CVE-2021-25219

CWE-20 — Improper Input Validation9 documents8 sources

Severity

5.3MEDIUM

EPSS

1.0%

top 22.58%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

ISC Bind Siemens Sinec Infrastructure Network Services ISC Bind9 +4 more

Timeline

PublishedOct 27

Latest updateMay 24

Description

In BIND 9.3.0 -> 9.11.35, 9.12.0 -> 9.16.21, and versions 9.9.3-S1 -> 9.11.35-S1 and 9.16.8-S1 -> 9.16.21-S1 of BIND Supported Preview Edition, as well as release versions 9.17.0 -> 9.17.18 of the BIND 9.17 development branch, exploitation of broken authoritative servers using a flaw in response processing can cause degradation in BIND resolver performance. The way the lame cache is currently designed makes it possible for its internal data structures to grow almost infinitely, which may cause s…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:LExploitability: 3.9 | Impact: 1.4

Affected Packages6 packages

▶NVDisc/bind9.3.0 — 9.11.36+21

▶Debianbind9< 1:9.16.22-1~deb11u1+3

▶CVEListV5isc/bind95 versions+4

▶NVDsiemens/sinec_infrastructure_network_services< 1.0.1.1

▶NVDoracle/http_server12.2.1.3.0, 12.2.1.4.0+1

Also affects: Debian Linux 10.0, 11.0, 9.0, Fedora 33, 34, 35

Patches

Patch: cert-portal.siemens.com ↗Patch: cert-portal.siemens.com ↗

🔴Vulnerability Details

GHSA

GHSA-x6vq-rxvf-3ggc: In BIND 9↗2022-05-24

▶

CVEList

Lame cache can be abused to severely degrade resolver performance↗2021-10-27

▶

OSV

CVE-2021-25219: In BIND 9↗2021-10-27

▶

📋Vendor Advisories

Ubuntu

Bind vulnerability↗2021-10-28

▶

Ubuntu

Bind vulnerability↗2021-10-28

▶

Red Hat

bind: Lame cache can be abused to severely degrade resolver performance↗2021-10-27

▶

Microsoft

Lame cache can be abused to severely degrade resolver performance↗2021-10-12

▶

Debian

CVE-2021-25219: bind9 - In BIND 9.3.0 -> 9.11.35, 9.12.0 -> 9.16.21, and versions 9.9.3-S1 -> 9.11.35-S1...↗2021

▶