CVE-2018-5738 - log back

CVE-2018-5738 created at 25 Sep 2019 19:31:40
Severity
+ Medium
Remote
+ Remote
Type
+ Access restriction bypass
Description
+ BIND <= 9.13.0 can improperly permit recursive query service to unauthorized clients. When "recursion yes;" is in effect and no match list values are provided for "allow-query-cache" or "allow-query", it is possible for the setting of "allow-recursion" to inherit a setting of all hosts from the "allow-query" setting default, improperly permitting recursion to all clients.
References
+ https://kb.isc.org/article/AA-01616/0/CVE-2018-5738
+ https://marc.info/?l=oss-security&m=152886256217742
Notes
+ A number of configuration workarounds are available which completely avoid the problem.
+
+ If an operator has not chosen to specify some other permission, explicitly specifying "allow-query {localnets; localhost;};" in named.conf will provide behavior equivalent to the intended default.
+
+ If the default setting is not appropriate (because the operator wants a different behavior) then depending on which clients are intended to be able to receive service for recursive queries, explicitly setting a match list value for any of:
+
+ allow-recursion
+ allow-query
+ allow-query-cache
+
+ will prevent the "allow-recursion" control from improperly inheriting a setting from the allow-query default. If a value is set for any of those values the behavior of allow-recursion will be set directly or inherited from one of the other values as described in the BIND Adminstrator Reference Manual section 6.2
+
+ Servers which are not intended to perform recursion at all may also effectively prevent this condition by setting "recursion no;" in named.conf