Security-Bulletin-Junos-OS-SRX-Series-Cache-poisoning-vulnerability-in-BIND-used-by-DNS-Proxy-CVE-2021-25220?language=en_US"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "BIND",
          "vendor": "ISC",
          "versions": [
            {
              "status": "affected",
              "version": "Open Source Branch 9.11  9.11.0 through versions before 9.11.37"
            },
            {
              "status": "affected",
              "version": "Development Branch 9.17  BIND 9.17 all version"
            },
            {
              "status": "affected",
              "version": "Open Source Branch 9.12-16  9.12.0 through versions before 9.16.27"
            },
            {
              "status": "affected",
              "version": "Open Source Branch 9.18 9.18.0"
            },
            {
              "status": "affected",
              "version": "Supported Preview Branch 9.11-S 9.11.0-S through versions before 9.11.37-S"
            },
            {
              "status": "affected",
              "version": "Supported Preview Branch 9.16-S  9.16.0-S through versions before 9.16.27-S"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "ISC would like to thank Xiang Li, Baojun Liu, and Chaoyi Lu from Network and Information Security Lab, Tsinghua University and Changgen Zou from Qi An Xin Group Corp. for discovering and reporting this issue."
        }
      ],
      "datePublic": "2022-03-16T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "BIND 9.11.0 -\u003e 9.11.36 9.12.0 -\u003e 9.16.26 9.17.0 -\u003e 9.18.0 BIND Supported Preview Editions: 9.11.4-S1 -\u003e 9.11.36-S1 9.16.8-S1 -\u003e 9.16.26-S1 Versions of BIND 9 earlier than those shown - back to 9.1.0, including Supported Preview Editions - are also believed to be affected but have not been tested as they are EOL. The cache could become poisoned with incorrect records leading to queries being made to the wrong servers, which might also result in false information being returned to clients."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.8,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "When using forwarders, bogus NS records supplied by, or via, those forwarders may be cached and used by named if it needs to recurse for any reason, causing it to obtain and pass on potentially incorrect answers. Some examples of configurations that will be vulnerable are:     Resolvers using per zone or global forwarding with forward first (forward first is the default).     Resolvers not using global forwarding, but with per-zone forwarding with either forward first (the default) or forward only.     Resolvers configured with global forwarding along with zone statements that disable forwarding for part of the DNS namespace. Authoritative-only BIND 9 servers are not vulnerable to this flaw. BIND     9.11.0 -\u003e 9.11.36     9.12.0 -\u003e 9.16.26     9.17.0 -\u003e 9.18.0 BIND Supported Preview Editions:     9.11.4-S1 -\u003e 9.11.36-S1     9.16.8-S1 -\u003e 9.16.26-S1 Versions of BIND 9 earlier than those shown - back to 9.1.0, including Supported Preview Editions - are also believed to be affected but have not been tested as they are EOL.",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-07-23T00:00:00",
        "orgId": "404fd4d2-a609-4245-b543-2c944a302a22",
        "shortName": "isc"
      },
      "references": [
        {
          "url": "https://kb.isc.org/v1/docs/cve-2021-25220"
        },
        {
          "name": "FEDORA-2022-14e36aac0c",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NYD7US4HZRFUGAJ66ZTHFBYVP5N3OQBY/"
        },
        {
          "name": "FEDORA-2022-042d9c6146",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/API7U5E7SX7BAAVFNW366FFJGD6NZZKV/"
        },
        {
          "url": "https://security.netapp.com/advisory/ntap-20220408-0001/"
        },
        {
          "name": "FEDORA-2022-a88218de5c",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5VX3I2U3ICOIEI5Y7OYA6CHOLFMNH3YQ/"
        },
        {
          "name": "FEDORA-2022-05918f0838",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2SXT7247QTKNBQ67MNRGZD23ADXU6E5U/"
        },
        {
          "name": "FEDORA-2022-3f293290c3",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DE3UAVCPUMAKG27ZL5YXSP2C3RIOW3JZ/"
        },
        {
          "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf"
        },
        {
          "name": "GLSA-202210-25",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://security.gentoo.org/glsa/202210-25"
        },
        {
          "url": "https://supportportal.juniper.net/s/article/2022-10-Security-Bulletin-Junos-OS-SRX-Series-Cache-poisoning-vulnerability-in-BIND-used-by-DNS-Proxy-CVE-2021-25220?language=en_US"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "Upgrade to the patched release most closely related to your current version of BIND:\n    BIND 9.11.37\n    BIND 9.16.27\n    BIND 9.18.1\nBIND Supported Preview Edition is a special feature preview branch of BIND provided to eligible ISC support customers.\n    BIND 9.11.37-S1\n    BIND 9.16.27-S1"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "DNS forwarders - cache poisoning vulnerability",
      "workarounds": [
        {
          "lang": "en",
          "value": "If applicable, modify your configuration to either remove all forwarding or all possibility of recursion. Depending on your use-case, it may be possible to use other zone types to replace forward zones.\nActive exploits: We are not aware of any active exploits."
        }
      ],
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "404fd4d2-a609-4245-b543-2c944a302a22",
    "assignerShortName": "isc",
    "cveId": "CVE-2021-25220",
    "datePublished": "2022-03-23T12:50:10.367480Z",
    "dateReserved": "2021-01-15T00:00:00",
    "dateUpdated": "2024-09-16T17:08:54.143Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

OPENSUSE-SU-2022:0946-1

CVE-2021-25220 (GCVE-0-2021-25220)

Tags

Sightings

Nomenclature