CVE-2024-11187
Publication date 29 January 2025
Last updated 6 February 2025
Ubuntu priority
Cvss 3 Severity Score
It is possible to construct a zone such that some queries to it will generate responses containing numerous records in the Additional section. An attacker sending many such queries can cause either the authoritative server itself or an independent resolver to use disproportionate resources processing the queries. Zones will usually need to have been deliberately crafted to attack this exposure. This issue affects BIND 9 versions 9.11.0 through 9.11.37, 9.16.0 through 9.16.50, 9.18.0 through 9.18.32, 9.20.0 through 9.20.4, 9.21.0 through 9.21.3, 9.11.3-S1 through 9.11.37-S1, 9.16.8-S1 through 9.16.50-S1, and 9.18.11-S1 through 9.18.32-S1.
Status
Package | Ubuntu Release | Status |
---|---|---|
bind9 | 24.10 oracular |
Fixed 1:9.20.0-2ubuntu3.1
|
24.04 LTS noble |
Fixed 1:9.18.30-0ubuntu0.24.04.2
|
|
22.04 LTS jammy |
Fixed 1:9.18.30-0ubuntu0.22.04.2
|
|
20.04 LTS focal |
Fixed 1:9.18.30-0ubuntu0.20.04.2
|
|
18.04 LTS bionic |
Needs evaluation
|
|
16.04 LTS xenial |
Needs evaluation
|
|
bind9-libs | 24.10 oracular | Not in release |
24.04 LTS noble | Not in release | |
22.04 LTS jammy |
Needs evaluation
|
|
20.04 LTS focal |
Needs evaluation
|
|
isc-dhcp | 24.10 oracular |
Needs evaluation
|
24.04 LTS noble |
Needs evaluation
|
|
22.04 LTS jammy |
Not affected
|
|
20.04 LTS focal |
Not affected
|
|
18.04 LTS bionic |
Needs evaluation
|
|
16.04 LTS xenial |
Not affected
|
Notes
alexmurray
As of isc-dhcp-4.4.3-1, isc-dhcp vendors bind9 libs
mdeslaur
in focal and jammy, isc-dhcp uses the bind9-libs package This is unlikely to affect isc-dhcp’s use of bind9-libs and the vendored bind9 libs, marking as negligible
Severity score breakdown
Parameter | Value |
---|---|
Base score |
|
Attack vector | Network |
Attack complexity | Low |
Privileges required | None |
User interaction | None |
Scope | Unchanged |
Confidentiality | None |
Integrity impact | None |
Availability impact | High |
Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
References
Related Ubuntu Security Notices (USN)
- USN-7241-1
- Bind vulnerabilities
- 29 January 2025