Bug 1219905 (CVE-2023-5680)

Summary: VUL-0: CVE-2023-5680: bind: DoS due to inefficient ECS record cache cleanup
Product: [Novell Products] SUSE Security Incidents
Reporter: SMASH SMASH <smash_bz>
Component: Incidents
Assignee: Jorik Cronenberg <jorik.cronenberg>
Status: RESOLVED INVALID
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: carlos.lopez
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/393884/
Whiteboard: CVSSv3.1:SUSE:CVE-2023-5680:5.9:(AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description SMASH SMASH 2024-02-14 08:35:05 UTC
If a resolver cache has a very large number of ECS records stored for the same name, the process of cleaning the cache database node for this name can significantly impair query performance. 
This issue affects BIND 9 versions 9.11.3-S1 through 9.11.37-S1, 9.16.8-S1 through 9.16.45-S1, and 9.18.11-S1 through 9.18.21-S1.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-5680
https://www.cve.org/CVERecord?id=CVE-2023-5680
https://kb.isc.org/docs/cve-2023-5680
Comment 1 Carlos López 2024-02-14 08:52:27 UTC
(In reply to SMASH SMASH from comment #0)
> This issue affects BIND 9 versions 9.11.3-S1 through 9.11.37-S1, 9.16.8-S1
> through 9.16.45-S1, and 9.18.11-S1 through 9.18.21-S1.

 - SUSE:SLE-11-SP2:Update/bind: 9.9.6P1 (not affected)
 - SUSE:SLE-12-SP1:Update/bind: 9.9.9P1 (not affected)
 - SUSE:SLE-12-SP4:Update/bind: 9.11.22 (affected)
 - SUSE:SLE-15:Update/bind: 9.16.6 (not affected)
 - SUSE:SLE-15:Update:Products:ManagerToolsBeta:Update/bind: 9.16.6 (not affected)
 - SUSE:SLE-15-SP3:Update/bind: 9.16.6 (not affected)
 - SUSE:SLE-15-SP4:Update/bind: 9.16.44 (affected)
 - SUSE:SLE-15-SP5:Update/bind: 9.16.44 (affected)
 - SUSE:SLE-15-SP6:GA/bind: 9.16.44 (affected)
 - SUSE:ALP:Source:Standard:1.0/bind: 9.18.21 (affected)
 - openSUSE:Factory/bind: 9.18.21 (affected)
Comment 2 Jorik Cronenberg 2024-02-14 09:27:32 UTC
No, I don't think our codestreams are affected at all. The "S1" branch is the ISC's own "Supported Preview Edition" which is exclusive for their paying customers.
Comment 3 Carlos López 2024-02-14 11:21:59 UTC
(In reply to Jorik Cronenberg from comment #2)
> No, I don't think our codestreams are affected at all. The "S1" branch is
> the ISC's own "Supported Preview Edition" which is exclusive for their
> paying customers.

You're right, I missed that, I'll update tracking.
Comment 4 Carlos López 2024-02-14 11:22:24 UTC
Closing.
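
Added example (not part of the bug report or of SUSE's tooling): a version check for the ranges quoted in the description that requires the edition suffix to match, next to a numeric-only comparison that reproduces the comment 1 result. The function names, the accepted version syntax, and the treatment of any `-S<n>` suffix as the Supported Preview Edition marker are assumptions of this example.

```python
import re

# Affected ranges as quoted in the bug description; every bound is an -S1 release.
AFFECTED_RANGES = [((9, 11, 3), (9, 11, 37)),
                   ((9, 16, 8), (9, 16, 45)),
                   ((9, 18, 11), (9, 18, 21))]

# major.minor.patch, optional patch level ("P1" or "-P1"), optional "-S<n>" suffix.
# Assumption: any "-S<n>" suffix marks ISC's Supported Preview Edition.
_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-?P\d+)?(-S\d+)?$", re.IGNORECASE)

def parse(version):
    """Return ((major, minor, patch), is_preview_edition)."""
    m = _VERSION.match(version.strip())
    if m is None:
        raise ValueError(f"unrecognised BIND version: {version!r}")
    return tuple(int(part) for part in m.group(1, 2, 3)), m.group(4) is not None

def in_numeric_range(version):
    """Numeric comparison only: ignores the edition suffix."""
    core, _ = parse(version)
    return any(low <= core <= high for low, high in AFFECTED_RANGES)

def is_affected(version):
    """Affected only if it is a preview-edition build inside a listed range."""
    _, preview = parse(version)
    return preview and in_numeric_range(version)

# Package versions taken from comment 1 of this bug.
CODESTREAMS = {
    "SUSE:SLE-12-SP1:Update/bind": "9.9.9P1",
    "SUSE:SLE-12-SP4:Update/bind": "9.11.22",
    "SUSE:SLE-15-SP3:Update/bind": "9.16.6",
    "SUSE:SLE-15-SP5:Update/bind": "9.16.44",
    "openSUSE:Factory/bind": "9.18.21",
}

def triage(codestreams):
    """Map each codestream to (numeric_match, actually_affected)."""
    return {name: (in_numeric_range(v), is_affected(v))
            for name, v in codestreams.items()}

if __name__ == "__main__":
    for name, (numeric, affected) in triage(CODESTREAMS).items():
        print(f"{name:30} numeric-match={numeric!s:5} affected={affected}")
```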