Anat Bremler-Barr

**Name of the Vulnerable Software and Affected Versions** AMPHP (affected versions not specified) Apache Tomcat (affected versions not specified) Eclipse Foundation (affected versions not specified) F5 (affected versions not specified) Fastly (affected versions not specified) gRPC (affected versions not specified) Mozilla (affected versions not specified) Netty (affected versions not specified) Suse Linux (affected versions not specified) Varnish Cache (affected versions not specified) Wind River (affected versions not specified) Zephyr Project (affected versions not specified) **Description** A mismatch between HTTP/2 specifications and the internal architectures of some implementations leads to incorrect stream accounting. By opening streams and rapidly triggering the server to reset them using malformed frames or flow control errors, a remote attacker can cause excessive server resource consumption. This occurs because streams reset by the server are considered closed at the protocol level, while backend processing continues, allowing a client to force the server to handle an unbounded number of concurrent streams on a single connection. This issue, dubbed MadeYouReset, can be used to launch massive denial-of-service (DoS) attacks and bypasses existing Rapid Reset mitigations by tricking the server into resetting its own stream counters. The attack traffic often blends with legitimate traffic, making detection difficult. **Recommendations** Update Apache Tomcat to the latest patched version. Update F5 to the latest patched version. Update Fastly to the latest patched version. Update Varnish Cache to the latest patched version. Implement rate-limiting and anomaly detection to identify and block malicious HTTP/2 traffic patterns. At the moment, there is no information about a newer version that contains a fix for AMPHP, Eclipse Foundation, gRPC, Mozilla, Netty, Suse Linux, Wind River, and Zephyr Project.

Name of the Vulnerable Software and Affected Versions: Apache Tomcat versions 11.0.0-M1 through 11.0.9 Apache Tomcat versions 10.1.0-M1 through 10.1.43 Apache Tomcat versions 9.0.0.M1 through 9.0.107 Description: A flaw in resource shutdown or release within Apache Tomcat creates a vulnerability to the “Made You Reset” attack. Older, end-of-life versions may also be affected. Recommendations: Upgrade to Apache Tomcat version 11.0.10. Upgrade to Apache Tomcat version 10.1.44. Upgrade to Apache Tomcat version 9.0.108.

**Name of the Vulnerable Software and Affected Versions** BIND 9 versions 9.0.0 through 9.16.45 BIND 9 versions 9.18.0 through 9.18.21 BIND 9 versions 9.19.0 through 9.19.19 BIND 9 versions 9.9.3-S1 through 9.11.37-S1 BIND 9 versions 9.16.8-S1 through 9.16.45-S1 BIND 9 versions 9.18.11-S1 through 9.18.21-S1 **Description** The DNS message parsing code in `named` includes a section whose computational complexity is overly high. It does not cause problems for typical DNS traffic, but crafted queries and responses may cause excessive CPU load on the affected `named` instance by exploiting this flaw. This issue affects both authoritative servers and recursive resolvers. A remote attacker could exploit this vulnerability to trigger an assertion failure by querying RFC 1918 reverse zones. **Recommendations** For BIND 9 versions 9.0.0 through 9.16.45, update to a version outside of this range to mitigate the risk. For BIND 9 versions 9.18.0 through 9.18.21, update to a version outside of this range to mitigate the risk. For BIND 9 versions 9.19.0 through 9.19.19, update to a version outside of this range to mitigate the risk. For BIND 9 versions 9.9.3-S1 through 9.11.37-S1, update to a version outside of this range to mitigate the risk. For BIND 9 versions 9.16.8-S1 through 9.16.45-S1, update to a version outside of this range to mitigate the risk. For BIND 9 versions 9.18.11-S1 through 9.18.21-S1, update to a version outside of this range to mitigate the risk. As a temporary workaround, consider restricting access to the `named` instance to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** BIND 9 versions 9.11.0 through 9.16.41 BIND 9 versions 9.18.0 through 9.18.15 BIND 9 versions 9.19.0 through 9.19.13 BIND 9 versions 9.11.3-S1 through 9.16.41-S1 BIND 9 versions 9.18.11-S1 through 9.18.15-S1 **Description** The effectiveness of the cache-cleaning algorithm used in `named` can be severely diminished by querying the resolver for specific RRsets in a certain order, effectively allowing the configured `max-cache-size` limit to be significantly exceeded. This can lead to a denial of service, caused by a flaw that allows the named's configured cache size limit to be significantly exceeded, potentially exhausting all memory on the host. **Recommendations** For BIND 9 versions 9.11.0 through 9.16.41, update to a version that includes a fix for this issue. For BIND 9 versions 9.18.0 through 9.18.15, update to a version that includes a fix for this issue. For BIND 9 versions 9.19.0 through 9.19.13, update to a version that includes a fix for this issue. For BIND 9 versions 9.11.3-S1 through 9.16.41-S1, update to a version that includes a fix for this issue. For BIND 9 versions 9.18.11-S1 through 9.18.15-S1, update to a version that includes a fix for this issue. As a temporary workaround, consider restricting access to the `named` instance to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Unbound versions prior to 1.16.3 **Description** The issue is related to a Non-Responsive Delegation Attack (NRDelegation Attack) that affects various DNS resolving software, including Unbound. This attack involves a malicious delegation with a considerable number of non-responsive nameservers, causing the resolver to spend significant time and resources resolving records under the malicious delegation point. Although Unbound does not suffer from high CPU usage, it still requires resources to resolve the malicious delegation, which can lead to degraded performance and potentially a denial of service in orchestrated attacks. **Recommendations** For Unbound versions prior to 1.16.3, update to version 1.16.3 or later, which introduces fixes for better performance when under load by cutting opportunistic queries for nameserver discovery and DNSKEY prefetching, and limiting the number of times a delegation point can issue a cache lookup for missing records.

**Name of the Vulnerable Software and Affected Versions** BIND versions (affected versions not specified) **Description** The issue is related to a flaw in the resolver code of the DNS server, which can be exploited by flooding the target resolver with queries, significantly impairing its performance and effectively denying legitimate clients access to the DNS resolution service. This can lead to a denial of service (DoS) attack. The vulnerability is associated with improper management of internal resources within the application when handling large delegations. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** PowerDNS Recursor versions 4.1.0 through 4.3.0 **Description** The issue in the DNS protocol allows malicious parties to use recursive DNS services to attack third-party authoritative name servers, resulting in degraded performance. This is triggered by random subdomains in the NSDNAME in NS records. The attack uses a crafted reply by an authoritative name server to amplify the resulting traffic between the recursive and other authoritative name servers. **Recommendations** For PowerDNS Recursor versions 4.1.0 through 4.1.15, consider updating to version 4.1.16 to mitigate the impact of this issue. For PowerDNS Recursor versions 4.2.0 through 4.2.1, consider updating to version 4.2.2 to mitigate the impact of this issue. For PowerDNS Recursor versions 4.3.0, consider updating to version 4.3.1 to mitigate the impact of this issue.

**Name of the Vulnerable Software and Affected Versions** BIND versions prior to the fixed version Windows DNS Server (affected versions not specified) PowerDNS Recursor (affected versions not specified) **Description** The issue is related to a lack of effective limitation on the number of fetches performed when processing referrals, which can cause a recursing server to issue a large number of fetches. This can lead to degradation of the server's performance and potentially be exploited in a reflection attack with a high amplification factor. The vulnerability can be exploited by a remote attacker to trigger an assertion failure in tsig.c, causing a denial of service. **Recommendations** For BIND, update to a version that includes the fix for this issue. For Windows DNS Server, apply the mitigation measures proposed by the vendor, as described in the security advisory ADV200009. For PowerDNS Recursor, follow the guidance provided in the security advisory PowerDNS Advisory 2020-01. As a temporary workaround, consider restricting the number of fetches performed when processing referrals to minimize the risk of exploitation. Restrict access to the vulnerable `tsig.c` function to prevent assertion failures until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability for some of the affected software.

**Name of the Vulnerable Software and Affected Versions** Unbound versions prior to 1.10.1 **Description** The issue is related to Insufficient Control of Network Message Volume, also known as an "NXNSAttack" issue. This is triggered by random subdomains in the NSDNAME in NS records. **Recommendations** For versions prior to 1.10.1, update to version 1.10.1 or later to resolve the issue.