csaf_opensuse - opensuse-su-2024:11660-1

OPENSUSE-SU-2024:11660-1

Vulnerability from csaf_opensuse - Published: 2024-06-15 00:00 - Updated: 2024-06-15 00:00

Summary

bind-9.16.20-3.1 on GA media

Notes

Title of the patch

bind-9.16.20-3.1 on GA media

Description of the patch

These are all security issues fixed in the bind-9.16.20-3.1 package on the GA media of openSUSE Tumbleweed.

Patchnames

openSUSE-Tumbleweed-2024-11660

CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "bind-9.16.20-3.1 on GA media",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "These are all security issues fixed in the bind-9.16.20-3.1 package on the GA media of openSUSE Tumbleweed.",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "openSUSE-Tumbleweed-2024-11660",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_11660-1.json"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2021-25219 page",
        "url": "https://www.suse.com/security/cve/CVE-2021-25219/"
      }
    ],
    "title": "bind-9.16.20-3.1 on GA media",
    "tracking": {
      "current_release_date": "2024-06-15T00:00:00Z",
      "generator": {
        "date": "2024-06-15T00:00:00Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "openSUSE-SU-2024:11660-1",
      "initial_release_date": "2024-06-15T00:00:00Z",
      "revision_history": [
        {
          "date": "2024-06-15T00:00:00Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "bind-9.16.20-3.1.aarch64",
                "product": {
                  "name": "bind-9.16.20-3.1.aarch64",
                  "product_id": "bind-9.16.20-3.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "bind-doc-9.16.20-3.1.aarch64",
                "product": {
                  "name": "bind-doc-9.16.20-3.1.aarch64",
                  "product_id": "bind-doc-9.16.20-3.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "bind-utils-9.16.20-3.1.aarch64",
                "product": {
                  "name": "bind-utils-9.16.20-3.1.aarch64",
                  "product_id": "bind-utils-9.16.20-3.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "python3-bind-9.16.20-3.1.aarch64",
                "product": {
                  "name": "python3-bind-9.16.20-3.1.aarch64",
                  "product_id": "python3-bind-9.16.20-3.1.aarch64"
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "bind-9.16.20-3.1.ppc64le",
                "product": {
                  "name": "bind-9.16.20-3.1.ppc64le",
                  "product_id": "bind-9.16.20-3.1.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "bind-doc-9.16.20-3.1.ppc64le",
                "product": {
                  "name": "bind-doc-9.16.20-3.1.ppc64le",
                  "product_id": "bind-doc-9.16.20-3.1.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "bind-utils-9.16.20-3.1.ppc64le",
                "product": {
                  "name": "bind-utils-9.16.20-3.1.ppc64le",
                  "product_id": "bind-utils-9.16.20-3.1.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "python3-bind-9.16.20-3.1.ppc64le",
                "product": {
                  "name": "python3-bind-9.16.20-3.1.ppc64le",
                  "product_id": "python3-bind-9.16.20-3.1.ppc64le"
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "bind-9.16.20-3.1.s390x",
                "product": {
                  "name": "bind-9.16.20-3.1.s390x",
                  "product_id": "bind-9.16.20-3.1.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "bind-doc-9.16.20-3.1.s390x",
                "product": {
                  "name": "bind-doc-9.16.20-3.1.s390x",
                  "product_id": "bind-doc-9.16.20-3.1.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "bind-utils-9.16.20-3.1.s390x",
                "product": {
                  "name": "bind-utils-9.16.20-3.1.s390x",
                  "product_id": "bind-utils-9.16.20-3.1.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "python3-bind-9.16.20-3.1.s390x",
                "product": {
                  "name": "python3-bind-9.16.20-3.1.s390x",
                  "product_id": "python3-bind-9.16.20-3.1.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "bind-9.16.20-3.1.x86_64",
                "product": {
                  "name": "bind-9.16.20-3.1.x86_64",
                  "product_id": "bind-9.16.20-3.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "bind-doc-9.16.20-3.1.x86_64",
                "product": {
                  "name": "bind-doc-9.16.20-3.1.x86_64",
                  "product_id": "bind-doc-9.16.20-3.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "bind-utils-9.16.20-3.1.x86_64",
                "product": {
                  "name": "bind-utils-9.16.20-3.1.x86_64",
                  "product_id": "bind-utils-9.16.20-3.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "python3-bind-9.16.20-3.1.x86_64",
                "product": {
                  "name": "python3-bind-9.16.20-3.1.x86_64",
                  "product_id": "python3-bind-9.16.20-3.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "openSUSE Tumbleweed",
                "product": {
                  "name": "openSUSE Tumbleweed",
                  "product_id": "openSUSE Tumbleweed",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:opensuse:tumbleweed"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "bind-9.16.20-3.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:bind-9.16.20-3.1.aarch64"
        },
        "product_reference": "bind-9.16.20-3.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "bind-9.16.20-3.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:bind-9.16.20-3.1.ppc64le"
        },
        "product_reference": "bind-9.16.20-3.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "bind-9.16.20-3.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:bind-9.16.20-3.1.s390x"
        },
        "product_reference": "bind-9.16.20-3.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "bind-9.16.20-3.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:bind-9.16.20-3.1.x86_64"
        },
        "product_reference": "bind-9.16.20-3.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "bind-doc-9.16.20-3.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:bind-doc-9.16.20-3.1.aarch64"
        },
        "product_reference": "bind-doc-9.16.20-3.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "bind-doc-9.16.20-3.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:bind-doc-9.16.20-3.1.ppc64le"
        },
        "product_reference": "bind-doc-9.16.20-3.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "bind-doc-9.16.20-3.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:bind-doc-9.16.20-3.1.s390x"
        },
        "product_reference": "bind-doc-9.16.20-3.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "bind-doc-9.16.20-3.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:bind-doc-9.16.20-3.1.x86_64"
        },
        "product_reference": "bind-doc-9.16.20-3.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "bind-utils-9.16.20-3.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:bind-utils-9.16.20-3.1.aarch64"
        },
        "product_reference": "bind-utils-9.16.20-3.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "bind-utils-9.16.20-3.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:bind-utils-9.16.20-3.1.ppc64le"
        },
        "product_reference": "bind-utils-9.16.20-3.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "bind-utils-9.16.20-3.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:bind-utils-9.16.20-3.1.s390x"
        },
        "product_reference": "bind-utils-9.16.20-3.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "bind-utils-9.16.20-3.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:bind-utils-9.16.20-3.1.x86_64"
        },
        "product_reference": "bind-utils-9.16.20-3.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python3-bind-9.16.20-3.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python3-bind-9.16.20-3.1.aarch64"
        },
        "product_reference": "python3-bind-9.16.20-3.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python3-bind-9.16.20-3.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python3-bind-9.16.20-3.1.ppc64le"
        },
        "product_reference": "python3-bind-9.16.20-3.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python3-bind-9.16.20-3.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python3-bind-9.16.20-3.1.s390x"
        },
        "product_reference": "python3-bind-9.16.20-3.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python3-bind-9.16.20-3.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python3-bind-9.16.20-3.1.x86_64"
        },
        "product_reference": "python3-bind-9.16.20-3.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2021-25219",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2021-25219"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "In BIND 9.3.0 -\u003e 9.11.35, 9.12.0 -\u003e 9.16.21, and versions 9.9.3-S1 -\u003e 9.11.35-S1 and 9.16.8-S1 -\u003e 9.16.21-S1 of BIND Supported Preview Edition, as well as release versions 9.17.0 -\u003e 9.17.18 of the BIND 9.17 development branch, exploitation of broken authoritative servers using a flaw in response processing can cause degradation in BIND resolver performance. The way the lame cache is currently designed makes it possible for its internal data structures to grow almost infinitely, which may cause significant delays in client query processing.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:bind-9.16.20-3.1.aarch64",
          "openSUSE Tumbleweed:bind-9.16.20-3.1.ppc64le",
          "openSUSE Tumbleweed:bind-9.16.20-3.1.s390x",
          "openSUSE Tumbleweed:bind-9.16.20-3.1.x86_64",
          "openSUSE Tumbleweed:bind-doc-9.16.20-3.1.aarch64",
          "openSUSE Tumbleweed:bind-doc-9.16.20-3.1.ppc64le",
          "openSUSE Tumbleweed:bind-doc-9.16.20-3.1.s390x",
          "openSUSE Tumbleweed:bind-doc-9.16.20-3.1.x86_64",
          "openSUSE Tumbleweed:bind-utils-9.16.20-3.1.aarch64",
          "openSUSE Tumbleweed:bind-utils-9.16.20-3.1.ppc64le",
          "openSUSE Tumbleweed:bind-utils-9.16.20-3.1.s390x",
          "openSUSE Tumbleweed:bind-utils-9.16.20-3.1.x86_64",
          "openSUSE Tumbleweed:python3-bind-9.16.20-3.1.aarch64",
          "openSUSE Tumbleweed:python3-bind-9.16.20-3.1.ppc64le",
          "openSUSE Tumbleweed:python3-bind-9.16.20-3.1.s390x",
          "openSUSE Tumbleweed:python3-bind-9.16.20-3.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2021-25219",
          "url": "https://www.suse.com/security/cve/CVE-2021-25219"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1192146 for CVE-2021-25219",
          "url": "https://bugzilla.suse.com/1192146"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:bind-9.16.20-3.1.aarch64",
            "openSUSE Tumbleweed:bind-9.16.20-3.1.ppc64le",
            "openSUSE Tumbleweed:bind-9.16.20-3.1.s390x",
            "openSUSE Tumbleweed:bind-9.16.20-3.1.x86_64",
            "openSUSE Tumbleweed:bind-doc-9.16.20-3.1.aarch64",
            "openSUSE Tumbleweed:bind-doc-9.16.20-3.1.ppc64le",
            "openSUSE Tumbleweed:bind-doc-9.16.20-3.1.s390x",
            "openSUSE Tumbleweed:bind-doc-9.16.20-3.1.x86_64",
            "openSUSE Tumbleweed:bind-utils-9.16.20-3.1.aarch64",
            "openSUSE Tumbleweed:bind-utils-9.16.20-3.1.ppc64le",
            "openSUSE Tumbleweed:bind-utils-9.16.20-3.1.s390x",
            "openSUSE Tumbleweed:bind-utils-9.16.20-3.1.x86_64",
            "openSUSE Tumbleweed:python3-bind-9.16.20-3.1.aarch64",
            "openSUSE Tumbleweed:python3-bind-9.16.20-3.1.ppc64le",
            "openSUSE Tumbleweed:python3-bind-9.16.20-3.1.s390x",
            "openSUSE Tumbleweed:python3-bind-9.16.20-3.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:bind-9.16.20-3.1.aarch64",
            "openSUSE Tumbleweed:bind-9.16.20-3.1.ppc64le",
            "openSUSE Tumbleweed:bind-9.16.20-3.1.s390x",
            "openSUSE Tumbleweed:bind-9.16.20-3.1.x86_64",
            "openSUSE Tumbleweed:bind-doc-9.16.20-3.1.aarch64",
            "openSUSE Tumbleweed:bind-doc-9.16.20-3.1.ppc64le",
            "openSUSE Tumbleweed:bind-doc-9.16.20-3.1.s390x",
            "openSUSE Tumbleweed:bind-doc-9.16.20-3.1.x86_64",
            "openSUSE Tumbleweed:bind-utils-9.16.20-3.1.aarch64",
            "openSUSE Tumbleweed:bind-utils-9.16.20-3.1.ppc64le",
            "openSUSE Tumbleweed:bind-utils-9.16.20-3.1.s390x",
            "openSUSE Tumbleweed:bind-utils-9.16.20-3.1.x86_64",
            "openSUSE Tumbleweed:python3-bind-9.16.20-3.1.aarch64",
            "openSUSE Tumbleweed:python3-bind-9.16.20-3.1.ppc64le",
            "openSUSE Tumbleweed:python3-bind-9.16.20-3.1.s390x",
            "openSUSE Tumbleweed:python3-bind-9.16.20-3.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-06-15T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2021-25219"
    }
  ]
}

CVE-2021-25219 (GCVE-0-2021-25219)

Vulnerability from cvelistv5 – Published: 2021-10-27 21:10 – Updated: 2024-09-16 17:33

Summary

In BIND 9.3.0 -> 9.11.35, 9.12.0 -> 9.16.21, and versions 9.9.3-S1 -> 9.11.35-S1 and 9.16.8-S1 -> 9.16.21-S1 of BIND Supported Preview Edition, as well as release versions 9.17.0 -> 9.17.18 of the BIND 9.17 development branch, exploitation of broken authoritative servers using a flaw in response processing can cause degradation in BIND resolver performance. The way the lame cache is currently designed makes it possible for its internal data structures to grow almost infinitely, which may cause significant delays in client query processing.

Severity ?

5.3 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CWE

Authoritative-only BIND 9 servers are NOT vulnerable to this flaw. The purpose of a resolver's lame cache is to ensure that if an authoritative server responds to a resolver's query in a specific broken way, subsequent client queries for the same <QNAME, QTYPE> tuple do not trigger further queries to the same server for a configurable amount of time. The lame cache is enabled by setting the "lame-ttl" option in named.conf to a value greater than 0. That option is set to "lame-ttl 600;" in the default configuration, which means the lame cache is enabled by default. A successful attack exploiting this flaw causes a named resolver to spend most of its CPU time on managing and checking the lame cache. This results in client queries being responded to with large delays, and increased likelihood of DNS timeouts on client hosts. Affects BIND 9.3.0 -> 9.11.35, 9.12.0 -> 9.16.21, and versions 9.9.3-S1 -> 9.11.35-S1 and 9.16.8-S1 -> 9.16.21-S1 of BIND Supported Preview Edition, as well as release versions 9.17.0 -> 9.17.18 of the BIND 9.17 development branch.

Assigner

isc

References

URL

Tags

	https://kb.isc.org/v1/docs/cve-2021-25219
	https://www.debian.org/security/2021/dsa-4994	vendor-advisory
	https://lists.debian.org/debian-lts-announce/2021…	mailing-list
	https://lists.fedoraproject.org/archives/list/pac…	vendor-advisory
	https://lists.fedoraproject.org/archives/list/pac…	vendor-advisory
	https://lists.fedoraproject.org/archives/list/pac…	vendor-advisory
	https://www.oracle.com/security-alerts/cpuapr2022.html
	https://cert-portal.siemens.com/productcert/pdf/s…
	https://security.netapp.com/advisory/ntap-2021111…
	https://security.gentoo.org/glsa/202210-25	vendor-advisory

Impacted products

	Vendor	Product	Version
	ISC	BIND9	Affected: Open Source Branches 9.3 through 9.11 9.3.0 through versions before 9.11.36 Affected: Open Source Branches 9.12 through 9.16 9.12.0 through versions before 9.16.22 Affected: Supported Preview Branches 9.9-S through 9.11-S 9.9.3-S1 through versions before 9.11.36-S1 Affected: Supported Preview Branch 9.16-S 9.16.8-S1 through versions before 9.16.22-S1 Affected: Development Branch 9.17 9.17.0 through versions before 9.17.19

Credits

ISC would like to thank Kishore Kumar Kothapalli of Infoblox for bringing this vulnerability to our attention.

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T19:56:11.060Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://kb.isc.org/v1/docs/cve-2021-25219"
          },
          {
            "name": "DSA-4994",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2021/dsa-4994"
          },
          {
            "name": "[debian-lts-announce] 20211102 [SECURITY] [DLA 2807-1] bind9 security update",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2021/11/msg00001.html"
          },
          {
            "name": "FEDORA-2021-58e7b873b7",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YTKC4E3HUOLYN5IA4EBL4VAQSWG2ZVTX/"
          },
          {
            "name": "FEDORA-2021-39b33260b8",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YGV7SA27CTYLGFJSPUM3V36ZWK7WWDI4/"
          },
          {
            "name": "FEDORA-2021-eb8dab50ba",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EF4NAVRV4H3W4GA3LGGZYUKD3HSJBAVW/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20211118-0002/"
          },
          {
            "name": "GLSA-202210-25",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://security.gentoo.org/glsa/202210-25"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "BIND9",
          "vendor": "ISC",
          "versions": [
            {
              "status": "affected",
              "version": "Open Source Branches 9.3 through 9.11 9.3.0 through versions before 9.11.36"
            },
            {
              "status": "affected",
              "version": "Open Source Branches 9.12 through 9.16 9.12.0 through versions before 9.16.22"
            },
            {
              "status": "affected",
              "version": "Supported Preview Branches 9.9-S through 9.11-S 9.9.3-S1 through versions before 9.11.36-S1"
            },
            {
              "status": "affected",
              "version": "Supported Preview Branch 9.16-S 9.16.8-S1 through versions before 9.16.22-S1"
            },
            {
              "status": "affected",
              "version": "Development Branch 9.17 9.17.0 through versions before 9.17.19"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "ISC would like to thank Kishore Kumar Kothapalli of Infoblox for bringing this vulnerability to our attention."
        }
      ],
      "datePublic": "2021-10-27T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "In BIND 9.3.0 -\u003e 9.11.35, 9.12.0 -\u003e 9.16.21, and versions 9.9.3-S1 -\u003e 9.11.35-S1 and 9.16.8-S1 -\u003e 9.16.21-S1 of BIND Supported Preview Edition, as well as release versions 9.17.0 -\u003e 9.17.18 of the BIND 9.17 development branch, exploitation of broken authoritative servers using a flaw in response processing can cause degradation in BIND resolver performance. The way the lame cache is currently designed makes it possible for its internal data structures to grow almost infinitely, which may cause significant delays in client query processing."
        }
      ],
      "exploits": [
        {
          "lang": "en",
          "value": "We are not aware of any active exploits."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Authoritative-only BIND 9 servers are NOT vulnerable to this flaw. The purpose of a resolver\u0027s lame cache is to ensure that if an authoritative server responds to a resolver\u0027s query in a specific broken way, subsequent client queries for the same \u003cQNAME, QTYPE\u003e tuple do not trigger further queries to the same server for a configurable amount of time. The lame cache is enabled by setting the \"lame-ttl\" option in named.conf to a value greater than 0. That option is set to \"lame-ttl 600;\" in the default configuration, which means the lame cache is enabled by default. A successful attack exploiting this flaw causes a named resolver to spend most of its CPU time on managing and checking the lame cache. This results in client queries being responded to with large delays, and increased likelihood of DNS timeouts on client hosts. Affects BIND 9.3.0 -\u003e 9.11.35, 9.12.0 -\u003e 9.16.21, and versions 9.9.3-S1 -\u003e 9.11.35-S1 and 9.16.8-S1 -\u003e 9.16.21-S1 of BIND Supported Preview Edition, as well as release versions 9.17.0 -\u003e 9.17.18 of the BIND 9.17 development branch.",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-10-31T00:00:00",
        "orgId": "404fd4d2-a609-4245-b543-2c944a302a22",
        "shortName": "isc"
      },
      "references": [
        {
          "url": "https://kb.isc.org/v1/docs/cve-2021-25219"
        },
        {
          "name": "DSA-4994",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://www.debian.org/security/2021/dsa-4994"
        },
        {
          "name": "[debian-lts-announce] 20211102 [SECURITY] [DLA 2807-1] bind9 security update",
          "tags": [
            "mailing-list"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2021/11/msg00001.html"
        },
        {
          "name": "FEDORA-2021-58e7b873b7",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YTKC4E3HUOLYN5IA4EBL4VAQSWG2ZVTX/"
        },
        {
          "name": "FEDORA-2021-39b33260b8",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YGV7SA27CTYLGFJSPUM3V36ZWK7WWDI4/"
        },
        {
          "name": "FEDORA-2021-eb8dab50ba",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EF4NAVRV4H3W4GA3LGGZYUKD3HSJBAVW/"
        },
        {
          "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
        },
        {
          "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf"
        },
        {
          "url": "https://security.netapp.com/advisory/ntap-20211118-0002/"
        },
        {
          "name": "GLSA-202210-25",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://security.gentoo.org/glsa/202210-25"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "Upgrade to the patched release most closely related to your current version of BIND: BIND 9.11.36, BIND 9.16.22, BIND 9.17.19, or for BIND Supported Preview Edition (a special feature preview branch of BIND provided to eligible ISC support customers): BIND 9.11.36-S1, BIND 9.16.22-S1."
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Lame cache can be abused to severely degrade resolver performance",
      "workarounds": [
        {
          "lang": "en",
          "value": "Setting \"lame-ttl 0;\" disables the lame cache and prevents the performance issue. Our research and testing indicate that in the current Internet there is almost no downside to disabling the lame cache."
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "404fd4d2-a609-4245-b543-2c944a302a22",
    "assignerShortName": "isc",
    "cveId": "CVE-2021-25219",
    "datePublished": "2021-10-27T21:10:10.088929Z",
    "dateReserved": "2021-01-15T00:00:00",
    "dateUpdated": "2024-09-16T17:33:38.865Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

OPENSUSE-SU-2024:11660-1

CVE-2021-25219 (GCVE-0-2021-25219)

Tags

Sightings

Nomenclature