CVE-2022-27227
First published: Fri Mar 25 2022(Updated: )
In PowerDNS Authoritative Server before 4.4.3, 4.5.x before 4.5.4, and 4.6.x before 4.6.1 and PowerDNS Recursor before 4.4.8, 4.5.x before 4.5.8, and 4.6.x before 4.6.1, insufficient validation of an IXFR end condition causes incomplete zone transfers to be handled as successful transfers.
Credit: cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| PowerDNS Authoritative Server | <4.4.3 | |
| PowerDNS Authoritative Server | >=4.5.0<4.5.4 | |
| PowerDNS Authoritative Server | >=4.6.0<4.6.1 | |
| PowerDNS Recursor | <4.4.8 | |
| PowerDNS Recursor | >=4.5.0<4.5.8 | |
| PowerDNS Recursor | >=4.6.0<4.6.1 | |
| Fedoraproject Fedora | =34 | |
| Fedoraproject Fedora | =35 | |
| Fedoraproject Fedora | =36 | |
| debian/pdns | <=4.4.1-1 | 4.7.3-2 4.9.3-1 |
| debian/pdns-recursor | <=4.4.2-3 | 4.8.8-1 5.1.3-1 |
| <4.4.3 | ||
| >=4.5.0<4.5.4 | ||
| >=4.6.0<4.6.1 | ||
| <4.4.8 | ||
| >=4.5.0<4.5.8 | ||
| >=4.6.0<4.6.1 | ||
| =34 | ||
| =35 | ||
| =36 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://www.openwall.com/lists/oss-security/2022/03/25/1
- https://doc.powerdns.com/authoritative/security-advisories/index.html
- https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2022-01.html
- https://docs.powerdns.com/recursor/security-advisories/index.html
- https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2022-01.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2QKN56VWXUVFOYGUN75N5IRNK66OHTHT/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HEABZA46XYEUWMGSY2GYYVHISBVWEHIO/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IPHOFNI7FKM5NNOVDOWO4TBXFAFICCUE/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZJSKICB67SPPEGNXCQLZVSWR6QGCN3KP/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2QKN56VWXUVFOYGUN75N5IRNK66OHTHT/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HEABZA46XYEUWMGSY2GYYVHISBVWEHIO/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZJSKICB67SPPEGNXCQLZVSWR6QGCN3KP/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IPHOFNI7FKM5NNOVDOWO4TBXFAFICCUE/
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27227
- https://nvd.nist.gov/vuln/detail/CVE-2022-27227
- https://launchpad.net/bugs/cve/CVE-2022-27227
- https://security-tracker.debian.org/tracker/CVE-2022-27227
- https://ubuntu.com/security/CVE-2022-27227
- https://github.com/PowerDNS/pdns/commit/ff27c8c8e17bd8093e4668d88865b8eb71039b45
- https://www.openwall.com/lists/oss-security/2022/03/25/1
- https://github.com/PowerDNS/pdns/commit/57312d230d5c01d9aca58cb29ce87e23ccbbefd2
Frequently Asked Questions
What is CVE-2022-27227?
CVE-2022-27227 is a vulnerability in PowerDNS Authoritative Server and PowerDNS Recursor that allows incomplete zone transfers to be handled as successful transfers.
Which software versions are affected by CVE-2022-27227?
PowerDNS Authoritative Server versions before 4.4.3, 4.5.x before 4.5.4, and 4.6.x before 4.6.1, as well as PowerDNS Recursor versions before 4.4.8, 4.5.x before 4.5.8, and 4.6.x before 4.6.1 are affected by CVE-2022-27227.
How severe is CVE-2022-27227?
CVE-2022-27227 has a severity rating of 7.5 (high).
How can I fix CVE-2022-27227?
To fix CVE-2022-27227, update PowerDNS Authoritative Server to version 4.4.3 or later, 4.5.x to version 4.5.4 or later, and 4.6.x to version 4.6.1 or later. For PowerDNS Recursor, update to version 4.4.8 or later for 4.4.x, 4.5.x to version 4.5.8 or later, and 4.6.x to version 4.6.1 or later.
Where can I find more information about CVE-2022-27227?
You can find more information about CVE-2022-27227 at the following references: [link1], [link2], [link3].
- collector/nvd-index
- agent/type
- collector/mitre-cve
- source/MITRE
- agent/remedy
- agent/last-modified-date
- agent/author
- agent/severity
- agent/first-publish-date
- collector/usn-cve
- source/Ubuntu
- agent/description
- collector/security-tracker-debian
- source/Debian
- agent/software-canonical-lookup
- agent/softwarecombine
- agent/references
- collector/launchpad-cve
- source/Launchpad
- agent/tags
- agent/event
- collector/nvd-cve
- source/NVD
- vendor/powerdns
- canonical/powerdns authoritative server
- version/powerdns authoritative server/4.5.0
- version/powerdns authoritative server/4.6.0
- canonical/powerdns recursor
- version/powerdns recursor/4.5.0
- version/powerdns recursor/4.6.0
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/34
- version/fedoraproject fedora/35
- version/fedoraproject fedora/36
- package-manager/debian