CVE-2019-19331
Published: 16 December 2019
knot-resolver before version 4.3.0 is vulnerable to denial of service through high CPU utilization. DNS replies containing very many resource records may be processed very inefficiently, in extreme cases taking several CPU seconds for each such uncached message. For example, a few thousand A records can be packed into a single DNS message (the message size limit is 64 kB).
Priority
Status
Package | Release | Status |
---|---|---|
knot-resolver (Launchpad, Ubuntu, Debian) | bionic | Needed |
| disco | Ignored (end of life) |
| eoan | Ignored (end of life) |
| focal | Needed |
| groovy | Ignored (end of life) |
| hirsute | Ignored (end of life) |
| impish | Ignored (end of life) |
| jammy | Not vulnerable (5.4.4-1) |
| kinetic | Not vulnerable (5.5.1-5) |
| lunar | Not vulnerable (5.6.0-1) |
| mantic | Not vulnerable (5.6.0-1) |
| trusty | Does not exist |
| upstream | Released (4.3.0) |
| xenial | Needed |
Patches:
- upstream: https://gitlab.nic.cz/knot/knot-resolver/-/merge_requests/903
- upstream: https://gitlab.nic.cz/knot/knot-resolver/-/merge_requests/899
Severity score breakdown
Parameter | Value |
---|---|
Base score | 7.5 |
Attack vector | Network |
Attack complexity | Low |
Privileges required | None |
User interaction | None |
Scope | Unchanged |
Confidentiality | None |
Integrity impact | None |
Availability impact | High |
Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |