Description
Clients using DNS-over-HTTPS (DoH) can exhaust a DNS resolver's CPU and/or memory by flooding it with crafted valid or invalid HTTP/2 traffic.
This issue affects BIND 9 versions 9.18.0 through 9.18.32, 9.20.0 through 9.20.4, 9.21.0 through 9.21.3, and 9.18.11-S1 through 9.18.32-S1.
A flaw was found in BIND 9. By flooding a target resolver with HTTP/2 traffic and exploiting this flaw, an attacker could overwhelm the server, causing high CPU and/or memory usage and preventing other clients from establishing DoH connections. This issue could significantly impair the resolver's performance and effectively deny legitimate clients access to the DNS resolution service.
Statement
The bind package shipped by Red Hat by default does not enable DNS-over-HTTPS functionality. The bind-9.11 version used in Red Hat Enterprise Linux 7 and 8 does not have any DNS-over-HTTP/HTTPS/TLS implementation and is therefore not affected. The bind-9.16 version used in Red Hat Enterprise Linux 8 and 9 does not have any DNS-over-HTTP/HTTPS/TLS implementation and is therefore not affected by this vulnerability.
Mitigation
If the feature is not needed, disable DNS-over-HTTPS (DoH) in your bind configuration: DoH is enabled per listener by the http option on listen-on / listen-on-v6 statements, so remove those statements (or their http clause) and reload named. Otherwise, we recommend upgrading to a patched version of bind.
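As an added triage example (not code from the advisory, Red Hat or ISC), the POSIX shell script below checks the two facts a practitioner wants before choosing between the mitigations above: whether the installed BIND version sits inside one of the affected ranges quoted in the description, and whether named.conf actually exposes a DoH listener (a listen-on / listen-on-v6 statement carrying the http option). The sample named.conf is constructed for the demo, the format of `named -v` output is an assumption, and the function names are mine.

```sh
#!/bin/sh
# Added example, not Red Hat's or ISC's code. Assumptions are marked inline.

# Return 0 if VERSION falls in an affected range quoted in the advisory:
# 9.18.0-9.18.32, 9.20.0-9.20.4, 9.21.0-9.21.3, and 9.18.11-S1-9.18.32-S1.
bind_affected() {
    ver=$1
    case "$ver" in
        *-S[0-9]*) s1=1 ;;   # Subscription Edition build ("-S1" suffix)
        *)         s1=0 ;;
    esac
    base=${ver%%-S*}                                # "9.18.32-S1" -> "9.18.32"
    major=${base%%.*}
    rest=${base#*.}
    case "$rest" in *.*) ;; *) return 1 ;; esac     # need major.minor.patch
    minor=${rest%%.*}
    patch=${rest#*.}
    patch=${patch%%[!0-9]*}                         # drop "-RH", "rc1" and similar suffixes
    [ "$major" = 9 ] && [ -n "$patch" ] || return 1
    case "$minor" in
        18) if [ "$s1" = 1 ]; then lo=11; else lo=0; fi; hi=32 ;;
        20) [ "$s1" = 0 ] || return 1; lo=0; hi=4 ;;
        21) [ "$s1" = 0 ] || return 1; lo=0; hi=3 ;;
        *)  return 1 ;;
    esac
    [ "$patch" -ge "$lo" ] && [ "$patch" -le "$hi" ]
}

# Print every listen-on / listen-on-v6 statement in FILE that carries the http option,
# i.e. a DoH endpoint; exit status 1 when there is none. Comments are stripped first so a
# commented-out listener is not reported. named.conf accepts "//", "#" and "/* ... */";
# block comments spanning several lines are not handled here (assumption: rare in practice).
doh_listeners() {
    sed -e 's|/\*.*\*/||' -e 's|//.*||' -e 's|#.*||' "$1" |
        grep -E 'listen-on(-v6)?[^;]*[[:space:]]http[[:space:]]'
}

# Exposed only when both hold: affected version AND an active DoH listener.
doh_exposed() {
    bind_affected "$1" && doh_listeners "$2" >/dev/null
}

# Version of the named binary on this host, if installed. Assumes "named -v" starts with
# "BIND <version>", e.g. "BIND 9.18.32 (Extended Support Version) <id:...>".
running_version() {
    command -v named >/dev/null 2>&1 || return 1
    named -v | sed -n 's/^BIND \([^ ]*\).*/\1/p'
}

# Constructed sample named.conf for the demo (not a real host's configuration).
sample_conf() {
    cat <<'EOF'
options {
    directory "/var/named";
    listen-on port 53 { any; };
    # DoH endpoints: this is the surface the HTTP/2 flood described above hits
    listen-on port 443 tls local-tls http local-http { any; };
    listen-on-v6 port 443 tls local-tls http local-http { any; };
    // listen-on port 8080 http default { any; };   disabled, must not be reported
};
EOF
}

# Stand-alone demo: real version if named is present, otherwise a constructed one.
conf=$(mktemp)
sample_conf > "$conf"
ver=$(running_version) || ver=9.18.32
if doh_exposed "$ver" "$conf"; then
    echo "BIND $ver is in an affected range and these DoH listeners are active:"
    doh_listeners "$conf"
else
    echo "BIND $ver: not exposed (unaffected version or no active DoH listener)"
fi
rm -f "$conf"
```

Run it on a real host as `sh doh_triage.sh` after replacing the sample config with `/etc/named.conf` (and any files it includes); a version inside the ranges with no http listener needs only the upgrade, while an active listener on an unpatched host is what the mitigation above is about.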
Affected packages
Platform | Package | State | Errata | Release date |
---|---|---|---|---|
Red Hat Enterprise Linux 10 | bind | Affected | ||
Red Hat Enterprise Linux 6 | bind | Not affected | ||
Red Hat Enterprise Linux 7 | bind | Not affected | ||
Red Hat Enterprise Linux 8 | bind | Not affected | ||
Red Hat Enterprise Linux 8 | bind9.16 | Not affected | ||
Red Hat Enterprise Linux 9 | bind | Not affected | ||
Red Hat Enterprise Linux 9 | dhcp | Not affected | ||
Red Hat Enterprise Linux 9 | bind9.18 | Fixed | RHSA-2025:1670 | 19.02.2025 |
Red Hat OpenShift Container Platform 4.16 | rhcos-416.94.202502260030 | Fixed | RHSA-2025:1907 | 05.03.2025 |
Additional information
CVSS3 base score: 7.5 High