CVE-2017-3145 — HIGH (7.5) — White Hats Nepal

Q: How severe is CVE-2017-3145?

CVE-2017-3145 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2017-3145?

Check the references section above for vendor advisories and patch information. Affected products include: Isc Bind, Redhat Enterprise Linux Desktop, Redhat Enterprise Linux Server, Redhat Enterprise Linux Server Aus, Redhat Enterprise Linux Server Eus.

Vulnerability Description

BIND was improperly sequencing cleanup operations on upstream recursion fetch contexts, leading in some cases to a use-after-free error that can trigger an assertion failure and crash in named. Affects BIND 9.0.0 to 9.8.x, 9.9.0 to 9.9.11, 9.10.0 to 9.10.6, 9.11.0 to 9.11.2, 9.9.3-S1 to 9.9.11-S1, 9.10.5-S1 to 9.10.6-S1, 9.12.0a1 to 9.12.0rc1.

CVSS Score

7.5

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

NONE

Availability

HIGH

Affected Products

Vendor	Product	Versions
Isc	Bind	>= 9.4.0, <= 9.8.8
Redhat	Enterprise Linux Desktop	6.0
Redhat	Enterprise Linux Server	6.0
Redhat	Enterprise Linux Server Aus	6.4
Redhat	Enterprise Linux Server Eus	6.7
Redhat	Enterprise Linux Server Tus	6.6
Redhat	Enterprise Linux Workstation	6.0
Debian	Debian Linux	7.0
Netapp	Data Ontap Edge	-
Juniper	Junos	12.1x46-d76
Juniper	Srx100	-
Juniper	Srx110	-
Juniper	Srx1400	-
Juniper	Srx1500	-
Juniper	Srx210	-
Juniper	Srx220	-
Juniper	Srx240	-
Juniper	Srx240H2	-
Juniper	Srx240M	-
Juniper	Srx300	-

Related Weaknesses (CWE)

CWE-416

References

http://www.securityfocus.com/bid/102716Broken LinkThird Party AdvisoryVDB Entry
http://www.securitytracker.com/id/1040195Broken LinkThird Party AdvisoryVDB Entry
https://access.redhat.com/errata/RHSA-2018:0101Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:0102Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:0487Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:0488Third Party Advisory
https://kb.isc.org/docs/aa-01542Vendor Advisory
https://lists.debian.org/debian-lts-announce/2018/01/msg00029.htmlMailing ListThird Party Advisory
https://security.netapp.com/advisory/ntap-20180117-0003/Third Party Advisory
https://supportportal.juniper.net/s/article/2018-07-Security-Bulletin-SRX-SeriesThird Party Advisory
https://www.debian.org/security/2018/dsa-4089Third Party Advisory
http://www.securityfocus.com/bid/102716Broken LinkThird Party AdvisoryVDB Entry
http://www.securitytracker.com/id/1040195Broken LinkThird Party AdvisoryVDB Entry
https://access.redhat.com/errata/RHSA-2018:0101Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:0102Third Party Advisory

FAQ

What is CVE-2017-3145?

CVE-2017-3145 is a vulnerability with a CVSS score of 7.5 (HIGH). BIND was improperly sequencing cleanup operations on upstream recursion fetch contexts, leading in some cases to a use-after-free error that can trigger an assertion failure and crash in named. Affect...

How severe is CVE-2017-3145?

CVE-2017-3145 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2017-3145?

Check the references section above for vendor advisories and patch information. Affected products include: Isc Bind, Redhat Enterprise Linux Desktop, Redhat Enterprise Linux Server, Redhat Enterprise Linux Server Aus, Redhat Enterprise Linux Server Eus.