Published: 22 Jul 2024
Source: github
GitHub: Reviewed
CVSS4: 7.7
CVSS3: 6.5
Description
DNSJava vulnerable to KeyTrap - Denial-of-Service Algorithmic Complexity Attacks
Impact
Users using the ValidatingResolver for DNSSEC validation can run into CPU exhaustion with specially crafted DNSSEC-signed zones.
Patches
Users should upgrade to dnsjava v3.6.0.
Workarounds
Although not recommended, using only a non-validating resolver will remove the vulnerability.
References
Links
- https://github.com/dnsjava/dnsjava/security/advisories/GHSA-crjg-w57m-rqqf
- https://nvd.nist.gov/vuln/detail/CVE-2023-50387
- https://github.com/dnsjava/dnsjava/commit/07ac36a11578cc1bce0cd8ddf2fe568f062aee78
- https://github.com/dnsjava/dnsjava/commit/3ddc45ce8cdb5c2274e10b7401416f497694e1cf
- https://github.com/advisories/GHSA-8459-gg55-8qjj
Packages
Name: dnsjava:dnsjava (maven)
Affected versions: >= 3.5.0, < 3.6.0
Fixed version: 3.6.0
Name: org.jitsi:dnssecjava (maven)
Affected versions: <= 2.0.0
Fixed version: None
CVSS4: 7.7 High
CVSS3: 6.5 Medium
Weaknesses: CWE-770