First published: Mon Nov 18 2019
ISC BIND is vulnerable to a denial of service. By sending TCP-pipelined queries, a remote attacker could exploit this vulnerability to bypass the tcp-clients limit and cause the server to consume all available resources and become unresponsive.
Credit: security-officer@isc.org
Affected Software | Affected Version | How to fix |
---|---|---|
debian/bind9 | <=1:9.15.5-1, <=1:9.11.5.P4+dfsg-1, <=1:9.11.5.P4+dfsg-5.1 | 1:9.11.5.P4+dfsg-5.1+deb10u1, 1:9.11.14+dfsg-1, 1:9.15.6-1 |
IBM Data Risk Manager | <=2.0.6 | |
ISC BIND | >=9.11.7, <=9.11.12 | |
ISC BIND | >=9.14.1, <=9.14.7 | |
ISC BIND | >=9.15.0, <=9.15.5 | |
ISC BIND | =9.11.5-s6 | |
ISC BIND | =9.11.6-p1 | |
ISC BIND | =9.11.6-rc1 | |
ISC BIND | =9.11.12-s1 | |
ISC BIND | =9.12.4-p1 | |
ISC BIND | =9.12.4-p2 | |
Fedoraproject Fedora | =30 | |
Fedoraproject Fedora | =31 | |
redhat/bind | <9.11.13 | 9.11.13 |
redhat/bind | <9.14.8 | 9.14.8 |
redhat/bind | <9.15.6 | 9.15.6 |
debian/bind9 | 1:9.11.5.P4+dfsg-5.1+deb10u7, 1:9.11.5.P4+dfsg-5.1+deb10u9, 1:9.16.44-1~deb11u1, 1:9.18.19-1~deb12u1, 1:9.19.19-1 | |
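As an added example (not part of this advisory and not ISC's code), the following Python checker encodes the ISC BIND rows of the table above and tests a version string, or the banner printed by `named -v`, against them. The sample banner in the block is constructed; the `parse_version`, `is_affected` and `extract_version` names are this example's own. Distribution packages such as the Debian and Red Hat builds in the table backport fixes, so for those the upstream base version alone does not tell you whether the package is patched: compare the package version against the vendor's fixed version instead.

```python
import re

# Affected ISC BIND versions, transcribed from the advisory table above.
# Inclusive base-version ranges (>= low, <= high):
AFFECTED_RANGES = [("9.11.7", "9.11.12"), ("9.14.1", "9.14.7"), ("9.15.0", "9.15.5")]
# Individually listed patch/preview builds (compared case-insensitively):
AFFECTED_EXACT = {"9.11.5-S6", "9.11.6-P1", "9.11.6-RC1", "9.11.12-S1", "9.12.4-P1", "9.12.4-P2"}

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-([A-Za-z]+)(\d*))?$")


def parse_version(version):
    """Split e.g. '9.11.6-P1' into a numeric base tuple (9, 11, 6) and suffix 'P1'."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised BIND version string: {version!r}")
    base = tuple(int(m.group(i)) for i in (1, 2, 3))
    suffix = (m.group(4) or "").upper() + (m.group(5) or "")
    return base, suffix


def is_affected(version):
    """True if the version is inside a listed affected range or is a listed build."""
    base, suffix = parse_version(version)
    if suffix:
        # Suffixed builds (-P1, -S6, -rc1) count only if the table names them.
        return f"{'.'.join(map(str, base))}-{suffix}" in AFFECTED_EXACT
    return any(parse_version(lo)[0] <= base <= parse_version(hi)[0]
               for lo, hi in AFFECTED_RANGES)


def extract_version(named_v_output):
    """Pull the upstream version (e.g. '9.11.5-P4') out of a 'named -v' banner."""
    m = re.search(r"BIND\s+(\d+\.\d+\.\d+(?:-[A-Za-z]+\d*)?)", named_v_output)
    if not m:
        raise ValueError("no BIND version found in banner")
    return m.group(1)


if __name__ == "__main__":
    # Constructed sample banner in the shape Debian's 'named -v' prints.
    SAMPLE_BANNER = "BIND 9.11.5-P4-5.1+deb10u1-Debian (Extended Support Version) <id:placeholder>"
    for v in ("9.11.8", "9.11.13", "9.11.5-s6", "9.15.5", extract_version(SAMPLE_BANNER)):
        print(f"{v:>10}: {'affected per table' if is_affected(v) else 'not listed as affected'}")
```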
CVE-2019-6477 is a vulnerability in ISC BIND that allows a remote attacker to launch a denial-of-service attack by sending TCP-pipelined queries.
The vulnerability in ISC BIND occurs when TCP pipelining is enabled: each incoming query on a pipelined TCP connection consumes resources, and because such queries bypass the tcp-clients limit, the server can be driven to consume more resources than it can handle.
The affected software includes bind9 (version 1:9.11.5.P4+dfsg-5.1+deb10u7 or later, 1:9.11.5.P4+dfsg-5.1+deb10u9 or later, or 1:9.16.44-1~deb11u1 or later) in Debian, IBM Data Risk Manager (version up to 2.0.6) by IBM, and various versions of bind in Debian, Red Hat, and Fedora.
CVE-2019-6477 has a severity rating of 7.5 (high).
Patches and updates are available for the affected software. For bind9 in Debian, the official Debian repository provides the necessary patches. IBM Data Risk Manager users should apply the recommended patch provided by IBM. Red Hat and Fedora users should check the respective vendor's security advisories for available updates.