{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2023-50868", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2024-08-02T22:23:43.905Z", "dateReserved": "2023-12-14T00:00:00", "datePublished": "2024-02-14T00:00:00"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2024-06-10T16:14:14.129606"}, "descriptions": [{"lang": "en", "value": "The Closest Encloser Proof aspect of the DNS protocol (in RFC 5155 when RFC 9276 guidance is skipped) allows remote attackers to cause a denial of service (CPU consumption for SHA-1 computations) via DNSSEC responses in a random subdomain attack, aka the \"NSEC3\" issue. The RFC 5155 specification implies that an algorithm must perform thousands of iterations of a hash function in certain situations."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://nlnetlabs.nl/news/2024/Feb/13/unbound-1.19.1-released/"}, {"url": "https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-01.html"}, {"url": "https://www.isc.org/blogs/2024-bind-security-release/"}, {"url": "https://datatracker.ietf.org/doc/html/rfc5155"}, {"url": "https://kb.isc.org/docs/cve-2023-50868"}, {"url": "https://gitlab.nic.cz/knot/knot-resolver/-/releases/v5.7.1"}, {"url": "https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2024q1/017430.html"}, {"url": "https://access.redhat.com/security/cve/CVE-2023-50868"}, {"url": "https://bugzilla.suse.com/show_bug.cgi?id=1219826"}, {"name": "[oss-security] 20240216 Re: Unbound: disclosure of CVE-2023-50387 and CVE-2023-50868 DNSSEC validation vulnerabilities", "tags": ["mailing-list"], "url": "http://www.openwall.com/lists/oss-security/2024/02/16/2"}, {"name": "[oss-security] 20240216 Re: Unbound: disclosure of CVE-2023-50387 and CVE-2023-50868 DNSSEC validation vulnerabilities", "tags": ["mailing-list"], "url": "http://www.openwall.com/lists/oss-security/2024/02/16/3"}, {"name": "FEDORA-2024-2e26eccfcb", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SVYA42BLXUCIDLD35YIJPJSHDIADNYMP/"}, {"name": "FEDORA-2024-e24211eff0", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BUIP7T7Z4T3UHLXFWG6XIVDP4GYPD3AI/"}, {"name": "FEDORA-2024-21310568fa", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PNNHZSZPG2E7NBMBNYPGHCFI4V4XRWNQ/"}, {"name": "[debian-lts-announce] 20240221 [SECURITY] [DLA 3736-1] unbound security update", "tags": ["mailing-list"], "url": "https://lists.debian.org/debian-lts-announce/2024/02/msg00006.html"}, {"name": "FEDORA-2024-b0f9656a76", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TEXGOYGW7DBS3N2QSSQONZ4ENIRQEAPG/"}, {"name": "FEDORA-2024-4e36df9dfd", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQESRWMJCF4JEYJEAKLRM6CT55GLJAB7/"}, {"name": "FEDORA-2024-499b9be35f", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RGS7JN6FZXUSTC2XKQHH27574XOULYYJ/"}, {"name": "FEDORA-2024-c36c448396", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HVRDSJVZKMCXKKPP6PNR62T7RWZ3YSDZ/"}, {"name": "FEDORA-2024-c967c7d287", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6FV5O347JTX7P5OZA6NGO4MKTXRXMKOZ/"}, {"name": "FEDORA-2024-e00eceb11c", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IGSLGKUAQTW5JPPZCMF5YPEYALLRUZZ6/"}, {"name": "FEDORA-2024-fae88b73eb", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZDZFMEKQTZ4L7RY46FCENWFB5MDT263R/"}, {"url": "https://security.netapp.com/advisory/ntap-20240307-0008/"}, {"name": "[debian-lts-announce] 20240517 [SECURITY] [DLA 3816-1] bind9 security update", "tags": ["mailing-list"], "url": "https://lists.debian.org/debian-lts-announce/2024/05/msg00011.html"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T22:23:43.905Z"}, "title": "CVE Program Container", "references": [{"url": "https://nlnetlabs.nl/news/2024/Feb/13/unbound-1.19.1-released/", "tags": ["x_transferred"]}, {"url": "https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-01.html", "tags": ["x_transferred"]}, {"url": "https://www.isc.org/blogs/2024-bind-security-release/", "tags": ["x_transferred"]}, {"url": "https://datatracker.ietf.org/doc/html/rfc5155", "tags": ["x_transferred"]}, {"url": "https://kb.isc.org/docs/cve-2023-50868", "tags": ["x_transferred"]}, {"url": "https://gitlab.nic.cz/knot/knot-resolver/-/releases/v5.7.1", "tags": ["x_transferred"]}, {"url": "https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2024q1/017430.html", "tags": ["x_transferred"]}, {"url": "https://access.redhat.com/security/cve/CVE-2023-50868", "tags": ["x_transferred"]}, {"url": "https://bugzilla.suse.com/show_bug.cgi?id=1219826", "tags": ["x_transferred"]}, {"name": "[oss-security] 20240216 Re: Unbound: disclosure of CVE-2023-50387 and CVE-2023-50868 DNSSEC validation vulnerabilities", "tags": ["mailing-list", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2024/02/16/2"}, {"name": "[oss-security] 20240216 Re: Unbound: disclosure of CVE-2023-50387 and CVE-2023-50868 DNSSEC validation vulnerabilities", "tags": ["mailing-list", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2024/02/16/3"}, {"name": "FEDORA-2024-2e26eccfcb", "tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SVYA42BLXUCIDLD35YIJPJSHDIADNYMP/"}, {"name": "FEDORA-2024-e24211eff0", "tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BUIP7T7Z4T3UHLXFWG6XIVDP4GYPD3AI/"}, {"name": "FEDORA-2024-21310568fa", "tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PNNHZSZPG2E7NBMBNYPGHCFI4V4XRWNQ/"}, {"name": "[debian-lts-announce] 20240221 [SECURITY] [DLA 3736-1] unbound security update", "tags": ["mailing-list", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2024/02/msg00006.html"}, {"name": "FEDORA-2024-b0f9656a76", "tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TEXGOYGW7DBS3N2QSSQONZ4ENIRQEAPG/"}, {"name": "FEDORA-2024-4e36df9dfd", "tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQESRWMJCF4JEYJEAKLRM6CT55GLJAB7/"}, {"name": "FEDORA-2024-499b9be35f", "tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RGS7JN6FZXUSTC2XKQHH27574XOULYYJ/"}, {"name": "FEDORA-2024-c36c448396", "tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HVRDSJVZKMCXKKPP6PNR62T7RWZ3YSDZ/"}, {"name": "FEDORA-2024-c967c7d287", "tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6FV5O347JTX7P5OZA6NGO4MKTXRXMKOZ/"}, {"name": "FEDORA-2024-e00eceb11c", "tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IGSLGKUAQTW5JPPZCMF5YPEYALLRUZZ6/"}, {"name": "FEDORA-2024-fae88b73eb", "tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZDZFMEKQTZ4L7RY46FCENWFB5MDT263R/"}, {"url": "https://security.netapp.com/advisory/ntap-20240307-0008/", "tags": ["x_transferred"]}, {"name": "[debian-lts-announce] 20240517 [SECURITY] [DLA 3816-1] bind9 security update", "tags": ["mailing-list", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2024/05/msg00011.html"}]}]}, "dataVersion": "5.1"}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Closest Encloser Proof aspect of the DNS protocol (in RFC 5155 when RFC 9276 guidance is skipped) allows remote attackers to cause a denial of service (CPU consumption for SHA-1 computations) via DNSSEC responses in a random subdomain attack, aka the \"NSEC3\" issue. The RFC 5155 specification implies that an algorithm must perform thousands of iterations of a hash function in certain situations."}, {"lang": "es", "value": "El aspecto Closest Encloser Proof del protocolo DNS (en RFC 5155 cuando se omite la gu\u00eda RFC 9276) permite a atacantes remotos provocar una denegaci\u00f3n de servicio (consumo de CPU para c\u00e1lculos SHA-1) a trav\u00e9s de respuestas DNSSEC en un ataque de subdominio aleatorio, tambi\u00e9n conocido como \" Problema NSEC3\". La especificaci\u00f3n RFC 5155 implica que un algoritmo debe realizar miles de iteraciones de una funci\u00f3n hash en determinadas situaciones."}], "id": "CVE-2023-50868", "lastModified": "2024-06-10T17:16:16.200", "metrics": {}, "published": "2024-02-14T16:15:45.377", "references": [{"source": "cve@mitre.org", "url": "http://www.openwall.com/lists/oss-security/2024/02/16/2"}, {"source": "cve@mitre.org", "url": "http://www.openwall.com/lists/oss-security/2024/02/16/3"}, {"source": "cve@mitre.org", "url": "https://access.redhat.com/security/cve/CVE-2023-50868"}, {"source": "cve@mitre.org", "url": "https://bugzilla.suse.com/show_bug.cgi?id=1219826"}, {"source": "cve@mitre.org", "url": "https://datatracker.ietf.org/doc/html/rfc5155"}, {"source": "cve@mitre.org", "url": "https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-01.html"}, {"source": "cve@mitre.org", "url": "https://gitlab.nic.cz/knot/knot-resolver/-/releases/v5.7.1"}, {"source": "cve@mitre.org", "url": "https://kb.isc.org/docs/cve-2023-50868"}, {"source": "cve@mitre.org", "url": "https://lists.debian.org/debian-lts-announce/2024/02/msg00006.html"}, {"source": "cve@mitre.org", "url": "https://lists.debian.org/debian-lts-announce/2024/05/msg00011.html"}, {"source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6FV5O347JTX7P5OZA6NGO4MKTXRXMKOZ/"}, {"source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BUIP7T7Z4T3UHLXFWG6XIVDP4GYPD3AI/"}, {"source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HVRDSJVZKMCXKKPP6PNR62T7RWZ3YSDZ/"}, {"source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IGSLGKUAQTW5JPPZCMF5YPEYALLRUZZ6/"}, {"source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PNNHZSZPG2E7NBMBNYPGHCFI4V4XRWNQ/"}, {"source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RGS7JN6FZXUSTC2XKQHH27574XOULYYJ/"}, {"source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SVYA42BLXUCIDLD35YIJPJSHDIADNYMP/"}, {"source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TEXGOYGW7DBS3N2QSSQONZ4ENIRQEAPG/"}, {"source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQESRWMJCF4JEYJEAKLRM6CT55GLJAB7/"}, {"source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZDZFMEKQTZ4L7RY46FCENWFB5MDT263R/"}, {"source": "cve@mitre.org", "url": "https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2024q1/017430.html"}, {"source": "cve@mitre.org", "url": "https://nlnetlabs.nl/news/2024/Feb/13/unbound-1.19.1-released/"}, {"source": "cve@mitre.org", "url": "https://security.netapp.com/advisory/ntap-20240307-0008/"}, {"source": "cve@mitre.org", "url": "https://www.isc.org/blogs/2024-bind-security-release/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Awaiting Analysis"}

{"affected_release": [{"advisory": "RHSA-2024:3741", "cpe": "cpe:/o:redhat:enterprise_linux:7", "package": "bind-32:9.11.4-26.P2.el7_9.16", "product_name": "Red Hat Enterprise Linux 7", "release_date": "2024-06-10T00:00:00Z"}, {"advisory": "RHSA-2024:3741", "cpe": "cpe:/o:redhat:enterprise_linux:7", "package": "bind-dyndb-ldap-0:11.1-7.el7_9.1", "product_name": "Red Hat Enterprise Linux 7", "release_date": "2024-06-10T00:00:00Z"}, {"advisory": "RHSA-2024:3741", "cpe": "cpe:/o:redhat:enterprise_linux:7", "package": "dhcp-12:4.2.5-83.el7_9.2", "product_name": "Red Hat Enterprise Linux 7", "release_date": "2024-06-10T00:00:00Z"}, {"advisory": "RHSA-2024:0965", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "unbound-0:1.16.2-5.el8_9.2", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2024-02-26T00:00:00Z"}, {"advisory": "RHSA-2024:1335", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "dnsmasq-0:2.79-31.el8_9.2", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2024-03-14T00:00:00Z"}, {"advisory": "RHSA-2024:1781", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "bind9.16-32:9.16.23-0.16.el8_9.2", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2024-04-11T00:00:00Z"}, {"advisory": "RHSA-2024:1782", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "bind-32:9.11.36-11.el8_9.1", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2024-04-12T00:00:00Z"}, {"advisory": "RHSA-2024:3271", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "bind-32:9.11.36-14.el8_10", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2024-05-22T00:00:00Z"}, {"advisory": "RHSA-2024:1782", "cpe": "cpe:/o:redhat:enterprise_linux:8", "package": "bind-32:9.11.36-11.el8_9.1", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2024-04-12T00:00:00Z"}, {"advisory": "RHSA-2024:3271", "cpe": "cpe:/o:redhat:enterprise_linux:8", "package": "bind-32:9.11.36-14.el8_10", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2024-05-22T00:00:00Z"}, {"advisory": "RHSA-2024:2696", "cpe": "cpe:/a:redhat:rhel_aus:8.2", "package": "unbound-0:1.7.3-12.el8_2.1", "product_name": "Red Hat Enterprise Linux 8.2 Advanced Update Support", "release_date": "2024-05-06T00:00:00Z"}, {"advisory": "RHSA-2024:2890", "cpe": "cpe:/a:redhat:rhel_aus:8.2", "package": "bind-32:9.11.13-6.el8_2.7", "product_name": "Red Hat Enterprise Linux 8.2 Advanced Update Support", "release_date": "2024-05-16T00:00:00Z"}, {"advisory": "RHSA-2024:2890", "cpe": "cpe:/a:redhat:rhel_aus:8.2", "package": "dhcp-12:4.3.6-40.el8_2.3", "product_name": "Red Hat Enterprise Linux 8.2 Advanced Update Support", "release_date": "2024-05-16T00:00:00Z"}, {"advisory": "RHSA-2024:3929", "cpe": "cpe:/a:redhat:rhel_aus:8.2", "package": "dnsmasq-0:2.79-11.el8_2.3", "product_name": "Red Hat Enterprise Linux 8.2 Advanced Update Support", "release_date": "2024-06-13T00:00:00Z"}, {"advisory": "RHSA-2024:2696", "cpe": "cpe:/a:redhat:rhel_tus:8.2", "package": "unbound-0:1.7.3-12.el8_2.1", "product_name": "Red Hat Enterprise Linux 8.2 Telecommunications Update Service", "release_date": "2024-05-06T00:00:00Z"}, {"advisory": "RHSA-2024:2696", "cpe": "cpe:/a:redhat:rhel_e4s:8.2", "package": "unbound-0:1.7.3-12.el8_2.1", "product_name": "Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions", "release_date": "2024-05-06T00:00:00Z"}, {"advisory": "RHSA-2024:2587", "cpe": "cpe:/a:redhat:rhel_aus:8.4", "package": "unbound-0:1.7.3-15.el8_4.1", "product_name": "Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support", "release_date": "2024-04-30T00:00:00Z"}, {"advisory": "RHSA-2024:2821", "cpe": "cpe:/a:redhat:rhel_aus:8.4", "package": "bind-32:9.11.26-4.el8_4.4", "product_name": "Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support", "release_date": "2024-05-13T00:00:00Z"}, {"advisory": "RHSA-2024:2821", "cpe": "cpe:/a:redhat:rhel_aus:8.4", "package": "dhcp-12:4.3.6-44.el8_4.3", "product_name": "Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support", "release_date": "2024-05-13T00:00:00Z"}, {"advisory": "RHSA-2024:3877", "cpe": "cpe:/a:redhat:rhel_aus:8.4", "package": "dnsmasq-0:2.79-15.el8_4.2", "product_name": "Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support", "release_date": "2024-06-13T00:00:00Z"}, {"advisory": "RHSA-2024:2587", "cpe": "cpe:/a:redhat:rhel_tus:8.4", "package": "unbound-0:1.7.3-15.el8_4.1", "product_name": "Red Hat Enterprise Linux 8.4 Telecommunications Update Service", "release_date": "2024-04-30T00:00:00Z"}, {"advisory": "RHSA-2024:2821", "cpe": "cpe:/a:redhat:rhel_tus:8.4", "package": "bind-32:9.11.26-4.el8_4.4", "product_name": "Red Hat Enterprise Linux 8.4 Telecommunications Update Service", "release_date": "2024-05-13T00:00:00Z"}, {"advisory": "RHSA-2024:2821", "cpe": "cpe:/a:redhat:rhel_tus:8.4", "package": "dhcp-12:4.3.6-44.el8_4.3", "product_name": "Red Hat Enterprise Linux 8.4 Telecommunications Update Service", "release_date": "2024-05-13T00:00:00Z"}, {"advisory": "RHSA-2024:3877", "cpe": "cpe:/a:redhat:rhel_tus:8.4", "package": "dnsmasq-0:2.79-15.el8_4.2", "product_name": "Red Hat Enterprise Linux 8.4 Telecommunications Update Service", "release_date": "2024-06-13T00:00:00Z"}, {"advisory": "RHSA-2024:2587", "cpe": "cpe:/a:redhat:rhel_e4s:8.4", "package": "unbound-0:1.7.3-15.el8_4.1", "product_name": "Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions", "release_date": "2024-04-30T00:00:00Z"}, {"advisory": "RHSA-2024:2821", "cpe": "cpe:/a:redhat:rhel_e4s:8.4", "package": "bind-32:9.11.26-4.el8_4.4", "product_name": "Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions", "release_date": "2024-05-13T00:00:00Z"}, {"advisory": "RHSA-2024:2821", "cpe": "cpe:/a:redhat:rhel_e4s:8.4", "package": "dhcp-12:4.3.6-44.el8_4.3", "product_name": "Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions", "release_date": "2024-05-13T00:00:00Z"}, {"advisory": "RHSA-2024:3877", "cpe": "cpe:/a:redhat:rhel_e4s:8.4", "package": "dnsmasq-0:2.79-15.el8_4.2", "product_name": "Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions", "release_date": "2024-06-13T00:00:00Z"}, {"advisory": "RHSA-2024:1545", "cpe": "cpe:/a:redhat:rhel_eus:8.6", "package": "dnsmasq-0:2.79-21.el8_6.5", "product_name": "Red Hat Enterprise Linux 8.6 Extended Update Support", "release_date": "2024-03-27T00:00:00Z"}, {"advisory": "RHSA-2024:1647", "cpe": "cpe:/a:redhat:rhel_eus:8.6", "package": "bind9.16-32:9.16.23-0.7.el8_6.5", "product_name": "Red Hat Enterprise Linux 8.6 Extended Update Support", "release_date": "2024-04-02T00:00:00Z"}, {"advisory": "RHSA-2024:1804", "cpe": "cpe:/a:redhat:rhel_eus:8.6", "package": "unbound-0:1.7.3-17.el8_6.4", "product_name": "Red Hat Enterprise Linux 8.6 Extended Update Support", "release_date": "2024-04-15T00:00:00Z"}, {"advisory": "RHSA-2024:2720", "cpe": "cpe:/a:redhat:rhel_eus:8.6", "package": "bind-32:9.11.36-3.el8_6.7", "product_name": "Red Hat Enterprise Linux 8.6 Extended Update Support", "release_date": "2024-05-07T00:00:00Z"}, {"advisory": "RHSA-2024:2720", "cpe": "cpe:/a:redhat:rhel_eus:8.6", "package": "dhcp-12:4.3.6-47.el8_6.2", "product_name": "Red Hat Enterprise Linux 8.6 Extended Update Support", "release_date": "2024-05-07T00:00:00Z"}, {"advisory": "RHSA-2024:0982", "cpe": "cpe:/a:redhat:rhel_eus:8.8", "package": "unbound-0:1.16.2-5.el8_8.1", "product_name": "Red Hat Enterprise Linux 8.8 Extended Update Support", "release_date": "2024-02-27T00:00:00Z"}, {"advisory": "RHSA-2024:1544", "cpe": "cpe:/a:redhat:rhel_eus:8.8", "package": "dnsmasq-0:2.79-26.el8_8.4", "product_name": "Red Hat Enterprise Linux 8.8 Extended Update Support", "release_date": "2024-03-27T00:00:00Z"}, {"advisory": "RHSA-2024:1648", "cpe": "cpe:/a:redhat:rhel_eus:8.8", "package": "bind9.16-32:9.16.23-0.14.el8_8.4", "product_name": "Red Hat Enterprise Linux 8.8 Extended Update Support", "release_date": "2024-04-02T00:00:00Z"}, {"advisory": "RHSA-2024:2721", "cpe": "cpe:/a:redhat:rhel_eus:8.8", "package": "bind-32:9.11.36-8.el8_8.4", "product_name": "Red Hat Enterprise Linux 8.8 Extended Update Support", "release_date": "2024-05-07T00:00:00Z"}, {"advisory": "RHSA-2024:2721", "cpe": "cpe:/a:redhat:rhel_eus:8.8", "package": "dhcp-12:4.3.6-49.el8_8.1", "product_name": "Red Hat Enterprise Linux 8.8 Extended Update Support", "release_date": "2024-05-07T00:00:00Z"}, {"advisory": "RHSA-2024:0977", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "unbound-0:1.16.2-3.el9_3.1", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2024-02-26T00:00:00Z"}, {"advisory": "RHSA-2024:1334", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "dnsmasq-0:2.85-14.el9_3.1", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2024-03-14T00:00:00Z"}, {"advisory": "RHSA-2024:1789", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "bind-32:9.16.23-14.el9_3.4", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2024-04-11T00:00:00Z"}, {"advisory": "RHSA-2024:1789", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "bind-dyndb-ldap-0:11.9-8.el9_3.3", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2024-04-11T00:00:00Z"}, {"advisory": "RHSA-2024:2551", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "bind-32:9.16.23-18.el9_4.1", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2024-04-30T00:00:00Z"}, {"advisory": "RHSA-2024:2551", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "bind-dyndb-ldap-0:11.9-9.el9_4", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2024-04-30T00:00:00Z"}, {"advisory": "RHSA-2024:1543", "cpe": "cpe:/a:redhat:rhel_eus:9.0", "package": "dnsmasq-0:2.85-3.el9_0.1", "product_name": "Red Hat Enterprise Linux 9.0 Extended Update Support", "release_date": "2024-03-27T00:00:00Z"}, {"advisory": "RHSA-2024:1800", "cpe": "cpe:/a:redhat:rhel_eus:9.0", "package": "bind-32:9.16.23-1.el9_0.5", "product_name": "Red Hat Enterprise Linux 9.0 Extended Update Support", "release_date": "2024-04-15T00:00:00Z"}, {"advisory": "RHSA-2024:1800", "cpe": "cpe:/a:redhat:rhel_eus:9.0", "package": "bind-dyndb-ldap-0:11.9-7.el9_0.1", "product_name": "Red Hat Enterprise Linux 9.0 Extended Update Support", "release_date": "2024-04-15T00:00:00Z"}, {"advisory": "RHSA-2024:1801", "cpe": "cpe:/a:redhat:rhel_eus:9.0", "package": "unbound-0:1.13.1-13.el9_0.4", "product_name": "Red Hat Enterprise Linux 9.0 Extended Update Support", "release_date": "2024-04-15T00:00:00Z"}, {"advisory": "RHSA-2024:0981", "cpe": "cpe:/a:redhat:rhel_eus:9.2", "package": "unbound-0:1.16.2-3.el9_2.1", "product_name": "Red Hat Enterprise Linux 9.2 Extended Update Support", "release_date": "2024-02-26T00:00:00Z"}, {"advisory": "RHSA-2024:1522", "cpe": "cpe:/a:redhat:rhel_eus:9.2", "package": "dnsmasq-0:2.85-6.el9_2.3", "product_name": "Red Hat Enterprise Linux 9.2 Extended Update Support", "release_date": "2024-03-26T00:00:00Z"}, {"advisory": "RHSA-2024:1803", "cpe": "cpe:/a:redhat:rhel_eus:9.2", "package": "bind-32:9.16.23-11.el9_2.4", "product_name": "Red Hat Enterprise Linux 9.2 Extended Update Support", "release_date": "2024-04-15T00:00:00Z"}, {"advisory": "RHSA-2024:1803", "cpe": "cpe:/a:redhat:rhel_eus:9.2", "package": "bind-dyndb-ldap-0:11.9-8.el9_2.2", "product_name": "Red Hat Enterprise Linux 9.2 Extended Update Support", "release_date": "2024-04-15T00:00:00Z"}], "bugzilla": {"description": "bind9: Preparing an NSEC3 closest encloser proof can exhaust CPU resources", "id": "2263917", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2263917"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "verified"}, "cwe": "CWE-400", "details": ["The Closest Encloser Proof aspect of the DNS protocol (in RFC 5155 when RFC 9276 guidance is skipped) allows remote attackers to cause a denial of service (CPU consumption for SHA-1 computations) via DNSSEC responses in a random subdomain attack, aka the \"NSEC3\" issue. The RFC 5155 specification implies that an algorithm must perform thousands of iterations of a hash function in certain situations.", "A flaw was found in bind9. By flooding a DNSSEC resolver with responses coming from a DNSEC-signed zone using NSEC3, an attacker can lead the targeted resolver to a CPU exhaustion, further leading to a Denial of Service on the targeted host.\nThis vulnerability applies only for systems where DNSSEC validation is enabled."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2023-50868", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Affected", "package_name": "bind", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "dnsmasq", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Affected", "package_name": "unbound", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "dhcp", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2024-02-13T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2023-50868\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-50868\nhttps://blog.powerdns.com/2024/02/13/powerdns-recursor-4-8-6-4-9-3-5-0-2-released\nhttps://kb.isc.org/docs/cve-2023-50868\nhttps://www.knot-resolver.cz/2024-02-13-knot-resolver-5.7.1.html"], "statement": "The vulnerability in BIND9 that leads to CPU exhaustion through a flood of DNSSEC responses with NSEC3 signatures is a important severity issue due to its potential to induce a Denial of Service (DoS) condition on affected resolvers. By exploiting this flaw, an attacker can overwhelm a DNSSEC-enabled resolver with computationally intensive tasks, depleting CPU resources and disrupting normal DNS operations. This can result in significant service outages, affecting the resolver's ability to process legitimate DNS queries and thereby compromising network availability and reliability. The impact is exacerbated in high-traffic environments or where DNSSEC validation is extensively employed, making prompt remediation essential to prevent operational disruptions and maintain DNS infrastructure integrity.", "threat_severity": "Important"}