PT-2017-15680 · Isc+6 · Bind+6
Published: 2017-04-12 · Updated: 2019-10-09
CVE-2017-3137
CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions
BIND versions 9.9.9-P6 through 9.9.10rc1
BIND versions 9.10.4-P6 through 9.10.5rc1
BIND versions 9.11.0-P3 through 9.11.1rc1
BIND version 9.9.9-S8
Description
The issue arises from mistaken assumptions about the ordering of records in the answer section of a response containing CNAME or DNAME resource records. This could lead to a situation in which named exits with an assertion failure when processing a response in which records occurred in an unusual order. Attackers can cause a denial of service by sending a response containing CNAME or DNAME resource records with a specially crafted order.
Recommendations
For BIND versions 9.9.9-P6 through 9.9.10rc1, update to a version that fixes the issue.
For BIND versions 9.10.4-P6 through 9.10.5rc1, update to a version that fixes the issue.
For BIND versions 9.11.0-P3 through 9.11.1rc1, update to a version that fixes the issue.
For BIND version 9.9.9-S8, update to a version that fixes the issue.
As a temporary workaround, consider restricting the processing of responses with unusual record orders to minimize the risk of exploitation.
Fix
DoS
Assertion Failure
Affected Products
Alt Linux
Bind
Bind Server
Centos
Red Hat
Suse
Ubuntu