CVE-2017-3138 — Reachable Assertion in Bind 9
Severity: 5.3 MEDIUM (NVD), 6.5 (CNA)
EPSS: 37.9% (top 2.78%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline
Published: Jan 16
Latest update: May 13
Description
named contains a feature which allows operators to issue commands to a running server by communicating with the server process over a control channel, using a utility program such as rndc. A regression introduced in a recent feature change has created a situation under which some versions of named can be caused to exit with a REQUIRE assertion failure if they are sent a null command string. Affects BIND 9.9.9->9.9.9-P7, 9.9.10b1->9.9.10rc2, 9.10.4->9.10.4-P7, 9.10.5b1->9.10.5rc2, 9.11.0->9.11.0-…
CVSS vector
CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
Exploitability: 1.6 | Impact: 3.6
Affected Packages: 3 packages
CVEListV5: isc/bind_9 9.9.9->9.9.9-P7, 9.9.10b1->9.9.10rc2, 9.10.4->9.10.4-P7, 9.10.5b1->9.10.5rc2, 9.11.0->9.11.0-P4, 9.11.1b1->9.11.1rc2, 9.9.9-S1->9.9.9-S9
Also affects: Debian Linux 8.0
Vulnerability Details (4)
GHSA: GHSA-q858-q2j2-9jg4: named contains a feature which allows operators to issue commands to a running server by communicating with the server process over a control channel, (2022-05-13)
CVEList: named exits with a REQUIRE assertion failure if it receives a null command string on its control channel (2019-01-16)
OSV: CVE-2017-3138: named contains a feature which allows operators to issue commands to a running server by communicating with the server process over a control channel, (2019-01-16)
Vendor Advisories (3)
Community (4)
Bugzilla: CVE-2017-3138 bind: REQUIRE assertion failure when null command string on control channel is received [fedora-all] (2017-04-13)
Bugzilla: CVE-2017-3138 bind99: bind: REQUIRE assertion failure when null command string on control channel is received [fedora-all] (2017-04-13)
Bugzilla: CVE-2017-3138 bind: REQUIRE assertion failure when null command string on control channel is received (2017-04-11)