CVE-2019-6477
First published: Mon Nov 18 2019(Updated: )
ISC BIND is vulnerable to a denial of service. By sending TCP-pipelined queries, a remote attacker could exploit this vulnerability to bypass tcp-clients limit and cause the server to consume all available resources and become unresponsive.
Credit: security-officer@isc.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| debian/bind9 | <=1:9.15.5-1<=1:9.11.5.P4+dfsg-1<=1:9.11.5.P4+dfsg-5.1 | 1:9.11.5.P4+dfsg-5.1+deb10u1 1:9.11.14+dfsg-1 1:9.15.6-1 |
| IBM Data Risk Manager | <=2.0.6 | |
| ISC BIND | >=9.11.7<=9.11.12 | |
| ISC BIND | >=9.14.1<=9.14.7 | |
| ISC BIND | >=9.15.0<=9.15.5 | |
| ISC BIND | =9.11.5-s6 | |
| ISC BIND | =9.11.6-p1 | |
| ISC BIND | =9.11.6-rc1 | |
| ISC BIND | =9.11.12-s1 | |
| ISC BIND | =9.12.4-p1 | |
| ISC BIND | =9.12.4-p2 | |
| Fedoraproject Fedora | =30 | |
| Fedoraproject Fedora | =31 | |
| redhat/bind | <9.11.13 | 9.11.13 |
| redhat/bind | <9.14.8 | 9.14.8 |
| redhat/bind | <9.15.6 | 9.15.6 |
| debian/bind9 | 1:9.11.5.P4+dfsg-5.1+deb10u7 1:9.11.5.P4+dfsg-5.1+deb10u9 1:9.16.44-1~deb11u1 1:9.18.19-1~deb12u1 1:9.19.19-1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://security-tracker.debian.org/tracker/CVE-2019-6477
- https://security-tracker.debian.org/tracker/CVE-2018-5743
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6477
- https://kb.isc.org/docs/cve-2019-6477
- https://security-tracker.debian.org/tracker/CVE-2020-8616
- https://security-tracker.debian.org/tracker/CVE-2020-8617
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=945171
- https://exchange.xforce.ibmcloud.com/vulnerabilities/172012
- https://www.ibm.com/support/pages/node/6335281 (Advisory)
- http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00041.html
- http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00044.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L3DEMNZMKR57VQJCG5ZN55ZGTQRL2TFQ/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XGURMGQHX45KR4QDRCSUQHODUFOGNGAN/
- https://support.f5.com/csp/article/K15840535?utm_source=f5support&utm_medium=RSS
- https://www.debian.org/security/2020/dsa-4689
- https://www.synology.com/security/advisory/Synology_SA_19_39
- https://access.redhat.com/security/cve/CVE-2018-5743
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=1637475&action=diff
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=1637475&action=edit
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1774827
- https://access.redhat.com/errata/RHSA-2020:1061
- https://access.redhat.com/security/cve/cve-2019-6477
- https://access.redhat.com/errata/RHSA-2020:1845
- https://bugzilla.redhat.com/show_bug.cgi?id=1773617
Frequently Asked Questions
What is CVE-2019-6477?
CVE-2019-6477 is a vulnerability in ISC BIND that allows a remote attacker to launch a denial-of-service attack by sending TCP-pipelined queries.
How does the vulnerability in ISC BIND work?
The vulnerability in ISC BIND occurs when pipelining is enabled, causing each incoming query on a TCP connection to consume more resources than the server can handle.
Which software and versions are affected by CVE-2019-6477?
The affected software includes bind9 (version 1:9.11.5.P4+dfsg-5.1+deb10u7 or later, 1:9.11.5.P4+dfsg-5.1+deb10u9 or later, or 1:9.16.44-1~deb11u1 or later) in Debian, IBM Data Risk Manager (version up to 2.0.6) by IBM, and various versions of bind in Debian, Red Hat, and Fedora.
How severe is CVE-2019-6477?
CVE-2019-6477 has a severity rating of 7.5 (high).
Is there a fix available for CVE-2019-6477?
Yes, patches and updates are available for the affected software. For bind9 in Debian, the official Debian repository provides the necessary patches. IBM Data Risk Manager users should apply the recommended patch provided by IBM. Red Hat and Fedora users should check the respective vendor's security advisories for available updates.
- agent/author
- agent/description
- agent/event
- agent/first-publish-date
- agent/last-modified-date
- agent/references
- agent/severity
- agent/softwarecombine
- agent/tags
- agent/type
- agent/weakness
- collector/debian-bugs
- alias/CVE-2019-6477
- collector/ibm-support
- collector/nvd-index
- collector/redhat-bugzilla
- source/Red Hat
- agent/software-canonical-lookup
- collector/security-tracker-debian
- package-manager/debian
- vendor/ibm
- canonical/ibm data risk manager
- version/ibm data risk manager/2.0.6
- vendor/isc
- canonical/isc bind
- version/isc bind/9.11.7
- version/isc bind/9.11.12
- version/isc bind/9.14.1
- version/isc bind/9.14.7
- version/isc bind/9.15.0
- version/isc bind/9.15.5
- version/isc bind/9.11.5-s6
- version/isc bind/9.11.6-p1
- version/isc bind/9.11.6-rc1
- version/isc bind/9.11.12-s1
- version/isc bind/9.12.4-p1
- version/isc bind/9.12.4-p2
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/30
- version/fedoraproject fedora/31
- package-manager/redhat