PT-2024-21058 · Dnsjava+2
Bellebaum · Published 2024-07-22 · Updated 2026-05-18 · CVE-2024-25638
CVSS v3.1: 8.9 (High)
Vector: AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:L
Name of the Vulnerable Software and Affected Versions
dnsjava versions prior to 3.6.0
Description
The issue arises because dnsjava does not check that the records in a DNS reply are relevant to the query, so an attacker can respond with records from different zones. An application that blindly filters the received results may then take irrelevant records as authentic answers. The vulnerability can be exploited in various scenarios, including exchanging SRV records to redirect user credentials, exchanging MX records for information disclosure, and manipulating the root of trust for dependent applications by exchanging URI and SMIMEA records.
Recommendations
For versions prior to 3.6.0, update to version 3.6.0 to fix the vulnerability.
As a temporary workaround, consider filtering the received RRs using an algorithm that verifies the authenticity and relevance of the records to the query.
When using a ValidatingResolver, ignore any server indications of whether or not data was available.
For APIs returning RRs from DNS responses, filter the RRs to ensure they are relevant to the query.
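One way to implement the relevance filter from the recommendations, assuming dnsjava 3.x on the classpath (added example, not dnsjava's own code and not the 3.6.0 fix): it keeps only answer-section records whose owner name, class and type match the question, following CNAME aliases. The class and method names and the sample names and addresses are constructed for illustration; DNAME and ANY queries are not handled, and the filter checks relevance only, so authenticity still depends on DNSSEC validation.

```java
import java.net.InetAddress;
import java.util.*;
import org.xbill.DNS.ARecord;
import org.xbill.DNS.CNAMERecord;
import org.xbill.DNS.DClass;
import org.xbill.DNS.Message;
import org.xbill.DNS.Name;
import org.xbill.DNS.RRSIGRecord;
import org.xbill.DNS.Record; // explicit import: avoids the clash with java.lang.Record
import org.xbill.DNS.Section;
import org.xbill.DNS.Type;

// Hypothetical helper (not part of dnsjava): drops answer records unrelated to the question.
public final class RelevantAnswerFilter {
    public static List<Record> relevantAnswers(Message response) {
        Record q = response.getQuestion();
        List<Record> kept = new ArrayList<>();
        if (q == null) return kept;
        Name owner = q.getName();
        Set<Name> seen = new HashSet<>(); // stops CNAME loops
        while (seen.add(owner)) {
            Name alias = null;
            for (Record r : response.getSection(Section.ANSWER)) {
                // Owner name (case-insensitive in dnsjava) and class must match the current chain link.
                if (!r.getName().equals(owner) || r.getDClass() != q.getDClass()) continue;
                // An RRSIG is judged by the type it covers.
                int type = r instanceof RRSIGRecord ? ((RRSIGRecord) r).getTypeCovered() : r.getType();
                if (type == q.getType() || type == Type.CNAME) kept.add(r);
                if (r instanceof CNAMERecord && q.getType() != Type.CNAME) alias = ((CNAMERecord) r).getTarget();
            }
            if (alias == null) break;
            owner = alias; // continue at the alias target
        }
        return kept;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: reply to "www.example.com A" that also carries a record from another zone.
        Name www = Name.fromConstantString("www.example.com.");
        Name cdn = Name.fromConstantString("cdn.example.net.");
        Name other = Name.fromConstantString("login.example.org.");
        Message resp = Message.newQuery(Record.newRecord(www, Type.A, DClass.IN));
        resp.addRecord(new CNAMERecord(www, DClass.IN, 300, cdn), Section.ANSWER);
        resp.addRecord(new ARecord(cdn, DClass.IN, 300, InetAddress.getByName("192.0.2.1")), Section.ANSWER);
        resp.addRecord(new ARecord(other, DClass.IN, 300, InetAddress.getByName("198.51.100.7")), Section.ANSWER);
        relevantAnswers(resp).forEach(System.out::println); // the login.example.org record is dropped
    }
}
```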
Exploit
Fix
Insufficient Verification of Data Authenticity
Affected Products
Debian
Red Os
Dnsjava