CVE-2020-8619 - log back

CVE-2020-8619 edited at 18 Jun 2020 08:17:40
- Unknown
+ Medium
- Unknown
+ Remote
- Unknown
+ Denial of service
+ An issue has been found in Bind before 9.16.4, where an asterisk character in an empty non-terminal can cause an assertion failure in rbtdb.c.
+ The asterisk character ("*") is allowed in DNS zone files, where it is most commonly present as a wildcard at a terminal node of the Domain Name System graph. However, the RFCs do not require and BIND does not enforce that an asterisk character be present only at a terminal node. A problem can occur when an asterisk is present in an empty non-terminal location within the DNS graph. If such a node exists, after a series of queries, named can reach an inconsistent state that results in the failure of an assertion check in rbtdb.c, followed by the program exiting due to the assertion failure.
+ Unless a nameserver is providing authoritative service for one or more zones and at least one zone contains an empty non-terminal entry containing an asterisk ("*") character, this defect cannot be encountered. A would-be attacker who is allowed to change zone content could theoretically introduce such a record in order to exploit this condition to cause denial of service, though we consider the use of this vector unlikely because any such attack would require a significant privilege level and be easily traceable.
CVE-2020-8619 created at 18 Jun 2020 07:44:52