{"containers": {"cna": {"affected": [{"product": "BIND9", "vendor": "ISC", "versions": [{"changes": [{"at": "9.16.6", "status": "unaffected"}, {"at": "9.17.0", "status": "affected"}, {"at": "9.17.4", "status": "unaffected"}], "lessThan": "*", "status": "affected", "version": "9.14.0", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "ISC would like to thank Joseph Gullo for bringing this vulnerability to our attention."}], "datePublic": "2020-08-20T00:00:00", "descriptions": [{"lang": "en", "value": "In BIND 9.14.0 -> 9.16.5, 9.17.0 -> 9.17.3, If a server is configured with both QNAME minimization and 'forward first' then an attacker who can send queries to it may be able to trigger the condition that will cause the server to crash. Servers that 'forward only' are not affected."}], "exploits": [{"lang": "en", "value": "We are not aware of any active exploits."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"description": "While query forwarding and QNAME minimization are mutually incompatible, BIND did sometimes allow QNAME minimization when continuing with recursion after 'forward first' did not result in an answer. In these cases the data used by QNAME minimization might be inconsistent, leading to an assertion failure, causing the server to exit. Affects BIND 9.14.0 -> 9.16.5, 9.17.0 -> 9.17.3", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2020-10-20T11:06:43", "orgId": "404fd4d2-a609-4245-b543-2c944a302a22", "shortName": "isc"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://kb.isc.org/docs/cve-2020-8621"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://security.netapp.com/advisory/ntap-20200827-0003/"}, {"name": "USN-4468-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU"], "url": "https://usn.ubuntu.com/4468-1/"}, {"name": "GLSA-202008-19", "tags": ["vendor-advisory", "x_refsource_GENTOO"], "url": "https://security.gentoo.org/glsa/202008-19"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://www.synology.com/security/advisory/Synology_SA_20_19"}, {"name": "openSUSE-SU-2020:1699", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00041.html"}, {"name": "openSUSE-SU-2020:1701", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00044.html"}], "solutions": [{"lang": "en", "value": "Upgrade to the patched release most closely related to your current version of BIND:\n\n BIND 9.16.6\n BIND 9.17.4"}], "source": {"discovery": "USER"}, "title": "Attempting QNAME minimization after forwarding can lead to an assertion failure in resolver.c", "workarounds": [{"lang": "en", "value": "No workarounds known."}], "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-officer@isc.org", "DATE_PUBLIC": "2020-08-20T18:35:08.000Z", "ID": "CVE-2020-8621", "STATE": "PUBLIC", "TITLE": "Attempting QNAME minimization after forwarding can lead to an assertion failure in resolver.c"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "BIND9", "version": {"version_data": [{"version_affected": ">=", "version_name": "", "version_value": "9.14.0"}, {"version_affected": "<", "version_name": "", "version_value": "9.16.6"}, {"version_affected": ">=", "version_name": "", "version_value": "9.17.0"}, {"version_affected": "<", "version_name": "", "version_value": "9.17.4"}]}}]}, "vendor_name": "ISC"}]}}, "credit": [{"lang": "eng", "value": "ISC would like to thank Joseph Gullo for bringing this vulnerability to our attention."}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "In BIND 9.14.0 -> 9.16.5, 9.17.0 -> 9.17.3, If a server is configured with both QNAME minimization and 'forward first' then an attacker who can send queries to it may be able to trigger the condition that will cause the server to crash. Servers that 'forward only' are not affected."}]}, "exploit": [{"lang": "en", "value": "We are not aware of any active exploits."}], "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "While query forwarding and QNAME minimization are mutually incompatible, BIND did sometimes allow QNAME minimization when continuing with recursion after 'forward first' did not result in an answer. In these cases the data used by QNAME minimization might be inconsistent, leading to an assertion failure, causing the server to exit. Affects BIND 9.14.0 -> 9.16.5, 9.17.0 -> 9.17.3"}]}]}, "references": {"reference_data": [{"name": "https://kb.isc.org/docs/cve-2020-8621", "refsource": "CONFIRM", "url": "https://kb.isc.org/docs/cve-2020-8621"}, {"name": "https://security.netapp.com/advisory/ntap-20200827-0003/", "refsource": "CONFIRM", "url": "https://security.netapp.com/advisory/ntap-20200827-0003/"}, {"name": "USN-4468-1", "refsource": "UBUNTU", "url": "https://usn.ubuntu.com/4468-1/"}, {"name": "GLSA-202008-19", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/202008-19"}, {"name": "https://www.synology.com/security/advisory/Synology_SA_20_19", "refsource": "CONFIRM", "url": "https://www.synology.com/security/advisory/Synology_SA_20_19"}, {"name": "openSUSE-SU-2020:1699", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00041.html"}, {"name": "openSUSE-SU-2020:1701", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00044.html"}]}, "solution": [{"lang": "en", "value": "Upgrade to the patched release most closely related to your current version of BIND:\n\n BIND 9.16.6\n BIND 9.17.4"}], "source": {"discovery": "USER"}, "work_around": [{"lang": "en", "value": "No workarounds known."}]}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T10:03:46.261Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://kb.isc.org/docs/cve-2020-8621"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://security.netapp.com/advisory/ntap-20200827-0003/"}, {"name": "USN-4468-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU", "x_transferred"], "url": "https://usn.ubuntu.com/4468-1/"}, {"name": "GLSA-202008-19", "tags": ["vendor-advisory", "x_refsource_GENTOO", "x_transferred"], "url": "https://security.gentoo.org/glsa/202008-19"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://www.synology.com/security/advisory/Synology_SA_20_19"}, {"name": "openSUSE-SU-2020:1699", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00041.html"}, {"name": "openSUSE-SU-2020:1701", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00044.html"}]}]}, "cveMetadata": {"assignerOrgId": "404fd4d2-a609-4245-b543-2c944a302a22", "assignerShortName": "isc", "cveId": "CVE-2020-8621", "datePublished": "2020-08-21T20:50:18.959156Z", "dateReserved": "2020-02-05T00:00:00", "dateUpdated": "2024-09-16T16:18:00.777Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:isc:bind:*:*:*:*:*:*:*:*", "matchCriteriaId": "A5C115A2-721C-4A50-96E3-E31833829E37", "versionEndIncluding": "9.16.5", "versionStartIncluding": "9.14.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:isc:bind:*:*:*:*:*:*:*:*", "matchCriteriaId": "85031A21-4F54-4CE6-B0F3-66D09928FF3C", "versionEndIncluding": "9.17.3", "versionStartIncluding": "9.17.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*", "matchCriteriaId": "B620311B-34A3-48A6-82DF-6F078D7A4493", "vulnerable": true}, {"criteria": "cpe:2.3:o:opensuse:leap:15.2:*:*:*:*:*:*:*", "matchCriteriaId": "B009C22E-30A4-4288-BCF6-C3E81DEAF45A", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:esm:*:*:*", "matchCriteriaId": "7A5301BF-1402-4BE0-A0F8-69FBE79BC6D6", "vulnerable": true}, {"criteria": "cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*", "matchCriteriaId": "23A7C53F-B80F-4E6A-AFA9-58EEA84BE11D", "vulnerable": true}, {"criteria": "cpe:2.3:o:canonical:ubuntu_linux:20.04:*:*:*:lts:*:*:*", "matchCriteriaId": "902B8056-9E37-443B-8905-8AA93E2447FB", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:synology:dns_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "54997147-2421-4DE2-9B7C-844D0DC89D20", "versionEndExcluding": "2.2.2-5027", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:netapp:steelstore_cloud_integrated_storage:-:*:*:*:*:*:*:*", "matchCriteriaId": "E94F7F59-1785-493F-91A7-5F5EA5E87E4D", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "In BIND 9.14.0 -> 9.16.5, 9.17.0 -> 9.17.3, If a server is configured with both QNAME minimization and 'forward first' then an attacker who can send queries to it may be able to trigger the condition that will cause the server to crash. Servers that 'forward only' are not affected."}, {"lang": "es", "value": "En BIND versiones 9.14.0 -) 9.16.5, 9.17.0 -) 9.17.3, si un servidor est\u00e1 configurado con minimizaci\u00f3n de QNAME y \"forward first\", entonces un atacante que pueda enviarle consultas puede ser capaz de desencadenar la condici\u00f3n que causar\u00e1 que el servidor se bloquee. Los servidores con \"forward only\" no est\u00e1n afectados."}], "id": "CVE-2020-8621", "lastModified": "2024-11-21T05:39:08.490", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-officer@isc.org", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-08-21T21:15:12.167", "references": [{"source": "security-officer@isc.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00041.html"}, {"source": "security-officer@isc.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00044.html"}, {"source": "security-officer@isc.org", "tags": ["Vendor Advisory"], "url": "https://kb.isc.org/docs/cve-2020-8621"}, {"source": "security-officer@isc.org", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/202008-19"}, {"source": "security-officer@isc.org", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20200827-0003/"}, {"source": "security-officer@isc.org", "tags": ["Third Party Advisory"], "url": "https://usn.ubuntu.com/4468-1/"}, {"source": "security-officer@isc.org", "tags": ["Third Party Advisory"], "url": "https://www.synology.com/security/advisory/Synology_SA_20_19"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00041.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00044.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://kb.isc.org/docs/cve-2020-8621"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/202008-19"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20200827-0003/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://usn.ubuntu.com/4468-1/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://www.synology.com/security/advisory/Synology_SA_20_19"}], "sourceIdentifier": "security-officer@isc.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-617"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"acknowledgement": "Red Hat would like to thank ISC for reporting this issue. Upstream acknowledges Joseph Gullo as the original reporter.", "bugzilla": {"description": "bind: Attempting QNAME minimization after forwarding can lead to an assertion failure in resolver.c", "id": "1869471", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1869471"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-400", "details": ["In BIND 9.14.0 -> 9.16.5, 9.17.0 -> 9.17.3, If a server is configured with both QNAME minimization and 'forward first' then an attacker who can send queries to it may be able to trigger the condition that will cause the server to crash. Servers that 'forward only' are not affected."], "name": "CVE-2020-8621", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:5", "fix_state": "Not affected", "package_name": "bind", "product_name": "Red Hat Enterprise Linux 5"}, {"cpe": "cpe:/o:redhat:enterprise_linux:5", "fix_state": "Not affected", "package_name": "bind97", "product_name": "Red Hat Enterprise Linux 5"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "bind", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "bind", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "bind", "product_name": "Red Hat Enterprise Linux 8"}], "public_date": "2020-08-20T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2020-8621\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-8621\nhttps://kb.isc.org/docs/cve-2020-8621"], "statement": "This flaw only affects bind >= 9.14.x. Therefore versions of bind package shipped with Red Hat Enterprise Linux are not affected by this flaw.", "threat_severity": "Moderate"}