openEuler 20.03 LTS SP4 update for bind

Published: 2024-08-09

Risk	Medium
Patch available	YES
Number of vulnerabilities	2
CVE-ID	CVE-2024-1737 CVE-2024-1975
CWE-ID	CWE-399 CWE-400
Exploitation vector	Network
Public exploit	N/A
Vulnerable software	openEuler Operating systems & Components / Operating system python3-bind Operating systems & Components / Operating system package or component bind-utils Operating systems & Components / Operating system package or component bind-pkcs11-devel Operating systems & Components / Operating system package or component bind-pkcs11 Operating systems & Components / Operating system package or component bind-libs-lite Operating systems & Components / Operating system package or component bind-libs Operating systems & Components / Operating system package or component bind-export-libs Operating systems & Components / Operating system package or component bind-export-devel Operating systems & Components / Operating system package or component bind-devel Operating systems & Components / Operating system package or component bind-debugsource Operating systems & Components / Operating system package or component bind-debuginfo Operating systems & Components / Operating system package or component bind-chroot Operating systems & Components / Operating system package or component bind Operating systems & Components / Operating system package or component
Vendor	openEuler

Security Bulletin

This security bulletin contains information about 2 vulnerabilities.

1) Resource management error

EUVDB-ID: #VU94710

Risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2024-1737

CWE-ID: CWE-399 - Resource Management Errors

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper management of internal resources within the application when handling a very large number of RRs. Resolver caches and authoritative zone databases that hold significant numbers of RRs for the same hostname (of any RTYPE) can suffer from degraded performance as content is being added or updated, and also when handling client queries for this name.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

openEuler: 20.03 LTS SP4

python3-bind: before 9.11.21-19

bind-utils: before 9.11.21-19

bind-pkcs11-devel: before 9.11.21-19

bind-pkcs11: before 9.11.21-19

bind-libs-lite: before 9.11.21-19

bind-libs: before 9.11.21-19

bind-export-libs: before 9.11.21-19

bind-export-devel: before 9.11.21-19

bind-devel: before 9.11.21-19

bind-debugsource: before 9.11.21-19

bind-debuginfo: before 9.11.21-19

bind-chroot: before 9.11.21-19

bind: before 9.11.21-19

CPE2.3

External links

https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2024-1972

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Resource exhaustion

EUVDB-ID: #VU94711