CVE-2019-19331: Inefficient Algorithmic Complexity in Knot Resolver

Severity: 7.5 HIGH (NVD)
EPSS: 0.5% (top 34.47%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Dec 16; latest update Oct 1

Description

knot-resolver before version 4.3.0 is vulnerable to denial of service through high CPU utilization. DNS replies with very many resource records might be processed very inefficiently, in extreme cases taking even several CPU seconds for each such uncached message. For example, a few thousand A records can be squashed into one DNS message (limit is 64kB).

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Exploitability: 3.9 | Impact: 3.6

Affected Packages (3 packages)

NVD: nic/knot_resolver < 4.3.0
Debian: cz.nic/knot-resolver < 5.0.1-1+3
CVEListV5: cz.nic/knot-resolver 4.3.0

Also affects: Debian Linux 10.0

Patches

🔴 Vulnerability Details (4)

OSV: knot-resolver vulnerabilities (2024-10-01)
GHSA: GHSA-9f7v-8m4p-pv76: knot-resolver before version 4 (2022-05-24)
OSV: CVE-2019-19331: knot-resolver before version 4 (2019-12-16)
CVEList: CVE-2019-19331: knot-resolver before version 4 (2019-12-16)

📋 Vendor Advisories (1)

Debian: CVE-2019-19331: knot-resolver - knot-resolver before version 4.3.0 is vulnerable to denial of service through hi... (2019)

💬 Community (3)

Bugzilla: CVE-2019-19331 knot-resolver: DNS packets taking few seconds to process with full CPU utilization leads to DoS [epel-7] (2019-12-06)
Bugzilla: CVE-2019-19331 knot-resolver: DNS packets taking few seconds to process with full CPU utilization leads to DoS [fedora-all] (2019-12-06)
Bugzilla: CVE-2019-19331 knot-resolver: DNS packets taking few seconds to process with full CPU utilization leads to DoS (2019-12-04)