CVE-2023-50387

Public on 2024-02-14
Modified on 2024-04-02
Description
Certain DNSSEC aspects of the DNS protocol (in RFC 4035 and related RFCs) allow remote attackers to cause a denial of service (CPU consumption) via one or more DNSSEC responses when there is a zone with many DNSKEY and RRSIG records, aka the "KeyTrap" issue. The protocol specification implies that an algorithm must evaluate all combinations of DNSKEY and RRSIG records.
Severity
Important severity
Important
CVSS v3 Base Score
7.5
See breakdown

Affected Packages

Platform Package Release Date Advisory Status
Amazon Linux 1 bind Pending Fix
Amazon Linux 2 - Core bind Pending Fix
Amazon Linux 2023 bind 2024-02-29 ALAS2023-2024-550 Fixed
Amazon Linux 1 dnsmasq Not Affected
Amazon Linux 2 - Dnsmasq2.85 Extra dnsmasq Pending Fix
Amazon Linux 2 - Core dnsmasq Not Affected
Amazon Linux 2 - Dnsmasq Extra dnsmasq 2024-04-10 ALAS2DNSMASQ-2024-002 Fixed
Amazon Linux 2023 dnsmasq 2024-02-29 ALAS2023-2024-552 Fixed
Amazon Linux 1 unbound Pending Fix
Amazon Linux 2 - Unbound1.13 Extra unbound Pending Fix
Amazon Linux 2 - Unbound1.17 Extra unbound Pending Fix
Amazon Linux 2 - Core unbound 2024-02-29 ALAS2-2024-2481 Fixed
Amazon Linux 2023 unbound 2024-02-29 ALAS2023-2024-553 Fixed

CVSS Scores

Score Type Score Vector
Amazon Linux CVSSv3 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
NVD CVSSv3 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H