{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"cveId":"CVE-2023-4236","assignerOrgId":"404fd4d2-a609-4245-b543-2c944a302a22","state":"PUBLISHED","assignerShortName":"isc","dateReserved":"2023-08-08T10:23:50.680Z","datePublished":"2023-09-20T12:32:16.631Z","dateUpdated":"2025-02-13T17:09:18.327Z"},"containers":{"cna":{"providerMetadata":{"orgId":"404fd4d2-a609-4245-b543-2c944a302a22","shortName":"isc","dateUpdated":"2023-11-03T20:06:12.271Z"},"title":"named may terminate unexpectedly under high DNS-over-TLS query load","datePublic":"2023-09-20T00:00:00.000Z","affected":[{"vendor":"ISC","product":"BIND 9","versions":[{"version":"9.18.0","lessThanOrEqual":"9.18.18","status":"affected","versionType":"custom"},{"version":"9.18.11-S1","lessThanOrEqual":"9.18.18-S1","status":"affected","versionType":"custom"}],"defaultStatus":"unaffected"}],"metrics":[{"cvssV3_1":{"version":"3.1","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","baseScore":7.5,"baseSeverity":"HIGH"}}],"descriptions":[{"lang":"en","value":"A flaw in the networking code handling DNS-over-TLS queries may cause `named` to terminate unexpectedly due to an assertion failure. This happens when internal data structures are incorrectly reused under significant DNS-over-TLS query load.\nThis issue affects BIND 9 versions 9.18.0 through 9.18.18 and 9.18.11-S1 through 9.18.18-S1."}],"impacts":[{"descriptions":[{"lang":"en","value":"A `named` instance vulnerable to this flaw may terminate unexpectedly when subjected to significant DNS-over-TLS query load.\n\nThis flaw does not affect DNS-over-HTTPS code, as that uses a different TLS implementation."}]}],"workarounds":[{"lang":"en","value":"Disabling listening for DNS-over-TLS connections (by removing `listen-on ... tls ... { ... };` statements from the configuration) prevents the affected code paths from being taken, rendering exploitation impossible. However, there is no workaround for this flaw if DNS-over-TLS support is required."}],"exploits":[{"lang":"en","value":"We are not aware of any active exploits."}],"solutions":[{"lang":"en","value":"Upgrade to the patched release most closely related to your current version of BIND 9: 9.18.19 or 9.18.19-S1."}],"credits":[{"lang":"en","value":"ISC would like to thank Robert Story from the USC/ISI DNS root server operations team for bringing this vulnerability to our attention."}],"references":[{"url":"https://kb.isc.org/docs/cve-2023-4236","name":"CVE-2023-4236","tags":["vendor-advisory"]},{"url":"http://www.openwall.com/lists/oss-security/2023/09/20/2"},{"url":"https://www.debian.org/security/2023/dsa-5504"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IPJLLTJCSDJJII7IIZPLTBQNWP7MZH7F/"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U35OARLQCPMVCBBPHWBXY5M6XJLD2TZ5/"},{"url":"https://security.netapp.com/advisory/ntap-20231013-0004/"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VSK5V4W4OHPM3JTJGWAQD6CZW7SFD75B/"}],"source":{"discovery":"EXTERNAL"}},"adp":[{"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2024-08-02T07:24:03.623Z"},"title":"CVE Program Container","references":[{"url":"https://kb.isc.org/docs/cve-2023-4236","name":"CVE-2023-4236","tags":["vendor-advisory","x_transferred"]},{"url":"http://www.openwall.com/lists/oss-security/2023/09/20/2","tags":["x_transferred"]},{"url":"https://www.debian.org/security/2023/dsa-5504","tags":["x_transferred"]},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IPJLLTJCSDJJII7IIZPLTBQNWP7MZH7F/","tags":["x_transferred"]},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U35OARLQCPMVCBBPHWBXY5M6XJLD2TZ5/","tags":["x_transferred"]},{"url":"https://security.netapp.com/advisory/ntap-20231013-0004/","tags":["x_transferred"]},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VSK5V4W4OHPM3JTJGWAQD6CZW7SFD75B/","tags":["x_transferred"]}]}]}}