Amazon Linux AMI update for bind
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 2 |
| CVE-ID | CVE-2015-8704 CVE-2015-8705 |
| CWE-ID | CWE-20 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
Amazon Linux AMI Operating systems & Components / Operating system |
| Vendor | Amazon Web Services |
Security Bulletin
This security bulletin contains information about 2 vulnerabilities.
1) Input validation error
EUVDB-ID: #VU31952
Risk: Medium
CVSSv4.0: 4.9 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2015-8704
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote authenticated user to perform a denial of service (DoS) attack.
apl_42.c in ISC BIND 9.x before 9.9.8-P3, 9.9.x, and 9.10.x before 9.10.3-P3 allows remote authenticated users to cause a denial of service (INSIST assertion failure and daemon exit) via a malformed Address Prefix List (APL) record.
MitigationUpdate the affected packages:
i686:Vulnerable software versions
bind-9.8.2-0.37.rc1.43.amzn1.i686
bind-chroot-9.8.2-0.37.rc1.43.amzn1.i686
bind-devel-9.8.2-0.37.rc1.43.amzn1.i686
bind-debuginfo-9.8.2-0.37.rc1.43.amzn1.i686
bind-utils-9.8.2-0.37.rc1.43.amzn1.i686
bind-libs-9.8.2-0.37.rc1.43.amzn1.i686
bind-sdb-9.8.2-0.37.rc1.43.amzn1.i686
src:
bind-9.8.2-0.37.rc1.43.amzn1.src
x86_64:
bind-sdb-9.8.2-0.37.rc1.43.amzn1.x86_64
bind-libs-9.8.2-0.37.rc1.43.amzn1.x86_64
bind-9.8.2-0.37.rc1.43.amzn1.x86_64
bind-devel-9.8.2-0.37.rc1.43.amzn1.x86_64
bind-utils-9.8.2-0.37.rc1.43.amzn1.x86_64
bind-debuginfo-9.8.2-0.37.rc1.43.amzn1.x86_64
bind-chroot-9.8.2-0.37.rc1.43.amzn1.x86_64
Amazon Linux AMI: All versions
CPE2.3 External linkshttps://alas.aws.amazon.com/ALAS-2016-641.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Input validation error
EUVDB-ID: #VU31953
Risk: Medium
CVSSv4.0: 4.9 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2015-8705
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to #BASIC_IMPACT#.
buffer.c in named in ISC BIND 9.10.x before 9.10.3-P3, when debug logging is enabled, allows remote attackers to cause a denial of service (REQUIRE assertion failure and daemon exit, or daemon crash) or possibly have unspecified other impact via (1) OPT data or (2) an ECS option.
MitigationUpdate the affected packages:
i686:Vulnerable software versions
bind-9.8.2-0.37.rc1.43.amzn1.i686
bind-chroot-9.8.2-0.37.rc1.43.amzn1.i686
bind-devel-9.8.2-0.37.rc1.43.amzn1.i686
bind-debuginfo-9.8.2-0.37.rc1.43.amzn1.i686
bind-utils-9.8.2-0.37.rc1.43.amzn1.i686
bind-libs-9.8.2-0.37.rc1.43.amzn1.i686
bind-sdb-9.8.2-0.37.rc1.43.amzn1.i686
src:
bind-9.8.2-0.37.rc1.43.amzn1.src
x86_64:
bind-sdb-9.8.2-0.37.rc1.43.amzn1.x86_64
bind-libs-9.8.2-0.37.rc1.43.amzn1.x86_64
bind-9.8.2-0.37.rc1.43.amzn1.x86_64
bind-devel-9.8.2-0.37.rc1.43.amzn1.x86_64
bind-utils-9.8.2-0.37.rc1.43.amzn1.x86_64
bind-debuginfo-9.8.2-0.37.rc1.43.amzn1.x86_64
bind-chroot-9.8.2-0.37.rc1.43.amzn1.x86_64
Amazon Linux AMI: All versions
CPE2.3 External linkshttps://alas.aws.amazon.com/ALAS-2016-641.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
