1219905 – (CVE-2023-5680) VUL-0: CVE-2023-5680: bind: DoS due to inefficient ECS record cache cleanup

Bug 1219905 (CVE-2023-5680) - VUL-0: CVE-2023-5680: bind: DoS due to inefficient ECS record cache cleanup

Summary: VUL-0: CVE-2023-5680: bind: DoS due to inefficient ECS record cache cleanup

Status:	RESOLVED INVALID

Alias:	CVE-2023-5680

Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents (show other bugs)
Version:	unspecified
Hardware:	Other Other

Priority:	P3 - Medium Severity: Normal
Target Milestone:	---
Assignee:	Jorik Cronenberg
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/393884/
Whiteboard:	CVSSv3.1:SUSE:CVE-2023-5680:5.9:(AV:N...
Keywords:

Depends on:
Blocks:

Clone This Bug

Reported:	2024-02-14 08:35 UTC by SMASH SMASH
Modified:	2024-02-14 11:22 UTC (History)
CC List:	1 user (show)

See Also:
Found By:	Security Response Team
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description SMASH SMASH 2024-02-14 08:35:05 UTC

If a resolver cache has a very large number of ECS records stored for the same name, the process of cleaning the cache database node for this name can significantly impair query performance. 
This issue affects BIND 9 versions 9.11.3-S1 through 9.11.37-S1, 9.16.8-S1 through 9.16.45-S1, and 9.18.11-S1 through 9.18.21-S1.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-5680
https://www.cve.org/CVERecord?id=CVE-2023-5680
https://kb.isc.org/docs/cve-2023-5680

Comment 1 Carlos López 2024-02-14 08:52:27 UTC

(In reply to SMASH SMASH from comment #0)
> This issue affects BIND 9 versions 9.11.3-S1 through 9.11.37-S1, 9.16.8-S1
> through 9.16.45-S1, and 9.18.11-S1 through 9.18.21-S1.

 - SUSE:SLE-11-SP2:Update/bind: 9.9.6P1 (not affected)
 - SUSE:SLE-12-SP1:Update/bind: 9.9.9P1 (not affected)
 - SUSE:SLE-12-SP4:Update/bind: 9.11.22 (affected)
 - SUSE:SLE-15:Update/bind: 9.16.6 (not affected)
 - SUSE:SLE-15:Update:Products:ManagerToolsBeta:Update/bind: 9.16.6 (not affected)
 - SUSE:SLE-15-SP3:Update/bind: 9.16.6 (not affected)
 - SUSE:SLE-15-SP4:Update/bind: 9.16.44 (affected)
 - SUSE:SLE-15-SP5:Update/bind: 9.16.44 (affected)
 - SUSE:SLE-15-SP6:GA/bind: 9.16.44 (affected)
 - SUSE:ALP:Source:Standard:1.0/bind: 9.18.21 (affected)
 - openSUSE:Factory/bind: 9.18.21 (affected)

Comment 2 Jorik Cronenberg 2024-02-14 09:27:32 UTC

No, I don't think our codestreams are affected at all. The "S1" branch is the ISC's own "Supported Preview Edition" which is exclusive for their paying customers.

Comment 3 Carlos López 2024-02-14 11:21:59 UTC

(In reply to Jorik Cronenberg from comment #2)
> No, I don't think our codestreams are affected at all. The "S1" branch is
> the ISC's own "Supported Preview Edition" which is exclusive for their
> paying customers.

You're right, I missed that, I'll update tracking.

Comment 4 Carlos López 2024-02-14 11:22:24 UTC

Closing.