Resource Exhaustion Affecting pdns package, versions <4.0.2-1


Severity

Recommended
0.0
high
0
10

Snyk's Security Team recommends NVD's CVSS assessment. Learn more

Threat Intelligence

EPSS
0.87% (83rd percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-DEBIAN13-PDNS-5692147
  • published27 Jun 2018
  • disclosed11 Sept 2018

Introduced: 27 Jun 2018

CVE-2016-7068  (opens in a new tab)
CWE-400  (opens in a new tab)
CWE-20  (opens in a new tab)

How to fix?

Upgrade Debian:13 pdns to version 4.0.2-1 or higher.

NVD Description

Note: Versions mentioned in the description apply only to the upstream pdns package and not the pdns package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

An issue has been found in PowerDNS before 3.4.11 and 4.0.2, and PowerDNS recursor before 3.7.4 and 4.0.4, allowing a remote, unauthenticated attacker to cause an abnormal CPU usage load on the PowerDNS server by sending crafted DNS queries, which might result in a partial denial of service if the system becomes overloaded. This issue is based on the fact that the PowerDNS server parses all records present in a query regardless of whether they are needed or even legitimate. A specially crafted query containing a large number of records can be used to take advantage of that behaviour.