CVE-2017-3137

HIGH

BIND 9.9.9-P6 to 9.11.1rc1 - Reachable Assertion via CNAME/DNAME Ordering

Title source: llm
STIX 2.1

Description

Mistaken assumptions about the ordering of records in the answer section of a response containing CNAME or DNAME resource records could lead to a situation in which named would exit with an assertion failure when processing a response in which records occurred in an unusual order. Affects BIND 9.9.9-P6, 9.9.10b1->9.9.10rc1, 9.10.4-P6, 9.10.5b1->9.10.5rc1, 9.11.0-P3, 9.11.1b1->9.11.1rc1, and 9.9.9-S8.

References (11)

Core 11
Core References
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2017:1095
Third Party Advisory vendor-advisory x_refsource_gentoo
https://security.gentoo.org/glsa/201708-01
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id/1038258
Third Party Advisory x_refsource_confirm
https://security.netapp.com/advisory/ntap-20180802-0002/
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id/1040195
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2017:1582
Third Party Advisory vendor-advisory x_refsource_debian
https://www.debian.org/security/2017/dsa-3854
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2017:1583
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/97651
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2017:1105
Vendor Advisory x_refsource_confirm
https://kb.isc.org/docs/aa-01466

Scores

CVSS v3 7.5
EPSS 0.2850
EPSS Percentile 96.6%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Details

CWE
CWE-617
Status published
Products (35)
debian/debian_linux 8.0
isc/bind 9.9.9 p6 (2 CPE variants)
isc/bind 9.9.10 beta1 (2 CPE variants)
isc/bind 9.10.4 p6
isc/bind 9.10.5 b1 (2 CPE variants)
isc/bind 9.11.0 p3
isc/bind 9.11.1 b1 (2 CPE variants)
netapp/data_ontap_edge
netapp/element_software
netapp/oncommand_balance
... and 25 more
Published Jan 16, 2019
Tracked Since Feb 18, 2026