CVE-2017-3135

Name of the Vulnerable Software and Affected Versions BIND versions 9.8.8, 9.9.3 through 9.9.9-S7, 9.9.3 through 9.9.9-P5, 9.9.10b1, 9.10.0 through 9.10.4-P5, 9.10.5b1, 9.11.0 through 9.11.0-P2, 9.11.1b1

Description The issue arises when using both DNS64 and RPZ to rewrite query responses, leading to inconsistent query processing states. This can result in either an INSIST assertion failure or an attempt to read through a NULL pointer, causing a denial of service.

Recommendations For versions 9.8.8, 9.9.3 through 9.9.9-S7, 9.9.3 through 9.9.9-P5, 9.9.10b1, 9.10.0 through 9.10.4-P5, 9.10.5b1, 9.11.0 through 9.11.0-P2, 9.11.1b1, consider disabling the use of DNS64 and RPZ together until a patch is available. As a temporary workaround, restrict the use of RPZ to minimize the risk of exploitation. Avoid using DNS64 in conjunction with RPZ to rewrite query responses until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.