CVE-2023-2828

Every `named` instance configured to run as a recursive resolver maintains a cache database holding the responses to the queries it has recently sent to authoritative servers. The size limit for that cache database can be configured using the `max-cache-size` statement in the configuration file; it defaults to 90% of the total amount of memory available on the host. When the size of the cache reaches 7/8 of the configured limit, a cache-cleaning algorithm starts to remove expired and/or least-recently used RRsets from the cache, to keep memory use below the configured limit. It has been discovered that the effectiveness of the cache-cleaning algorithm used in `named` can be severely diminished by querying the resolver for specific RRsets in a certain order, effectively allowing the configured `max-cache-size` limit to be significantly exceeded. This issue affects BIND 9 versions 9.11.0 through 9.16.41, 9.18.0 through 9.18.15, 9.19.0 through 9.19.13, 9.11.3-S1 through 9.16.41-S1, and 9.18.11-S1 through 9.18.15-S1.

Read the notes from the security team

Status

Show unmaintained releases

Package	Ubuntu Release	Status
bind9	25.04 plucky	Fixed 1:9.18.12-1ubuntu2
	24.10 oracular	Fixed 1:9.18.12-1ubuntu2
	24.04 LTS noble	Fixed 1:9.18.12-1ubuntu2
	23.10 mantic	Fixed 1:9.18.12-1ubuntu2
	23.04 lunar	Fixed 1:9.18.12-1ubuntu1.1
	22.10 kinetic	Fixed 1:9.18.12-0ubuntu0.22.10.2
	22.04 LTS jammy	Fixed 1:9.18.12-0ubuntu0.22.04.2
	20.04 LTS focal	Fixed 1:9.16.1-0ubuntu2.15
	18.04 LTS bionic	Fixed 1:9.11.3+dfsg-1ubuntu1.19+esm1 Ubuntu Pro
	16.04 LTS xenial	Fixed 1:9.10.3.dfsg.P4-8ubuntu1.19+esm6 Ubuntu Pro
	14.04 LTS trusty	Fixed 1:9.9.5.dfsg-3ubuntu0.19+esm10 Ubuntu Pro
bind9-libs	25.04 plucky	Not in release
	24.10 oracular	Not in release
	24.04 LTS noble	Not in release
	23.10 mantic	Not in release
	22.04 LTS jammy	Needs evaluation
	20.04 LTS focal	Needs evaluation
	18.04 LTS bionic	Not in release
	16.04 LTS xenial	Not in release
	14.04 LTS trusty	Not in release
isc-dhcp	25.04 plucky	Needs evaluation
	24.10 oracular	Needs evaluation
	24.04 LTS noble	Needs evaluation
	23.10 mantic	Ignored end of life, was needs-triage
	23.04 lunar	Ignored end of life, was needs-triage
	22.10 kinetic	Ignored end of life, was needs-triage
	22.04 LTS jammy	Not affected
	20.04 LTS focal	Not affected
	18.04 LTS bionic	Needs evaluation
	16.04 LTS xenial	Not affected
	14.04 LTS trusty	Not affected

Get expanded security coverage with Ubuntu Pro

Reduce your average CVE exposure time from 98 days to 1 day with expanded CVE patching, ten-years security maintenance and optional support for the full stack of open-source applications. Free for personal use.

Get Ubuntu Pro

Notes

alexmurray

As of isc-dhcp-4.4.3-1, isc-dhcp vendors bind9 libs

mdeslaur

This is unlikely to affect isc-dhcp's use of bind9-libs and the vendored bind9 libs, marking as negligible

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package	Patch details
bind9	Upstream: https://downloads.isc.org/isc/bind9/9.16.42/patches/0001-CVE-2023-2828.patch Upstream: https://downloads.isc.org/isc/bind9/9.18.16/patches/0001-CVE-2023-2828.patch

Severity score breakdown

Parameter	Value
Base score	7.5 · High
Attack vector	Network
Attack complexity	Low
Privileges required	None
User interaction	None
Scope	Unchanged
Confidentiality	None
Integrity impact	None
Availability impact	High
Vector	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Cvss 3 Severity Score