{"containers": {"cna": {"affected": [{"product": "BIND 9", "vendor": "ISC", "versions": [{"status": "affected", "version": "9.8.0 -> 9.8.8-P1, 9.9.0 -> 9.9.9-P6, 9.9.10b1->9.9.10rc1, 9.10.0 -> 9.10.4-P6, 9.10.5b1->9.10.5rc1, 9.11.0 -> 9.11.0-P3, 9.11.1b1->9.11.1rc1, 9.9.3-S1 -> 9.9.9-S8"}]}], "credits": [{"lang": "en", "value": "ISC would like to thank Oleg Gorokhov of Yandex for making us aware of this vulnerability."}], "datePublic": "2017-03-12T00:00:00", "descriptions": [{"lang": "en", "value": "A query with a specific set of characteristics could cause a server using DNS64 to encounter an assertion failure and terminate. An attacker could deliberately construct a query, enabling denial-of-service against a server if it was configured to use the DNS64 feature and other preconditions were met. Affects BIND 9.8.0 -> 9.8.8-P1, 9.9.0 -> 9.9.9-P6, 9.9.10b1->9.9.10rc1, 9.10.0 -> 9.10.4-P6, 9.10.5b1->9.10.5rc1, 9.11.0 -> 9.11.0-P3, 9.11.1b1->9.11.1rc1, 9.9.3-S1 -> 9.9.9-S8."}], "metrics": [{"cvssV3_0": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0"}}], "problemTypes": [{"descriptions": [{"description": "Servers are at risk if they are configured to use DNS64 and if the option \"break-dnssec yes;\" is in use.", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2020-10-20T11:06:37", "orgId": "404fd4d2-a609-4245-b543-2c944a302a22", "shortName": "isc"}, "references": [{"name": "RHSA-2017:1095", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2017:1095"}, {"name": "GLSA-201708-01", "tags": ["vendor-advisory", "x_refsource_GENTOO"], "url": "https://security.gentoo.org/glsa/201708-01"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://security.netapp.com/advisory/ntap-20180802-0002/"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbux03747en_us"}, {"name": "DSA-3854", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "https://www.debian.org/security/2017/dsa-3854"}, {"name": "1038259", "tags": ["vdb-entry", "x_refsource_SECTRACK"], "url": "http://www.securitytracker.com/id/1038259"}, {"name": "97653", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/97653"}, {"name": "RHSA-2017:1105", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2017:1105"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://kb.isc.org/docs/aa-01465"}, {"name": "openSUSE-SU-2020:1699", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00041.html"}, {"name": "openSUSE-SU-2020:1701", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00044.html"}], "solutions": [{"lang": "en", "value": "Upgrade to the patched release most closely related to your current version of BIND. These can all be downloaded from http://www.isc.org/downloads.\n\n BIND 9 version 9.9.9-P8\n BIND 9 version 9.10.4-P8\n BIND 9 version 9.11.0-P5\n\nBIND Supported Preview Edition is a special feature preview branch of BIND provided to eligible ISC support customers.\n\n BIND 9 version 9.9.9-S10\n\nNew maintenance releases of BIND are also scheduled which contain the fix for this vulnerability. In addition to the security releases listed above, fixes for this vulnerability are also included in these release candidate versions:\n\n BIND 9 version 9.9.10rc3\n BIND 9 version 9.10.5rc3\n BIND 9 version 9.11.1rc3"}], "source": {"discovery": "UNKNOWN"}, "title": "An error handling synthesized records could cause an assertion failure when using DNS64 with \"break-dnssec yes;\"", "workarounds": [{"lang": "en", "value": "Servers which have configurations which require DNS64 and \"break-dnssec yes;\" should upgrade. Servers which are not using these features in conjunction are not at risk from this defect."}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-officer@isc.org", "DATE_PUBLIC": "2017-03-12T00:00:00.000Z", "ID": "CVE-2017-3136", "STATE": "PUBLIC", "TITLE": "An error handling synthesized records could cause an assertion failure when using DNS64 with \"break-dnssec yes;\""}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "BIND 9", "version": {"version_data": [{"version_value": "9.8.0 -> 9.8.8-P1, 9.9.0 -> 9.9.9-P6, 9.9.10b1->9.9.10rc1, 9.10.0 -> 9.10.4-P6, 9.10.5b1->9.10.5rc1, 9.11.0 -> 9.11.0-P3, 9.11.1b1->9.11.1rc1, 9.9.3-S1 -> 9.9.9-S8"}]}}]}, "vendor_name": "ISC"}]}}, "credit": [{"lang": "eng", "value": "ISC would like to thank Oleg Gorokhov of Yandex for making us aware of this vulnerability."}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A query with a specific set of characteristics could cause a server using DNS64 to encounter an assertion failure and terminate. An attacker could deliberately construct a query, enabling denial-of-service against a server if it was configured to use the DNS64 feature and other preconditions were met. Affects BIND 9.8.0 -> 9.8.8-P1, 9.9.0 -> 9.9.9-P6, 9.9.10b1->9.9.10rc1, 9.10.0 -> 9.10.4-P6, 9.10.5b1->9.10.5rc1, 9.11.0 -> 9.11.0-P3, 9.11.1b1->9.11.1rc1, 9.9.3-S1 -> 9.9.9-S8."}]}, "impact": {"cvss": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Servers are at risk if they are configured to use DNS64 and if the option \"break-dnssec yes;\" is in use."}]}]}, "references": {"reference_data": [{"name": "RHSA-2017:1095", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2017:1095"}, {"name": "GLSA-201708-01", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/201708-01"}, {"name": "https://security.netapp.com/advisory/ntap-20180802-0002/", "refsource": "CONFIRM", "url": "https://security.netapp.com/advisory/ntap-20180802-0002/"}, {"name": "https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbux03747en_us", "refsource": "CONFIRM", "url": "https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbux03747en_us"}, {"name": "DSA-3854", "refsource": "DEBIAN", "url": "https://www.debian.org/security/2017/dsa-3854"}, {"name": "1038259", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id/1038259"}, {"name": "97653", "refsource": "BID", "url": "http://www.securityfocus.com/bid/97653"}, {"name": "RHSA-2017:1105", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2017:1105"}, {"name": "https://kb.isc.org/docs/aa-01465", "refsource": "CONFIRM", "url": "https://kb.isc.org/docs/aa-01465"}, {"name": "openSUSE-SU-2020:1699", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00041.html"}, {"name": "openSUSE-SU-2020:1701", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00044.html"}]}, "solution": [{"lang": "en", "value": "Upgrade to the patched release most closely related to your current version of BIND. These can all be downloaded from http://www.isc.org/downloads.\n\n BIND 9 version 9.9.9-P8\n BIND 9 version 9.10.4-P8\n BIND 9 version 9.11.0-P5\n\nBIND Supported Preview Edition is a special feature preview branch of BIND provided to eligible ISC support customers.\n\n BIND 9 version 9.9.9-S10\n\nNew maintenance releases of BIND are also scheduled which contain the fix for this vulnerability. In addition to the security releases listed above, fixes for this vulnerability are also included in these release candidate versions:\n\n BIND 9 version 9.9.10rc3\n BIND 9 version 9.10.5rc3\n BIND 9 version 9.11.1rc3"}], "source": {"discovery": "UNKNOWN"}, "work_around": [{"lang": "en", "value": "Servers which have configurations which require DNS64 and \"break-dnssec yes;\" should upgrade. Servers which are not using these features in conjunction are not at risk from this defect."}]}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T14:16:28.169Z"}, "title": "CVE Program Container", "references": [{"name": "RHSA-2017:1095", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2017:1095"}, {"name": "GLSA-201708-01", "tags": ["vendor-advisory", "x_refsource_GENTOO", "x_transferred"], "url": "https://security.gentoo.org/glsa/201708-01"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://security.netapp.com/advisory/ntap-20180802-0002/"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbux03747en_us"}, {"name": "DSA-3854", "tags": ["vendor-advisory", "x_refsource_DEBIAN", "x_transferred"], "url": "https://www.debian.org/security/2017/dsa-3854"}, {"name": "1038259", "tags": ["vdb-entry", "x_refsource_SECTRACK", "x_transferred"], "url": "http://www.securitytracker.com/id/1038259"}, {"name": "97653", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/97653"}, {"name": "RHSA-2017:1105", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2017:1105"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://kb.isc.org/docs/aa-01465"}, {"name": "openSUSE-SU-2020:1699", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00041.html"}, {"name": "openSUSE-SU-2020:1701", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00044.html"}]}]}, "cveMetadata": {"assignerOrgId": "404fd4d2-a609-4245-b543-2c944a302a22", "assignerShortName": "isc", "cveId": "CVE-2017-3136", "datePublished": "2019-01-16T20:00:00Z", "dateReserved": "2016-12-02T00:00:00", "dateUpdated": "2024-09-17T00:51:35.181Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:isc:bind:*:*:*:*:*:*:*:*", "matchCriteriaId": "6BCD9327-F097-49B8-BEFF-07785EE8BB6D", "versionEndIncluding": "9.8.8", "versionStartIncluding": "9.8.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:isc:bind:*:*:*:*:*:*:*:*", "matchCriteriaId": "4418EDD7-AC58-48A3-BE65-273C0E8222E3", "versionEndIncluding": "9.9.9", "versionStartIncluding": "9.9.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:isc:bind:*:*:*:*:*:*:*:*", "matchCriteriaId": "C1DE78F6-B88E-44A7-BECD-B78B7E9052C1", "versionEndIncluding": "9.10.4", "versionStartIncluding": "9.10.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:isc:bind:9.8.0:p1:*:*:*:*:*:*", "matchCriteriaId": "25855A5C-302F-4A82-AEC1-8C4C9CB70362", "vulnerable": true}, {"criteria": "cpe:2.3:a:isc:bind:9.9.0:p1:*:*:*:*:*:*", "matchCriteriaId": "86C1A668-D648-4E72-876B-E72D341003D1", "vulnerable": true}, {"criteria": "cpe:2.3:a:isc:bind:9.9.0:p2:*:*:*:*:*:*", "matchCriteriaId": "0CFD0CE9-FE4D-4FB3-9486-36FA1A4FADF7", "vulnerable": true}, {"criteria": "cpe:2.3:a:isc:bind:9.9.0:p3:*:*:*:*:*:*", "matchCriteriaId": "E134536A-0F48-4F54-8399-5EF4C09BFF85", "vulnerable": true}, {"criteria": "cpe:2.3:a:isc:bind:9.9.0:p4:*:*:*:*:*:*", "matchCriteriaId": "63C9ED44-1207-4BE6-B5BB-56D198DC0C19", "vulnerable": true}, {"criteria": "cpe:2.3:a:isc:bind:9.9.0:p5:*:*:*:*:*:*", "matchCriteriaId": "561BF14D-8D6A-4DDB-82BB-6B8EBF34C326", "vulnerable": true}, {"criteria": "cpe:2.3:a:isc:bind:9.9.0:p6:*:*:*:*:*:*", "matchCriteriaId": "931DBFCE-F071-490F-867F-52A150DBD245", "vulnerable": true}, {"criteria": "cpe:2.3:a:isc:bind:9.9.3:*:*:*:*:*:*:*", "matchCriteriaId": "2A7BE793-7717-4019-8F50-158C309E48B2", "vulnerable": true}, {"criteria": "cpe:2.3:a:isc:bind:9.9.3:s1:*:*:*:*:*:*", "matchCriteriaId": "FCC182A9-5989-4A87-A3BA-F1CFAEDC95E2", "vulnerable": true}, {"criteria": "cpe:2.3:a:isc:bind:9.9.10:beta1:*:*:*:*:*:*", "matchCriteriaId": "9C8F0163-FF32-44E0-B05C-F89263CD56A7", "vulnerable": true}, {"criteria": "cpe:2.3:a:isc:bind:9.9.10:rc1:*:*:*:*:*:*", "matchCriteriaId": "94C0C9FC-5CCF-4AD7-8D83-7B579102F7E7", "vulnerable": true}, {"criteria": "cpe:2.3:a:isc:bind:9.10.4:p1:*:*:*:*:*:*", "matchCriteriaId": "BB2D2132-62E8-4E73-A0BF-4790DAFC5558", "vulnerable": true}, {"criteria": "cpe:2.3:a:isc:bind:9.10.4:p2:*:*:*:*:*:*", "matchCriteriaId": "E253BD9F-25B8-42E7-BEAB-E843381ED155", "vulnerable": true}, {"criteria": "cpe:2.3:a:isc:bind:9.10.4:p3:*:*:*:*:*:*", "matchCriteriaId": "6B5E42E5-27C6-4D6F-B7DC-903B10BF2017", "vulnerable": true}, {"criteria": "cpe:2.3:a:isc:bind:9.10.4:p4:*:*:*:*:*:*", "matchCriteriaId": "7E211374-A4F5-41D4-A89E-E6522E9D0DFB", "vulnerable": true}, {"criteria": "cpe:2.3:a:isc:bind:9.10.4:p5:*:*:*:*:*:*", "matchCriteriaId": "21CC7BA7-6D75-4561-ACF3-F1F61A0CBA62", "vulnerable": true}, {"criteria": "cpe:2.3:a:isc:bind:9.10.4:p6:*:*:*:*:*:*", "matchCriteriaId": "70586A2A-AA52-48F5-B2B0-390CA77807E8", "vulnerable": true}, {"criteria": "cpe:2.3:a:isc:bind:9.10.5:b1:*:*:*:*:*:*", "matchCriteriaId": "8C5A0370-9490-40CC-84E8-EEE95A6F233B", "vulnerable": true}, {"criteria": "cpe:2.3:a:isc:bind:9.10.5:rc1:*:*:*:*:*:*", "matchCriteriaId": "CEC78396-4667-4A45-8DBD-0D0C2AAE1549", "vulnerable": true}, {"criteria": "cpe:2.3:a:isc:bind:9.11.0:*:*:*:*:*:*:*", "matchCriteriaId": "3160C5ED-75EA-47B2-998E-EDFC46B37DDA", "vulnerable": true}, {"criteria": "cpe:2.3:a:isc:bind:9.11.0:p1:*:*:*:*:*:*", "matchCriteriaId": "086C327B-DF9F-4D4E-A538-1E29FEDC34C5", "vulnerable": true}, {"criteria": "cpe:2.3:a:isc:bind:9.11.0:p2:*:*:*:*:*:*", "matchCriteriaId": "1440B408-76B6-4FA7-899D-E28049A37704", "vulnerable": true}, {"criteria": "cpe:2.3:a:isc:bind:9.11.0:p3:*:*:*:*:*:*", "matchCriteriaId": "4D50373F-C1C4-4EC9-B94F-854C3444717D", "vulnerable": true}, {"criteria": "cpe:2.3:a:isc:bind:9.11.1:beta1:*:*:*:*:*:*", "matchCriteriaId": "CE6ED392-74B9-487E-83B0-ECAAEEAB3AB3", "vulnerable": true}, {"criteria": "cpe:2.3:a:isc:bind:9.11.1:rc1:*:*:*:*:*:*", "matchCriteriaId": "EEA791E2-27E0-49C5-9823-0C57647C788F", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:*:*:*:*:*:*:*", "matchCriteriaId": "EE249E1B-A1FD-4E08-AA71-A0E1F10FFE97", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*", "matchCriteriaId": "33C068A4-3780-4EAB-A937-6082DF847564", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_server:6.0:*:*:*:*:*:*:*", "matchCriteriaId": "9BBCD86A-E6C7-4444-9D74-F861084090F0", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*", "matchCriteriaId": "51EF4996-72F4-4FA4-814F-F5991E7A8318", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_server_aus:7.3:*:*:*:*:*:*:*", "matchCriteriaId": "98381E61-F082-4302-B51F-5648884F998B", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_server_aus:7.4:*:*:*:*:*:*:*", "matchCriteriaId": "D99A687E-EAE6-417E-A88E-D0082BC194CD", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_server_aus:7.6:*:*:*:*:*:*:*", "matchCriteriaId": "B353CE99-D57C-465B-AAB0-73EF581127D1", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_server_eus:7.3:*:*:*:*:*:*:*", "matchCriteriaId": "A8442C20-41F9-47FD-9A12-E724D3A31FD7", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_server_eus:7.4:*:*:*:*:*:*:*", "matchCriteriaId": "9EC0D196-F7B8-4BDD-9050-779F7A7FBEE4", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_server_eus:7.5:*:*:*:*:*:*:*", "matchCriteriaId": "A4E9DD8A-A68B-4A69-8B01-BFF92A2020A8", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_server_eus:7.6:*:*:*:*:*:*:*", "matchCriteriaId": "BF77CDCF-B9C9-427D-B2BF-36650FB2148C", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_server_tus:7.3:*:*:*:*:*:*:*", "matchCriteriaId": "24C0F4E1-C52C-41E0-9F14-F83ADD5CC7ED", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_server_tus:7.6:*:*:*:*:*:*:*", "matchCriteriaId": "B76AA310-FEC7-497F-AF04-C3EC1E76C4CC", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:*:*:*:*:*:*:*", "matchCriteriaId": "E5ED5807-55B7-47C5-97A6-03233F4FBC3A", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*", "matchCriteriaId": "825ECE2D-E232-46E0-A047-074B34DB1E97", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:netapp:data_ontap_edge:-:*:*:*:*:*:*:*", "matchCriteriaId": "E0C4B1E5-75BF-43AE-BBAC-0DD4124C71ED", "vulnerable": true}, {"criteria": "cpe:2.3:a:netapp:element_software:-:*:*:*:*:*:*:*", "matchCriteriaId": "85DF4B3F-4BBC-42B7-B729-096934523D63", "vulnerable": true}, {"criteria": "cpe:2.3:a:netapp:oncommand_balance:-:*:*:*:*:*:*:*", "matchCriteriaId": "7DCBCC5D-C396-47A8-ADF4-D3A2C4377FB1", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "matchCriteriaId": "C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A query with a specific set of characteristics could cause a server using DNS64 to encounter an assertion failure and terminate. An attacker could deliberately construct a query, enabling denial-of-service against a server if it was configured to use the DNS64 feature and other preconditions were met. Affects BIND 9.8.0 -> 9.8.8-P1, 9.9.0 -> 9.9.9-P6, 9.9.10b1->9.9.10rc1, 9.10.0 -> 9.10.4-P6, 9.10.5b1->9.10.5rc1, 9.11.0 -> 9.11.0-P3, 9.11.1b1->9.11.1rc1, 9.9.3-S1 -> 9.9.9-S8."}, {"lang": "es", "value": "Una consulta con un conjunto determinado de caracter\u00edsticas podr\u00eda provocar que un servidor que emplea DNS64 se encuentre con un fallo de aserci\u00f3n y termine. Un atacante podr\u00eda construir deliberadamente una consulta, habilitando una denegaci\u00f3n de servicio (DoS) contra un servidor si est\u00e1 configurado para emplear la caracter\u00edstica DNS64 y se cumplen otras precondiciones. Afecta a BIND desde la versi\u00f3n 9.8.0 hasta la9.8.8-P1, desde la versi\u00f3n 9.9.0 hasta la 9.9.9-P6, desde la versi\u00f3n 9.9.10b1 hasta la 9.9.10rc1, desde la versi\u00f3n 9.10.0 hasta la 9.10.4-P6, desde la versi\u00f3n 9.10.5b1 hasta la 9.10.5rc1, desde la versi\u00f3n 9.11.0 hasta la 9.11.0-P3, desde la versi\u00f3n 9.11.1b1 hasta la 9.11.1rc1 y desde la versi\u00f3n 9.9.3-S1 hasta 9.9.9-S8."}], "id": "CVE-2017-3136", "lastModified": "2020-10-20T12:15:12.720", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 3.6, "source": "security-officer@isc.org", "type": "Secondary"}]}, "published": "2019-01-16T20:29:00.313", "references": [{"source": "security-officer@isc.org", "url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00041.html"}, {"source": "security-officer@isc.org", "url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00044.html"}, {"source": "security-officer@isc.org", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/97653"}, {"source": "security-officer@isc.org", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securitytracker.com/id/1038259"}, {"source": "security-officer@isc.org", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2017:1095"}, {"source": "security-officer@isc.org", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2017:1105"}, {"source": "security-officer@isc.org", "tags": ["Third Party Advisory"], "url": "https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbux03747en_us"}, {"source": "security-officer@isc.org", "tags": ["Vendor Advisory"], "url": "https://kb.isc.org/docs/aa-01465"}, {"source": "security-officer@isc.org", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/201708-01"}, {"source": "security-officer@isc.org", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20180802-0002/"}, {"source": "security-officer@isc.org", "tags": ["Third Party Advisory"], "url": "https://www.debian.org/security/2017/dsa-3854"}], "sourceIdentifier": "security-officer@isc.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-617"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"acknowledgement": "Red Hat would like to thank ISC for reporting this issue. Upstream acknowledges Oleg Gorokhov (Yandex) as the original reporter.", "affected_release": [{"advisory": "RHSA-2017:1105", "cpe": "cpe:/o:redhat:enterprise_linux:6", "package": "bind-32:9.8.2-0.62.rc1.el6_9.1", "product_name": "Red Hat Enterprise Linux 6", "release_date": "2017-04-20T00:00:00Z"}, {"advisory": "RHSA-2017:1095", "cpe": "cpe:/o:redhat:enterprise_linux:7", "package": "bind-32:9.9.4-38.el7_3.3", "product_name": "Red Hat Enterprise Linux 7", "release_date": "2017-04-19T00:00:00Z"}], "bugzilla": {"description": "bind: Incorrect error handling causes assertion failure when using DNS64 with \"break-dnssec yes;\"", "id": "1441125", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1441125"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.9", "cvss3_scoring_vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "verified"}, "cwe": "CWE-617", "details": ["A query with a specific set of characteristics could cause a server using DNS64 to encounter an assertion failure and terminate. An attacker could deliberately construct a query, enabling denial-of-service against a server if it was configured to use the DNS64 feature and other preconditions were met. Affects BIND 9.8.0 -> 9.8.8-P1, 9.9.0 -> 9.9.9-P6, 9.9.10b1->9.9.10rc1, 9.10.0 -> 9.10.4-P6, 9.10.5b1->9.10.5rc1, 9.11.0 -> 9.11.0-P3, 9.11.1b1->9.11.1rc1, 9.9.3-S1 -> 9.9.9-S8.", "A denial of service flaw was found in the way BIND handled query requests when using DNS64 with \"break-dnssec yes\" option. A remote attacker could use this flaw to make named exit unexpectedly with an assertion failure via a specially crafted DNS request."], "mitigation": {"lang": "en:us", "value": "Servers which have configurations which require DNS64 and \"break-dnssec yes;\" should upgrade. Servers which are not using these features in conjunction are not at risk from this defect."}, "name": "CVE-2017-3136", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:5", "fix_state": "Not affected", "package_name": "bind", "product_name": "Red Hat Enterprise Linux 5"}, {"cpe": "cpe:/o:redhat:enterprise_linux:5", "fix_state": "Not affected", "package_name": "bind97", "product_name": "Red Hat Enterprise Linux 5"}], "public_date": "2017-04-12T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2017-3136\nhttps://nvd.nist.gov/vuln/detail/CVE-2017-3136\nhttps://kb.isc.org/article/AA-01465"], "threat_severity": "Moderate", "upstream_fix": "bind 9.9.9-P8, bind 9.10.4-P8, bind 9.11.0-P5"}