CVE-2021-25219 — MEDIUM (5.3)

Vulnerability Description

In BIND 9.3.0 -> 9.11.35, 9.12.0 -> 9.16.21, and versions 9.9.3-S1 -> 9.11.35-S1 and 9.16.8-S1 -> 9.16.21-S1 of BIND Supported Preview Edition, as well as release versions 9.17.0 -> 9.17.18 of the BIND 9.17 development branch, exploitation of broken authoritative servers using a flaw in response processing can cause degradation in BIND resolver performance. The way the lame cache is currently designed makes it possible for its internal data structures to grow almost infinitely, which may cause significant delays in client query processing.

CVSS Score

5.3

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

NONE

Availability

LOW

Affected Products

Vendor	Product	Versions
Isc	Bind	>= 9.3.0, < 9.11.36
Debian	Debian Linux	9.0
Fedoraproject	Fedora	33
Netapp	H300S Firmware	-
Netapp	H300S	-
Netapp	H500S Firmware	-
Netapp	H500S	-
Netapp	H700S Firmware	-
Netapp	H700S	-
Netapp	H300E Firmware	-
Netapp	H300E	-
Netapp	H500E Firmware	-
Netapp	H500E	-
Netapp	H700E Firmware	-
Netapp	H700E	-
Netapp	H410S Firmware	-
Netapp	H410S	-
Netapp	H410C Firmware	-
Netapp	H410C	-
Netapp	Cloud Backup	-

References

https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdfPatchThird Party Advisory
https://kb.isc.org/v1/docs/cve-2021-25219Vendor Advisory
https://lists.debian.org/debian-lts-announce/2021/11/msg00001.htmlMailing ListThird Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://security.gentoo.org/glsa/202210-25Third Party Advisory
https://security.netapp.com/advisory/ntap-20211118-0002/Third Party Advisory
https://www.debian.org/security/2021/dsa-4994Third Party Advisory
https://www.oracle.com/security-alerts/cpuapr2022.htmlThird Party Advisory
https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdfPatchThird Party Advisory
https://kb.isc.org/v1/docs/cve-2021-25219Vendor Advisory
https://lists.debian.org/debian-lts-announce/2021/11/msg00001.htmlMailing ListThird Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro

FAQ

What is CVE-2021-25219?

CVE-2021-25219 is a vulnerability with a CVSS score of 5.3 (MEDIUM). In BIND 9.3.0 -> 9.11.35, 9.12.0 -> 9.16.21, and versions 9.9.3-S1 -> 9.11.35-S1 and 9.16.8-S1 -> 9.16.21-S1 of BIND Supported Preview Edition, as well as release versions 9.17.0 -> 9.17.18 of the BIN...

How severe is CVE-2021-25219?

CVE-2021-25219 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2021-25219?

Check the references section above for vendor advisories and patch information. Affected products include: Isc Bind, Debian Debian Linux, Fedoraproject Fedora, Netapp H300S Firmware, Netapp H300S.