CVE-2017-3145

HIGH

BIND 9.0.0-9.12.0rc1 Use-After-Free

Title source: llm
STIX 2.1

Description

BIND was improperly sequencing cleanup operations on upstream recursion fetch contexts, leading in some cases to a use-after-free error that can trigger an assertion failure and crash in named. Affects BIND 9.0.0 to 9.8.x, 9.9.0 to 9.9.11, 9.10.0 to 9.10.6, 9.11.0 to 9.11.2, 9.9.3-S1 to 9.9.11-S1, 9.10.5-S1 to 9.10.6-S1, 9.12.0a1 to 9.12.0rc1.

References (11)

Core 11
Core References
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2018:0102
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2018:0487
Third Party Advisory vendor-advisory x_refsource_debian
https://www.debian.org/security/2018/dsa-4089
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2018:0488
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2018:0101
Broken Link, Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id/1040195
Vendor Advisory x_refsource_confirm
https://kb.isc.org/docs/aa-01542
Broken Link, Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/102716
Mailing List, Third Party Advisory mailing-list x_refsource_mlist
https://lists.debian.org/debian-lts-announce/2018/01/msg00029.html
Third Party Advisory x_refsource_confirm
https://security.netapp.com/advisory/ntap-20180117-0003/

Scores

CVSS v3 7.5
EPSS 0.0799
EPSS Percentile 92.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Details

CWE
CWE-416
Status published
Products (38)
debian/debian_linux 7.0
debian/debian_linux 8.0
debian/debian_linux 9.0
isc/bind 9.9.3 s1
isc/bind 9.9.11 s1
isc/bind 9.10.5 s1
isc/bind 9.10.6 s1
isc/bind 9.12.0 alpha1 (4 CPE variants)
isc/bind 9.4.0 - 9.8.8
juniper/junos 12.1x46-d76
... and 28 more
Published Jan 16, 2019
Tracked Since Feb 18, 2026