PT-2017-15681 · Isc+4 · Bind+4

Mike Lalumiere · Published 2017-04-12 · Updated 2019-10-09 · CVE-2017-3138

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions

BIND 9.9.9 through 9.9.9-P7
BIND 9.9.10b1 through 9.9.10rc2
BIND 9.10.4 through 9.10.4-P7
BIND 9.10.5b1 through 9.10.5rc2
BIND 9.11.0 through 9.11.0-P4
BIND 9.11.1b1 through 9.11.1rc2
BIND 9.9.9-S1 through 9.9.9-S9
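A checker for the version ranges listed above. This is an added example, not part of the advisory or of BIND itself: the ranges are copied from the list, the parser follows the version string formats BIND uses (9.9.9, 9.9.9-P7, 9.9.10b1, 9.9.10rc2, 9.9.9-S9) and tolerates a distribution suffix such as 9.10.3-P4-Ubuntu, and subscription (-S) builds are compared only with each other. The `named -v` sample line in the test is constructed.

```python
"""Check a BIND version string against the affected ranges of this advisory.

Added example (not from the advisory). Ranges are copied from the
"Affected Versions" list; both ends are inclusive.
"""
import re
from typing import NamedTuple, Optional, Tuple

AFFECTED_RANGES = [
    ("9.9.9", "9.9.9-P7"),
    ("9.9.10b1", "9.9.10rc2"),
    ("9.10.4", "9.10.4-P7"),
    ("9.10.5b1", "9.10.5rc2"),
    ("9.11.0", "9.11.0-P4"),
    ("9.11.1b1", "9.11.1rc2"),
    ("9.9.9-S1", "9.9.9-S9"),
]

_VERSION_RE = re.compile(
    r"^(?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)"
    r"(?:(?P<pre>b|rc)(?P<pre_n>\d+))?"        # beta (b1) or release candidate (rc2)
    r"(?:-(?P<post>[PS])(?P<post_n>\d+))?"    # patch (-P7) or subscription (-S9) release
    r"(?:-(?P<vendor>[A-Za-z][\w.]*))?$"      # distribution tag, e.g. -Ubuntu, -Debian
)

# Ordering of release stages within one base version: b1 < rc1 < release < P1.
_STAGE = {"b": 0, "rc": 1, None: 2, "P": 3}


class BindVersion(NamedTuple):
    base: Tuple[int, int, int]   # (major, minor, patch)
    track: str                   # "" for public releases, "S" for subscription builds
    stage: int                   # see _STAGE
    n: int                       # beta/rc/patch number; 0 for a plain release
    vendor: Optional[str]        # distribution suffix, if any

    def key(self) -> Tuple[Tuple[int, int, int], int, int]:
        return (self.base, self.stage, self.n)


def parse_version(text: str) -> BindVersion:
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a BIND version string: {text!r}")
    g = m.groupdict()
    if g["pre"] and g["post"]:
        # BIND never combines a beta/rc marker with a -P/-S suffix.
        raise ValueError(f"unexpected version string: {text!r}")
    base = (int(g["major"]), int(g["minor"]), int(g["patch"]))
    if g["post"] == "S":
        # Subscription releases form their own sequence; compare only with each other.
        return BindVersion(base, "S", _STAGE["P"], int(g["post_n"]), g["vendor"])
    if g["pre"]:
        return BindVersion(base, "", _STAGE[g["pre"]], int(g["pre_n"]), g["vendor"])
    if g["post"]:
        return BindVersion(base, "", _STAGE["P"], int(g["post_n"]), g["vendor"])
    return BindVersion(base, "", _STAGE[None], 0, g["vendor"])


def version_from_named_v(output: str) -> BindVersion:
    """Extract the version from `named -v` output such as 'BIND 9.11.0-P4 <id:...>'."""
    m = re.search(r"\bBIND\s+(\S+)", output)
    if not m:
        raise ValueError(f"no BIND version in: {output!r}")
    return parse_version(m.group(1))


def is_affected(version: str) -> bool:
    """True if `version` falls inside one of the advisory's affected ranges."""
    v = parse_version(version)
    for lo_s, hi_s in AFFECTED_RANGES:
        lo, hi = parse_version(lo_s), parse_version(hi_s)
        if v.track == lo.track and lo.key() <= v.key() <= hi.key():
            return True
    return False


if __name__ == "__main__":
    for sample in ["9.9.9-P7", "9.9.9-P8", "9.11.1rc2", "9.11.1",
                   "9.9.9-S9", "9.9.9-S10", "9.10.3-P4-Ubuntu"]:
        print(sample, "affected" if is_affected(sample) else "not in affected ranges")
```

Feed it the output of `named -v`. The result is only conclusive for upstream builds: distributions backport fixes without changing the upstream version number, so for packaged BIND check the distribution advisories under Related Identifiers rather than the version string.
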

Description

A regression introduced in a recent feature change causes named to exit with a REQUIRE assertion failure when it receives a null command string over its control channel (the channel used by rndc, TCP port 953 by default). Any client that can reach the control channel can therefore crash the server, a remote denial of service; confidentiality and integrity are not affected (C:N/I:N/A:H in the vector). Exposure depends on the controls statement in named.conf: with no controls statement, named listens only on 127.0.0.1 and ::1.

Recommendations

Update to a release outside the affected ranges: the first fixed releases in each branch are 9.9.9-P8, 9.10.4-P8 and 9.11.0-P5 (the final 9.9.10, 9.10.5 and 9.11.1 releases are likewise outside the ranges), and 9.9.9-S10 for the 9.9.9-S subscription builds. Until the upgrade is done, restrict the control channel: bind it to loopback only, limit the allow list to trusted hosts, require a key, or, if rndc is not used, disable the channel with an empty controls statement. Firewall TCP port 953 from untrusted networks as well.
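The workaround above as a named.conf excerpt. This is an added example, not text from the advisory or from ISC: the weak configuration exposes the control channel on every interface to any source address; the hardened one binds it to loopback, admits only loopback clients and requires the rndc key. The key name "rndc-key" and the secret placeholder are assumptions; generate a real secret with rndc-confgen.

```conf
// named.conf excerpt (added example, not from the advisory)

// Weak: control channel bound to every interface and open to any source
// address, so every host that can reach port 953 can talk to named.
// controls {
//     inet * port 953 allow { any; } keys { "rndc-key"; };
// };

// Hardened: loopback only, loopback clients only, key required.
key "rndc-key" {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-BASE64-SECRET";   // placeholder; generate with rndc-confgen
};

controls {
    inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; };
    inet ::1       port 953 allow { ::1; }       keys { "rndc-key"; };
};

// If rndc is not used at all, an empty controls statement disables the channel:
// controls { };
```

Check the result with named-checkconf before reloading, and keep the rndc.conf on the administration host in sync with the key name, secret and address used here.
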

Fix · DoS · Assertion Failure


Related Identifiers

ALT-PU-2017-1464
CVE-2017-3138
DLA-957-1
DSA-3854-1
MGASA-2017-0478
OPENSUSE-SU-2017:1063-1
SUSE-SU-2017:0998-1
SUSE-SU-2017:0999-1
SUSE-SU-2017:1000-1
USN-3259-1

Affected Products

Alt Linux
Bind
Bind Server
Suse
Ubuntu