CVE-2017-3135: Combination of DNS64 and RPZ Can Lead to Crash
First published: Wed Feb 08 2017(Updated: )
Under some conditions when using both DNS64 and RPZ to rewrite query responses, query processing can resume in an inconsistent state leading to either an INSIST assertion failure or an attempt to read through a NULL pointer. Affects BIND 9.8.8, 9.9.3-S1 -> 9.9.9-S7, 9.9.3 -> 9.9.9-P5, 9.9.10b1, 9.10.0 -> 9.10.4-P5, 9.10.5b1, 9.11.0 -> 9.11.0-P2, 9.11.1b1.
Credit: security-officer@isc.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| debian/bind9 | 1:9.11.5.P4+dfsg-5.1+deb10u7 1:9.11.5.P4+dfsg-5.1+deb10u9 1:9.16.44-1~deb11u1 1:9.18.19-1~deb12u1 1:9.19.17-1 | |
| ISC BIND 9 | =9.9.3 | |
| ISC BIND 9 | =9.9.3-s1 | |
| ISC BIND 9 | =9.9.8 | |
| ISC BIND 9 | =9.9.9-p5 | |
| ISC BIND 9 | =9.9.9-s7 | |
| ISC BIND 9 | =9.9.10-beta1 | |
| ISC BIND 9 | =9.10.0 | |
| ISC BIND 9 | =9.10.4-p1 | |
| ISC BIND 9 | =9.10.4-p2 | |
| ISC BIND 9 | =9.10.4-p3 | |
| ISC BIND 9 | =9.10.4-p4 | |
| ISC BIND 9 | =9.10.4-p5 | |
| ISC BIND 9 | =9.10.5-beta1 | |
| ISC BIND 9 | =9.11.0 | |
| ISC BIND 9 | =9.11.0-p1 | |
| ISC BIND 9 | =9.11.0-p2 | |
| ISC BIND 9 | =9.11.1-beta1 | |
| Red Hat Enterprise Linux Desktop | =7.0 | |
| Red Hat Enterprise Linux Server | =7.0 | |
| Red Hat Enterprise Linux Server | =7.3 | |
| Red Hat Enterprise Linux Server | =7.4 | |
| Red Hat Enterprise Linux Server | =7.6 | |
| Red Hat Enterprise Linux Server | =7.3 | |
| Red Hat Enterprise Linux Server | =7.4 | |
| Red Hat Enterprise Linux Server | =7.5 | |
| Red Hat Enterprise Linux Server | =7.6 | |
| Red Hat Enterprise Linux Server | =7.3 | |
| Red Hat Enterprise Linux Server | =7.6 | |
| Red Hat Enterprise Linux Workstation | =7.0 | |
| NetApp Data ONTAP | ||
| NetApp Element Software | ||
| Debian Linux | =8.0 | |
| Debian Linux | =9.0 |
Remedy
Upgrade to the patched release most closely related to your current version of BIND. These can all be downloaded from http://www.isc.org/downloads. BIND 9 version 9.9.9-P6 BIND 9 version 9.10.4-P6 BIND 9 version 9.11.0-P3 BIND Supported Preview Edition is a special feature preview branch of BIND provided to eligible ISC support customers. BIND 9 version 9.9.9-S8
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://security-tracker.debian.org/tracker/CVE-2017-3135
- https://security-tracker.debian.org/tracker/CVE-2016-8864
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=855520
- https://kb.isc.org/article/AA-01453
- http://rhn.redhat.com/errata/RHSA-2017-0276.html
- http://www.securityfocus.com/bid/96150
- http://www.securitytracker.com/id/1037801
- https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbux03747en_us
- https://kb.isc.org/docs/aa-01453
- https://security.gentoo.org/glsa/201708-01
- https://security.netapp.com/advisory/ntap-20180926-0005/
- https://www.debian.org/security/2017/dsa-3795
Frequently Asked Questions
What is the severity of CVE-2017-3135?
CVE-2017-3135 has been classified with high severity due to potential assertion failures and NULL pointer dereferencing.
How do I fix CVE-2017-3135?
To address CVE-2017-3135, upgrade to a patched version of BIND, such as 1:9.11.5.P4+dfsg-5.1+deb10u7 or later.
Which versions of BIND are affected by CVE-2017-3135?
CVE-2017-3135 affects BIND versions 9.9.3-S1 through 9.9.9-S7, among others.
Can CVE-2017-3135 lead to service disruption?
Yes, CVE-2017-3135 can cause service interruptions due to assertion failures and inconsistent query processing.
Is there a workaround for CVE-2017-3135 while waiting for a patch?
There are no official workarounds for CVE-2017-3135; upgrading to a secure version is recommended for mitigation.
- collector/debian-bugs
- alias/CVE-2017-3135
- collector/security-tracker-debian
- agent/type
- agent/references
- agent/author
- agent/weakness
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/remedy
- agent/title
- agent/severity
- agent/last-modified-date
- agent/first-publish-date
- agent/event
- agent/source
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- package-manager/debian
- vendor/isc
- canonical/isc bind 9
- version/isc bind 9/9.9.3
- version/isc bind 9/9.9.3-s1
- version/isc bind 9/9.9.8
- version/isc bind 9/9.9.9-p5
- version/isc bind 9/9.9.9-s7
- version/isc bind 9/9.9.10-beta1
- version/isc bind 9/9.10.0
- version/isc bind 9/9.10.4-p1
- version/isc bind 9/9.10.4-p2
- version/isc bind 9/9.10.4-p3
- version/isc bind 9/9.10.4-p4
- version/isc bind 9/9.10.4-p5
- version/isc bind 9/9.10.5-beta1
- version/isc bind 9/9.11.0
- version/isc bind 9/9.11.0-p1
- version/isc bind 9/9.11.0-p2
- version/isc bind 9/9.11.1-beta1
- vendor/redhat
- canonical/red hat enterprise linux desktop
- version/red hat enterprise linux desktop/7.0
- canonical/red hat enterprise linux server
- version/red hat enterprise linux server/7.0
- version/red hat enterprise linux server/7.3
- version/red hat enterprise linux server/7.4
- version/red hat enterprise linux server/7.6
- version/red hat enterprise linux server/7.5
- canonical/red hat enterprise linux workstation
- version/red hat enterprise linux workstation/7.0
- vendor/netapp
- canonical/netapp data ontap
- canonical/netapp element software
- vendor/debian
- canonical/debian linux
- version/debian linux/8.0
- version/debian linux/9.0