CVE-2018-5738 - log

CVE-2018-5738 created at 25 Sep 2019 19:31:40
+ Medium
+ Remote
+ Access restriction bypass
+ BIND <= 9.13.0 can improperly permit recursive query service to unauthorized clients. When "recursion yes;" is in effect and no match list values are provided for "allow-query-cache" or "allow-query", it is possible for the setting of "allow-recursion" to inherit a setting of all hosts from the "allow-query" setting default, improperly permitting recursion to all clients.
+ A number of configuration workarounds are available which completely avoid the problem.
+ If an operator has not chosen to specify some other permission, explicitly specifying "allow-query {localnets; localhost;};" in named.conf will provide behavior equivalent to the intended default.
+ If the default setting is not appropriate (because the operator wants a different behavior), then, depending on which clients are intended to be able to receive service for recursive queries, explicitly setting a match list value for any of:
+ allow-recursion
+ allow-query
+ allow-query-cache
+ will prevent the "allow-recursion" control from improperly inheriting a setting from the allow-query default. If a match list is set for any of those options, the behavior of allow-recursion will be set directly or inherited from one of the other options as described in the BIND Administrator Reference Manual section 6.2.
+ Servers which are not intended to perform recursion at all may also effectively prevent this condition by setting "recursion no;" in named.conf.
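The inheritance chain the advisory describes, modelled as an added check (not code from the advisory or from BIND) that resolves what "allow-recursion" becomes for a given named.conf; it assumes a single global options block with no "view" statements and plain, non-nested match lists.

```python
import re

# Added example, not code from the advisory or from BIND: models the ACL
# inheritance the advisory describes so the effective "allow-recursion"
# match list of a named.conf can be checked. Assumptions: one global
# options block, no "view" statements, plain (non-nested) match lists.

INTENDED_DEFAULT = "localnets; localhost;"  # default BIND intends for recursion
ACL_RE = re.compile(r"(allow-recursion|allow-query-cache|allow-query)(?![\w-])\s*\{([^}]*)\}")
RECURSION_RE = re.compile(r"\brecursion\s+(yes|no)\s*;")


def strip_comments(conf: str) -> str:
    """Drop /* */, // and # comments so commented-out ACLs are ignored."""
    conf = re.sub(r"/\*.*?\*/", "", conf, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", conf)


def effective_allow_recursion(conf: str, vulnerable: bool) -> str:
    """Resolve allow-recursion -> allow-query-cache -> allow-query.

    With vulnerable=True (BIND <= 9.13.0) an unset chain falls through to
    allow-query's built-in default of "any"; the fixed behaviour yields
    the intended "localnets; localhost;".
    """
    conf = strip_comments(conf)
    m = RECURSION_RE.search(conf)
    if m and m.group(1) == "no":
        return "none"  # "recursion no;": the recursion ACL is never consulted
    acls = {name: body.strip() for name, body in ACL_RE.findall(conf)}
    for name in ("allow-recursion", "allow-query-cache", "allow-query"):
        if name in acls:
            return acls[name]
    return "any;" if vulnerable else INTENDED_DEFAULT


def is_open_resolver(conf: str, vulnerable: bool = True) -> bool:
    """True when recursion is on and every client matches the recursion ACL."""
    return effective_allow_recursion(conf, vulnerable).replace(" ", "") == "any;"


# Constructed sample configs: no ACL at all versus the advisory's workaround.
UNSET_CONF = "options { recursion yes; /* no allow-* statements */ };"
WORKAROUND_CONF = "options { recursion yes; allow-query { localnets; localhost; }; };"

if __name__ == "__main__":
    for label, conf in (("unset", UNSET_CONF), ("workaround", WORKAROUND_CONF)):
        print(f"{label}: allow-recursion resolves to {effective_allow_recursion(conf, True)}")
```

Running it shows the unset configuration resolving to "any;" under the vulnerable behaviour and the workaround resolving to the intended "localnets; localhost;".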