{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2023-50387", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2024-08-02T22:16:46.692Z", "dateReserved": "2023-12-07T00:00:00", "datePublished": "2024-02-14T00:00:00"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2024-06-10T16:14:16.780094"}, "descriptions": [{"lang": "en", "value": "Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6840, and related RFCs) allow remote attackers to cause a denial of service (CPU consumption) via one or more DNSSEC responses, aka the \"KeyTrap\" issue. One of the concerns is that, when there is a zone with many DNSKEY and RRSIG records, the protocol specification implies that an algorithm must evaluate all combinations of DNSKEY and RRSIG records."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://www.athene-center.de/aktuelles/key-trap"}, {"url": "https://nlnetlabs.nl/news/2024/Feb/13/unbound-1.19.1-released/"}, {"url": "https://kb.isc.org/docs/cve-2023-50387"}, {"url": "https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-01.html"}, {"url": "https://www.theregister.com/2024/02/13/dnssec_vulnerability_internet/"}, {"url": "https://news.ycombinator.com/item?id=39367411"}, {"url": "https://www.securityweek.com/keytrap-dns-attack-could-disable-large-parts-of-internet-researchers/"}, {"url": "https://www.isc.org/blogs/2024-bind-security-release/"}, {"url": "https://news.ycombinator.com/item?id=39372384"}, {"url": "https://gitlab.nic.cz/knot/knot-resolver/-/releases/v5.7.1"}, {"url": "https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2024q1/017430.html"}, {"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-50387"}, {"url": "https://access.redhat.com/security/cve/CVE-2023-50387"}, {"url": "https://bugzilla.suse.com/show_bug.cgi?id=1219823"}, {"url": "https://www.athene-center.de/fileadmin/content/PDF/Technical_Report_KeyTrap.pdf"}, {"name": "[oss-security] 20240216 Re: Unbound: disclosure of CVE-2023-50387 and CVE-2023-50868 DNSSEC validation vulnerabilities", "tags": ["mailing-list"], "url": "http://www.openwall.com/lists/oss-security/2024/02/16/2"}, {"name": "[oss-security] 20240216 Re: Unbound: disclosure of CVE-2023-50387 and CVE-2023-50868 DNSSEC validation vulnerabilities", "tags": ["mailing-list"], "url": "http://www.openwall.com/lists/oss-security/2024/02/16/3"}, {"name": "FEDORA-2024-2e26eccfcb", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SVYA42BLXUCIDLD35YIJPJSHDIADNYMP/"}, {"name": "FEDORA-2024-e24211eff0", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BUIP7T7Z4T3UHLXFWG6XIVDP4GYPD3AI/"}, {"name": "FEDORA-2024-21310568fa", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PNNHZSZPG2E7NBMBNYPGHCFI4V4XRWNQ/"}, {"name": "[debian-lts-announce] 20240221 [SECURITY] [DLA 3736-1] unbound security update", "tags": ["mailing-list"], "url": "https://lists.debian.org/debian-lts-announce/2024/02/msg00006.html"}, {"name": "FEDORA-2024-b0f9656a76", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TEXGOYGW7DBS3N2QSSQONZ4ENIRQEAPG/"}, {"name": "FEDORA-2024-4e36df9dfd", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQESRWMJCF4JEYJEAKLRM6CT55GLJAB7/"}, {"name": "FEDORA-2024-499b9be35f", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RGS7JN6FZXUSTC2XKQHH27574XOULYYJ/"}, {"name": "FEDORA-2024-c36c448396", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HVRDSJVZKMCXKKPP6PNR62T7RWZ3YSDZ/"}, {"name": "FEDORA-2024-c967c7d287", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6FV5O347JTX7P5OZA6NGO4MKTXRXMKOZ/"}, {"name": "FEDORA-2024-e00eceb11c", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IGSLGKUAQTW5JPPZCMF5YPEYALLRUZZ6/"}, {"name": "FEDORA-2024-fae88b73eb", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZDZFMEKQTZ4L7RY46FCENWFB5MDT263R/"}, {"url": "https://security.netapp.com/advisory/ntap-20240307-0007/"}, {"name": "[debian-lts-announce] 20240517 [SECURITY] [DLA 3816-1] bind9 security update", "tags": ["mailing-list"], "url": "https://lists.debian.org/debian-lts-announce/2024/05/msg00011.html"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T22:16:46.692Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.athene-center.de/aktuelles/key-trap", "tags": ["x_transferred"]}, {"url": "https://nlnetlabs.nl/news/2024/Feb/13/unbound-1.19.1-released/", "tags": ["x_transferred"]}, {"url": "https://kb.isc.org/docs/cve-2023-50387", "tags": ["x_transferred"]}, {"url": "https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-01.html", "tags": ["x_transferred"]}, {"url": "https://www.theregister.com/2024/02/13/dnssec_vulnerability_internet/", "tags": ["x_transferred"]}, {"url": "https://news.ycombinator.com/item?id=39367411", "tags": ["x_transferred"]}, {"url": "https://www.securityweek.com/keytrap-dns-attack-could-disable-large-parts-of-internet-researchers/", "tags": ["x_transferred"]}, {"url": "https://www.isc.org/blogs/2024-bind-security-release/", "tags": ["x_transferred"]}, {"url": "https://news.ycombinator.com/item?id=39372384", "tags": ["x_transferred"]}, {"url": "https://gitlab.nic.cz/knot/knot-resolver/-/releases/v5.7.1", "tags": ["x_transferred"]}, {"url": "https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2024q1/017430.html", "tags": ["x_transferred"]}, {"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-50387", "tags": ["x_transferred"]}, {"url": "https://access.redhat.com/security/cve/CVE-2023-50387", "tags": ["x_transferred"]}, {"url": "https://bugzilla.suse.com/show_bug.cgi?id=1219823", "tags": ["x_transferred"]}, {"url": "https://www.athene-center.de/fileadmin/content/PDF/Technical_Report_KeyTrap.pdf", "tags": ["x_transferred"]}, {"name": "[oss-security] 20240216 Re: Unbound: disclosure of CVE-2023-50387 and CVE-2023-50868 DNSSEC validation vulnerabilities", "tags": ["mailing-list", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2024/02/16/2"}, {"name": "[oss-security] 20240216 Re: Unbound: disclosure of CVE-2023-50387 and CVE-2023-50868 DNSSEC validation vulnerabilities", "tags": ["mailing-list", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2024/02/16/3"}, {"name": "FEDORA-2024-2e26eccfcb", "tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SVYA42BLXUCIDLD35YIJPJSHDIADNYMP/"}, {"name": "FEDORA-2024-e24211eff0", "tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BUIP7T7Z4T3UHLXFWG6XIVDP4GYPD3AI/"}, {"name": "FEDORA-2024-21310568fa", "tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PNNHZSZPG2E7NBMBNYPGHCFI4V4XRWNQ/"}, {"name": "[debian-lts-announce] 20240221 [SECURITY] [DLA 3736-1] unbound security update", "tags": ["mailing-list", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2024/02/msg00006.html"}, {"name": "FEDORA-2024-b0f9656a76", "tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TEXGOYGW7DBS3N2QSSQONZ4ENIRQEAPG/"}, {"name": "FEDORA-2024-4e36df9dfd", "tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQESRWMJCF4JEYJEAKLRM6CT55GLJAB7/"}, {"name": "FEDORA-2024-499b9be35f", "tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RGS7JN6FZXUSTC2XKQHH27574XOULYYJ/"}, {"name": "FEDORA-2024-c36c448396", "tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HVRDSJVZKMCXKKPP6PNR62T7RWZ3YSDZ/"}, {"name": "FEDORA-2024-c967c7d287", "tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6FV5O347JTX7P5OZA6NGO4MKTXRXMKOZ/"}, {"name": "FEDORA-2024-e00eceb11c", "tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IGSLGKUAQTW5JPPZCMF5YPEYALLRUZZ6/"}, {"name": "FEDORA-2024-fae88b73eb", "tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZDZFMEKQTZ4L7RY46FCENWFB5MDT263R/"}, {"url": "https://security.netapp.com/advisory/ntap-20240307-0007/", "tags": ["x_transferred"]}, {"name": "[debian-lts-announce] 20240517 [SECURITY] [DLA 3816-1] bind9 security update", "tags": ["mailing-list", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2024/05/msg00011.html"}]}]}, "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*", "matchCriteriaId": "2F6AB192-9D7D-4A9A-8995-E53A9DE9EAFC", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*", "matchCriteriaId": "142AD0DD-4CF3-4D74-9442-459CE3347E3A", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*", "matchCriteriaId": "F4CFF558-3C47-480D-A2F0-BABF26042943", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "7F6FB57C-2BC7-487C-96DD-132683AEB35D", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*", "matchCriteriaId": "AF07A81D-12E5-4B1D-BFF9-C8D08C32FF4F", "vulnerable": true}, {"criteria": "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "matchCriteriaId": "A7DF96F8-BA6A-4780-9CA3-F719B3F81074", "vulnerable": true}, {"criteria": "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", "matchCriteriaId": "DB18C4CE-5917-401E-ACF7-2747084FD36E", "vulnerable": true}, {"criteria": "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "matchCriteriaId": "041FF8BA-0B12-4A1F-B4BF-9C4F33B7C1E7", "vulnerable": true}, {"criteria": "cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*", "matchCriteriaId": "DB79EE26-FC32-417D-A49C-A1A63165A968", "vulnerable": true}, {"criteria": "cpe:2.3:o:microsoft:windows_server_2022:-:*:*:*:*:*:*:*", "matchCriteriaId": "821614DD-37DD-44E2-A8A4-FE8D23A33C3C", "vulnerable": true}, {"criteria": "cpe:2.3:o:microsoft:windows_server_2022_23h2:-:*:*:*:*:*:*:*", "matchCriteriaId": "75CCACE6-A0EE-4A6F-BD5A-7AA504B02717", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:39:*:*:*:*:*:*:*", "matchCriteriaId": "B8EDB836-4E6A-4B71-B9B2-AA3E03E0F646", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:thekelleys:dnsmasq:*:*:*:*:*:*:*:*", "matchCriteriaId": "964796B3-BA45-4180-A8DA-64CF93CED122", "versionEndExcluding": "2.90", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:nic:knot_resolver:*:*:*:*:*:*:*:*", "matchCriteriaId": "8A8328E8-C652-4262-8C00-D89AD8F75CCF", "versionEndExcluding": "5.71", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:powerdns:recursor:*:*:*:*:*:*:*:*", "matchCriteriaId": "5207D316-7DC9-4724-BC48-C8D3EC5087E8", "versionEndExcluding": "4.8.6", "versionStartIncluding": "4.8.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:powerdns:recursor:*:*:*:*:*:*:*:*", "matchCriteriaId": "FEE64451-7CB9-45BD-8168-9F48199A9363", "versionEndExcluding": "4.9.3", "versionStartIncluding": "4.9.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:powerdns:recursor:*:*:*:*:*:*:*:*", "matchCriteriaId": "0526B76D-52BB-4FA1-B692-8EDEC673EAE5", "versionEndExcluding": "5.0.2", "versionStartIncluding": "5.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:isc:bind:*:*:*:*:-:*:*:*", "matchCriteriaId": "F3814976-5223-4615-BA7B-E33083D3EC26", "versionEndIncluding": "9.16.46", "versionStartIncluding": "9.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:isc:bind:*:*:*:*:-:*:*:*", "matchCriteriaId": "140CCABA-F134-4CC2-9960-258D6BFF34DD", "versionEndIncluding": "9.18.22", "versionStartIncluding": "9.18.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:isc:bind:*:*:*:*:-:*:*:*", "matchCriteriaId": "71BAD5BF-8532-4988-A772-6CD7B851E9E2", "versionEndIncluding": "9.19.20", "versionStartIncluding": "9.19.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:nlnetlabs:unbound:*:*:*:*:*:*:*:*", "matchCriteriaId": "8C094EEB-BAD6-495B-B1CB-671D31549F15", "versionEndExcluding": "1.19.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6840, and related RFCs) allow remote attackers to cause a denial of service (CPU consumption) via one or more DNSSEC responses, aka the \"KeyTrap\" issue. One of the concerns is that, when there is a zone with many DNSKEY and RRSIG records, the protocol specification implies that an algorithm must evaluate all combinations of DNSKEY and RRSIG records."}, {"lang": "es", "value": "Ciertos aspectos DNSSEC del protocolo DNS (en RFC 4035 y RFC relacionados) permiten a atacantes remotos provocar una denegaci\u00f3n de servicio (consumo de CPU) a trav\u00e9s de una o m\u00e1s respuestas DNSSEC cuando hay una zona con muchos registros DNSKEY y RRSIG, tambi\u00e9n conocido como \"KeyTrap\". \" asunto. La especificaci\u00f3n del protocolo implica que un algoritmo debe evaluar todas las combinaciones de registros DNSKEY y RRSIG."}], "id": "CVE-2023-50387", "lastModified": "2024-06-10T17:16:15.963", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-02-14T16:15:45.300", "references": [{"source": "cve@mitre.org", "tags": ["Mailing List"], "url": "http://www.openwall.com/lists/oss-security/2024/02/16/2"}, {"source": "cve@mitre.org", "tags": ["Mailing List"], "url": "http://www.openwall.com/lists/oss-security/2024/02/16/3"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/security/cve/CVE-2023-50387"}, {"source": "cve@mitre.org", "tags": ["Issue Tracking"], "url": "https://bugzilla.suse.com/show_bug.cgi?id=1219823"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-01.html"}, {"source": "cve@mitre.org", "tags": ["Patch"], "url": "https://gitlab.nic.cz/knot/knot-resolver/-/releases/v5.7.1"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory", "VDB Entry"], "url": "https://kb.isc.org/docs/cve-2023-50387"}, {"source": "cve@mitre.org", "url": "https://lists.debian.org/debian-lts-announce/2024/02/msg00006.html"}, {"source": "cve@mitre.org", "url": "https://lists.debian.org/debian-lts-announce/2024/05/msg00011.html"}, {"source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6FV5O347JTX7P5OZA6NGO4MKTXRXMKOZ/"}, {"source": "cve@mitre.org", "tags": ["Mailing List"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BUIP7T7Z4T3UHLXFWG6XIVDP4GYPD3AI/"}, {"source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HVRDSJVZKMCXKKPP6PNR62T7RWZ3YSDZ/"}, {"source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IGSLGKUAQTW5JPPZCMF5YPEYALLRUZZ6/"}, {"source": "cve@mitre.org", "tags": ["Mailing List"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PNNHZSZPG2E7NBMBNYPGHCFI4V4XRWNQ/"}, {"source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RGS7JN6FZXUSTC2XKQHH27574XOULYYJ/"}, {"source": "cve@mitre.org", "tags": ["Mailing List"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SVYA42BLXUCIDLD35YIJPJSHDIADNYMP/"}, {"source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TEXGOYGW7DBS3N2QSSQONZ4ENIRQEAPG/"}, {"source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQESRWMJCF4JEYJEAKLRM6CT55GLJAB7/"}, {"source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZDZFMEKQTZ4L7RY46FCENWFB5MDT263R/"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2024q1/017430.html"}, {"source": "cve@mitre.org", "tags": ["Patch", "Vendor Advisory"], "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-50387"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://news.ycombinator.com/item?id=39367411"}, {"source": "cve@mitre.org", "tags": ["Issue Tracking"], "url": "https://news.ycombinator.com/item?id=39372384"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://nlnetlabs.nl/news/2024/Feb/13/unbound-1.19.1-released/"}, {"source": "cve@mitre.org", "url": "https://security.netapp.com/advisory/ntap-20240307-0007/"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://www.athene-center.de/aktuelles/key-trap"}, {"source": "cve@mitre.org", "tags": ["Technical Description", "Third Party Advisory"], "url": "https://www.athene-center.de/fileadmin/content/PDF/Technical_Report_KeyTrap.pdf"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://www.isc.org/blogs/2024-bind-security-release/"}, {"source": "cve@mitre.org", "tags": ["Press/Media Coverage", "Third Party Advisory"], "url": "https://www.securityweek.com/keytrap-dns-attack-could-disable-large-parts-of-internet-researchers/"}, {"source": "cve@mitre.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://www.theregister.com/2024/02/13/dnssec_vulnerability_internet/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-770"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2024:3741", "cpe": "cpe:/o:redhat:enterprise_linux:7", "package": "bind-32:9.11.4-26.P2.el7_9.16", "product_name": "Red Hat Enterprise Linux 7", "release_date": "2024-06-10T00:00:00Z"}, {"advisory": "RHSA-2024:3741", "cpe": "cpe:/o:redhat:enterprise_linux:7", "package": "bind-dyndb-ldap-0:11.1-7.el7_9.1", "product_name": "Red Hat Enterprise Linux 7", "release_date": "2024-06-10T00:00:00Z"}, {"advisory": "RHSA-2024:3741", "cpe": "cpe:/o:redhat:enterprise_linux:7", "package": "dhcp-12:4.2.5-83.el7_9.2", "product_name": "Red Hat Enterprise Linux 7", "release_date": "2024-06-10T00:00:00Z"}, {"advisory": "RHSA-2024:0965", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "unbound-0:1.16.2-5.el8_9.2", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2024-02-26T00:00:00Z"}, {"advisory": "RHSA-2024:1335", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "dnsmasq-0:2.79-31.el8_9.2", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2024-03-14T00:00:00Z"}, {"advisory": "RHSA-2024:1781", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "bind9.16-32:9.16.23-0.16.el8_9.2", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2024-04-11T00:00:00Z"}, {"advisory": "RHSA-2024:1782", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "bind-32:9.11.36-11.el8_9.1", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2024-04-12T00:00:00Z"}, {"advisory": "RHSA-2024:3271", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "bind-32:9.11.36-14.el8_10", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2024-05-22T00:00:00Z"}, {"advisory": "RHSA-2024:1782", "cpe": "cpe:/o:redhat:enterprise_linux:8", "package": "bind-32:9.11.36-11.el8_9.1", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2024-04-12T00:00:00Z"}, {"advisory": "RHSA-2024:3271", "cpe": "cpe:/o:redhat:enterprise_linux:8", "package": "bind-32:9.11.36-14.el8_10", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2024-05-22T00:00:00Z"}, {"advisory": "RHSA-2024:2696", "cpe": "cpe:/a:redhat:rhel_aus:8.2", "package": "unbound-0:1.7.3-12.el8_2.1", "product_name": "Red Hat Enterprise Linux 8.2 Advanced Update Support", "release_date": "2024-05-06T00:00:00Z"}, {"advisory": "RHSA-2024:2890", "cpe": "cpe:/a:redhat:rhel_aus:8.2", "package": "bind-32:9.11.13-6.el8_2.7", "product_name": "Red Hat Enterprise Linux 8.2 Advanced Update Support", "release_date": "2024-05-16T00:00:00Z"}, {"advisory": "RHSA-2024:2890", "cpe": "cpe:/a:redhat:rhel_aus:8.2", "package": "dhcp-12:4.3.6-40.el8_2.3", "product_name": "Red Hat Enterprise Linux 8.2 Advanced Update Support", "release_date": "2024-05-16T00:00:00Z"}, {"advisory": "RHSA-2024:3929", "cpe": "cpe:/a:redhat:rhel_aus:8.2", "package": "dnsmasq-0:2.79-11.el8_2.3", "product_name": "Red Hat Enterprise Linux 8.2 Advanced Update Support", "release_date": "2024-06-13T00:00:00Z"}, {"advisory": "RHSA-2024:2696", "cpe": "cpe:/a:redhat:rhel_tus:8.2", "package": "unbound-0:1.7.3-12.el8_2.1", "product_name": "Red Hat Enterprise Linux 8.2 Telecommunications Update Service", "release_date": "2024-05-06T00:00:00Z"}, {"advisory": "RHSA-2024:2696", "cpe": "cpe:/a:redhat:rhel_e4s:8.2", "package": "unbound-0:1.7.3-12.el8_2.1", "product_name": "Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions", "release_date": "2024-05-06T00:00:00Z"}, {"advisory": "RHSA-2024:2587", "cpe": "cpe:/a:redhat:rhel_aus:8.4", "package": "unbound-0:1.7.3-15.el8_4.1", "product_name": "Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support", "release_date": "2024-04-30T00:00:00Z"}, {"advisory": "RHSA-2024:2821", "cpe": "cpe:/a:redhat:rhel_aus:8.4", "package": "bind-32:9.11.26-4.el8_4.4", "product_name": "Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support", "release_date": "2024-05-13T00:00:00Z"}, {"advisory": "RHSA-2024:2821", "cpe": "cpe:/a:redhat:rhel_aus:8.4", "package": "dhcp-12:4.3.6-44.el8_4.3", "product_name": "Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support", "release_date": "2024-05-13T00:00:00Z"}, {"advisory": "RHSA-2024:3877", "cpe": "cpe:/a:redhat:rhel_aus:8.4", "package": "dnsmasq-0:2.79-15.el8_4.2", "product_name": "Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support", "release_date": "2024-06-13T00:00:00Z"}, {"advisory": "RHSA-2024:2587", "cpe": "cpe:/a:redhat:rhel_tus:8.4", "package": "unbound-0:1.7.3-15.el8_4.1", "product_name": "Red Hat Enterprise Linux 8.4 Telecommunications Update Service", "release_date": "2024-04-30T00:00:00Z"}, {"advisory": "RHSA-2024:2821", "cpe": "cpe:/a:redhat:rhel_tus:8.4", "package": "bind-32:9.11.26-4.el8_4.4", "product_name": "Red Hat Enterprise Linux 8.4 Telecommunications Update Service", "release_date": "2024-05-13T00:00:00Z"}, {"advisory": "RHSA-2024:2821", "cpe": "cpe:/a:redhat:rhel_tus:8.4", "package": "dhcp-12:4.3.6-44.el8_4.3", "product_name": "Red Hat Enterprise Linux 8.4 Telecommunications Update Service", "release_date": "2024-05-13T00:00:00Z"}, {"advisory": "RHSA-2024:3877", "cpe": "cpe:/a:redhat:rhel_tus:8.4", "package": "dnsmasq-0:2.79-15.el8_4.2", "product_name": "Red Hat Enterprise Linux 8.4 Telecommunications Update Service", "release_date": "2024-06-13T00:00:00Z"}, {"advisory": "RHSA-2024:2587", "cpe": "cpe:/a:redhat:rhel_e4s:8.4", "package": "unbound-0:1.7.3-15.el8_4.1", "product_name": "Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions", "release_date": "2024-04-30T00:00:00Z"}, {"advisory": "RHSA-2024:2821", "cpe": "cpe:/a:redhat:rhel_e4s:8.4", "package": "bind-32:9.11.26-4.el8_4.4", "product_name": "Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions", "release_date": "2024-05-13T00:00:00Z"}, {"advisory": "RHSA-2024:2821", "cpe": "cpe:/a:redhat:rhel_e4s:8.4", "package": "dhcp-12:4.3.6-44.el8_4.3", "product_name": "Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions", "release_date": "2024-05-13T00:00:00Z"}, {"advisory": "RHSA-2024:3877", "cpe": "cpe:/a:redhat:rhel_e4s:8.4", "package": "dnsmasq-0:2.79-15.el8_4.2", "product_name": "Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions", "release_date": "2024-06-13T00:00:00Z"}, {"advisory": "RHSA-2024:1545", "cpe": "cpe:/a:redhat:rhel_eus:8.6", "package": "dnsmasq-0:2.79-21.el8_6.5", "product_name": "Red Hat Enterprise Linux 8.6 Extended Update Support", "release_date": "2024-03-27T00:00:00Z"}, {"advisory": "RHSA-2024:1647", "cpe": "cpe:/a:redhat:rhel_eus:8.6", "package": "bind9.16-32:9.16.23-0.7.el8_6.5", "product_name": "Red Hat Enterprise Linux 8.6 Extended Update Support", "release_date": "2024-04-02T00:00:00Z"}, {"advisory": "RHSA-2024:1804", "cpe": "cpe:/a:redhat:rhel_eus:8.6", "package": "unbound-0:1.7.3-17.el8_6.4", "product_name": "Red Hat Enterprise Linux 8.6 Extended Update Support", "release_date": "2024-04-15T00:00:00Z"}, {"advisory": "RHSA-2024:2720", "cpe": "cpe:/a:redhat:rhel_eus:8.6", "package": "bind-32:9.11.36-3.el8_6.7", "product_name": "Red Hat Enterprise Linux 8.6 Extended Update Support", "release_date": "2024-05-07T00:00:00Z"}, {"advisory": "RHSA-2024:2720", "cpe": "cpe:/a:redhat:rhel_eus:8.6", "package": "dhcp-12:4.3.6-47.el8_6.2", "product_name": "Red Hat Enterprise Linux 8.6 Extended Update Support", "release_date": "2024-05-07T00:00:00Z"}, {"advisory": "RHSA-2024:0982", "cpe": "cpe:/a:redhat:rhel_eus:8.8", "package": "unbound-0:1.16.2-5.el8_8.1", "product_name": "Red Hat Enterprise Linux 8.8 Extended Update Support", "release_date": "2024-02-27T00:00:00Z"}, {"advisory": "RHSA-2024:1544", "cpe": "cpe:/a:redhat:rhel_eus:8.8", "package": "dnsmasq-0:2.79-26.el8_8.4", "product_name": "Red Hat Enterprise Linux 8.8 Extended Update Support", "release_date": "2024-03-27T00:00:00Z"}, {"advisory": "RHSA-2024:1648", "cpe": "cpe:/a:redhat:rhel_eus:8.8", "package": "bind9.16-32:9.16.23-0.14.el8_8.4", "product_name": "Red Hat Enterprise Linux 8.8 Extended Update Support", "release_date": "2024-04-02T00:00:00Z"}, {"advisory": "RHSA-2024:2721", "cpe": "cpe:/a:redhat:rhel_eus:8.8", "package": "bind-32:9.11.36-8.el8_8.4", "product_name": "Red Hat Enterprise Linux 8.8 Extended Update Support", "release_date": "2024-05-07T00:00:00Z"}, {"advisory": "RHSA-2024:2721", "cpe": "cpe:/a:redhat:rhel_eus:8.8", "package": "dhcp-12:4.3.6-49.el8_8.1", "product_name": "Red Hat Enterprise Linux 8.8 Extended Update Support", "release_date": "2024-05-07T00:00:00Z"}, {"advisory": "RHSA-2024:0977", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "unbound-0:1.16.2-3.el9_3.1", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2024-02-26T00:00:00Z"}, {"advisory": "RHSA-2024:1334", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "dnsmasq-0:2.85-14.el9_3.1", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2024-03-14T00:00:00Z"}, {"advisory": "RHSA-2024:1789", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "bind-32:9.16.23-14.el9_3.4", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2024-04-11T00:00:00Z"}, {"advisory": "RHSA-2024:1789", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "bind-dyndb-ldap-0:11.9-8.el9_3.3", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2024-04-11T00:00:00Z"}, {"advisory": "RHSA-2024:2551", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "bind-32:9.16.23-18.el9_4.1", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2024-04-30T00:00:00Z"}, {"advisory": "RHSA-2024:2551", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "bind-dyndb-ldap-0:11.9-9.el9_4", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2024-04-30T00:00:00Z"}, {"advisory": "RHSA-2024:1543", "cpe": "cpe:/a:redhat:rhel_eus:9.0", "package": "dnsmasq-0:2.85-3.el9_0.1", "product_name": "Red Hat Enterprise Linux 9.0 Extended Update Support", "release_date": "2024-03-27T00:00:00Z"}, {"advisory": "RHSA-2024:1800", "cpe": "cpe:/a:redhat:rhel_eus:9.0", "package": "bind-32:9.16.23-1.el9_0.5", "product_name": "Red Hat Enterprise Linux 9.0 Extended Update Support", "release_date": "2024-04-15T00:00:00Z"}, {"advisory": "RHSA-2024:1800", "cpe": "cpe:/a:redhat:rhel_eus:9.0", "package": "bind-dyndb-ldap-0:11.9-7.el9_0.1", "product_name": "Red Hat Enterprise Linux 9.0 Extended Update Support", "release_date": "2024-04-15T00:00:00Z"}, {"advisory": "RHSA-2024:1801", "cpe": "cpe:/a:redhat:rhel_eus:9.0", "package": "unbound-0:1.13.1-13.el9_0.4", "product_name": "Red Hat Enterprise Linux 9.0 Extended Update Support", "release_date": "2024-04-15T00:00:00Z"}, {"advisory": "RHSA-2024:0981", "cpe": "cpe:/a:redhat:rhel_eus:9.2", "package": "unbound-0:1.16.2-3.el9_2.1", "product_name": "Red Hat Enterprise Linux 9.2 Extended Update Support", "release_date": "2024-02-26T00:00:00Z"}, {"advisory": "RHSA-2024:1522", "cpe": "cpe:/a:redhat:rhel_eus:9.2", "package": "dnsmasq-0:2.85-6.el9_2.3", "product_name": "Red Hat Enterprise Linux 9.2 Extended Update Support", "release_date": "2024-03-26T00:00:00Z"}, {"advisory": "RHSA-2024:1803", "cpe": "cpe:/a:redhat:rhel_eus:9.2", "package": "bind-32:9.16.23-11.el9_2.4", "product_name": "Red Hat Enterprise Linux 9.2 Extended Update Support", "release_date": "2024-04-15T00:00:00Z"}, {"advisory": "RHSA-2024:1803", "cpe": "cpe:/a:redhat:rhel_eus:9.2", "package": "bind-dyndb-ldap-0:11.9-8.el9_2.2", "product_name": "Red Hat Enterprise Linux 9.2 Extended Update Support", "release_date": "2024-04-15T00:00:00Z"}], "bugzilla": {"description": "bind9: KeyTrap - Extreme CPU consumption in DNSSEC validator", "id": "2263914", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2263914"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "verified"}, "cwe": "CWE-400", "details": ["Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6840, and related RFCs) allow remote attackers to cause a denial of service (CPU consumption) via one or more DNSSEC responses, aka the \"KeyTrap\" issue. One of the concerns is that, when there is a zone with many DNSKEY and RRSIG records, the protocol specification implies that an algorithm must evaluate all combinations of DNSKEY and RRSIG records.", "Processing specially crafted responses coming from DNSSEC-signed zones can lead to uncontrolled CPU usage, leading to a Denial of Service in the DNSSEC-validating resolver side.\nThis vulnerability applies only for systems where DNSSEC validation is enabled."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2023-50387", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Affected", "package_name": "bind", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "dnsmasq", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Affected", "package_name": "unbound", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "dhcp", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2024-02-13T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2023-50387\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-50387\nhttps://blog.powerdns.com/2024/02/13/powerdns-recursor-4-8-6-4-9-3-5-0-2-released\nhttps://kb.isc.org/docs/cve-2023-50387\nhttps://www.knot-resolver.cz/2024-02-13-knot-resolver-5.7.1.html"], "statement": "This vulnerability in DNSSEC-validating resolvers is of important severity because it can lead to uncontrolled CPU consumption, resulting in a Denial of Service (DoS). By exploiting this flaw, attackers can send specially crafted DNS responses that cause the resolver to enter a state of excessive resource utilization. This can severely impact the availability and performance of DNS services, affecting not only the targeted resolver but potentially cascading to other dependent systems and services.", "threat_severity": "Important", "upstream_fix": "bind 9.16.48, bind 9.18.24, bind 9.19.21"}