ASA-202204-5 - log

ASA-202204-5 edited at 06 Apr 2022 22:09:55
Workaround
- CVE-2021-25220
- If applicable, modify your configuration to either remove all forwarding or all possibility of recursion. Depending on your use-case, it may be possible to use other zone types to replace forward zones.
+ If applicable, modify your configuration to either remove all
+ forwarding or all possibility of recursion. Depending on your use-case,
+ it may be possible to use other zone types to replace forward zones.
- CVE-2022-0396
use the default setting of keep-response-order { none; }.
- CVE-2022-0635
The failure can be avoided by adding this option to named.conf:
- synth-from-dnssec no;
+ synth-from-dnssec no;
- However we do not recommend disabling this feature other than as a temporary workaround because it provides protection from pseudo-random-subdomain attacks against DNSSEC-signed zones.
+ However we do not recommend disabling this feature other than as a
+ temporary workaround because it provides protection from pseudo-random-
+ subdomain attacks against DNSSEC-signed zones.
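Review bot: the re-wrapped caveat breaks "pseudo-random-subdomain" at its second hyphen ("pseudo-random-" ends one added line and "subdomain" starts the next), so any renderer that joins wrapped lines with a space will show "pseudo-random- subdomain". Keep the whole term on one line when wrapping. In the same section, the CVE-2022-0396 entry is left as a lowercase fragment ("use the default setting of keep-response-order { none; }.") and, unlike the CVE-2022-0635 entry, does not say that the setting belongs in named.conf; a full sentence there would match the other two entries.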
ASA-202204-5 edited at 05 Apr 2022 23:25:56
Workaround
- - CVE-2021-25220:
+ - CVE-2021-25220
If applicable, modify your configuration to either remove all forwarding or all possibility of recursion. Depending on your use-case, it may be possible to use other zone types to replace forward zones.
- - CVE-2022-0396:
+ - CVE-2022-0396
use the default setting of keep-response-order { none; }.
- - CVE-2022-0635:
+ - CVE-2022-0635
The failure can be avoided by adding this option to named.conf:
synth-from-dnssec no;
However we do not recommend disabling this feature other than as a temporary workaround because it provides protection from pseudo-random-subdomain attacks against DNSSEC-signed zones.
ASA-202204-5 edited at 05 Apr 2022 23:15:42
Workaround
- CVE-2021-25220:
+
If applicable, modify your configuration to either remove all forwarding or all possibility of recursion. Depending on your use-case, it may be possible to use other zone types to replace forward zones.
- CVE-2022-0396:
+
use the default setting of keep-response-order { none; }.
- CVE-2022-0635:
+
The failure can be avoided by adding this option to named.conf:
synth-from-dnssec no;
However we do not recommend disabling this feature other than as a temporary workaround because it provides protection from pseudo-random-subdomain attacks against DNSSEC-signed zones.
ASA-202204-5 edited at 05 Apr 2022 23:15:21
Workaround
- CVE-2021-25220:
If applicable, modify your configuration to either remove all forwarding or all possibility of recursion. Depending on your use-case, it may be possible to use other zone types to replace forward zones.
- CVE-2022-0396:
use the default setting of keep-response-order { none; }.
- CVE-2022-0635:
The failure can be avoided by adding this option to named.conf:
synth-from-dnssec no;
+
+ However we do not recommend disabling this feature other than as a temporary workaround because it provides protection from pseudo-random-subdomain attacks against DNSSEC-signed zones.
ASA-202204-5 edited at 05 Apr 2022 22:59:27
Workaround
+ - CVE-2021-25220:
+ If applicable, modify your configuration to either remove all forwarding or all possibility of recursion. Depending on your use-case, it may be possible to use other zone types to replace forward zones.
+
- CVE-2022-0396:
use the default setting of keep-response-order { none; }.
- - CVE-2022-0396:
+ - CVE-2022-0635:
The failure can be avoided by adding this option to named.conf:
synth-from-dnssec no;
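Review bot: the added CVE-2021-25220 entry tells the reader to "remove all forwarding or all possibility of recursion" without naming what to change in named.conf, while the CVE-2022-0396 and CVE-2022-0635 entries each quote the exact option. Consider naming the statements concerned (for example forwarders and recursion) and saying which "other zone types" are meant, so the workaround can be applied and checked the same way as the other two.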
Impact
- A remote attacker is able to crash the application or force TCP connections to BIND to remain in CLOSE_WAIT status leading to denial of service on the affected host.
+ A remote attacker is able to crash the application or force TCP connections to BIND to remain in CLOSE_WAIT status leading to denial of service on the affected host. Furthermore the cache could become poisoned leading to queries being made to the wrong servers, which might also result in false information being returned to clients.
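Review bot: the extended Impact paragraph lists three outcomes (crash, connections stuck in CLOSE_WAIT, cache poisoning) in one block without saying which CVE causes which, although the Workaround section above it is organised per CVE. Attributing each outcome to its CVE would let an operator who has applied only one workaround see which impact remains. The added sentence also reads better with a comma after "Furthermore".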
ASA-202204-5 edited at 05 Apr 2022 22:49:58
ASA-202204-5 edited at 04 Apr 2022 23:59:50
Workaround
- CVE-2022-0396:
+ - CVE-2022-0396:
use the default setting of keep-response-order { none; }.
- CVE-2022-0396:
+ - CVE-2022-0396:
The failure can be avoided by adding this option to named.conf:
+
synth-from-dnssec no;
ASA-202204-5 edited at 04 Apr 2022 23:59:18
Workaround
+ CVE-2022-0396:
+ use the default setting of keep-response-order { none; }.
+
+ CVE-2022-0396:
+ The failure can be avoided by adding this option to named.conf:
+ synth-from-dnssec no;
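Review bot: both added workaround entries carry the label CVE-2022-0396, once for the keep-response-order setting and once for the synth-from-dnssec option, so the second label looks like a copy-paste duplicate. The synth-from-dnssec entry should carry the identifier of the issue it mitigates; the later revision dated 05 Apr 2022 22:59:27 changes it to CVE-2022-0635.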
Impact
+ A remote attacker is able to crash the application or force TCP connections to BIND to remain in CLOSE_WAIT status leading to denial of service on the affected host.
ASA-202204-5 created at 04 Apr 2022 23:54:52