Описание
CoreDNS is a DNS server that chains plugins. In versions prior to 1.12.2, a Denial of Service (DoS) vulnerability exists in the CoreDNS DNS-over-QUIC (DoQ) server implementation. The server previously created a new goroutine for every incoming QUIC stream without imposing any limits on the number of concurrent streams or goroutines. A remote, unauthenticated attacker could open a large number of streams, leading to uncontrolled memory consumption and eventually causing an Out Of Memory (OOM) crash — especially in containerized or memory-constrained environments. The patch in version 1.12.2 introduces two key mitigation mechanisms: max_streams, which caps the number of concurrent QUIC streams per connection with a default value of 256; and worker_pool_size, which Introduces a server-wide, bounded worker pool to process incoming streams with a default value of 1024. This eliminates the 1:1 stream-to-goroutine model and ensures that CoreDNS remains resilient under high concurren
Ссылки
EPSS
7.5 High
CVSS3
Дефекты
Связанные уязвимости
CoreDNS is a DNS server that chains plugins. In versions prior to 1.12.2, a Denial of Service (DoS) vulnerability exists in the CoreDNS DNS-over-QUIC (DoQ) server implementation. The server previously created a new goroutine for every incoming QUIC stream without imposing any limits on the number of concurrent streams or goroutines. A remote, unauthenticated attacker could open a large number of streams, leading to uncontrolled memory consumption and eventually causing an Out Of Memory (OOM) crash — especially in containerized or memory-constrained environments. The patch in version 1.12.2 introduces two key mitigation mechanisms: `max_streams`, which caps the number of concurrent QUIC streams per connection with a default value of `256`; and `worker_pool_size`, which Introduces a server-wide, bounded worker pool to process incoming streams with a default value of `1024`. This eliminates the 1:1 stream-to-goroutine model and ensures that CoreDNS remains resilient under high concur...
CoreDNS is a DNS server that chains plugins. In versions prior to 1.12 ...
CoreDNS Vulnerable to DoQ Memory Exhaustion via Stream Amplification
Уязвимость реализации протокола QUIC DNS-сервера CoreDNS, позволяющая нарушителю вызвать отказ в обслуживании
EPSS
7.5 High
CVSS3