CVE-2021-36754

Severity: Medium
Remote: Yes
Type: Denial of service

Description
PowerDNS Authoritative Server 4.5.0 will crash with an uncaught out-of-bounds exception if it receives a query with QTYPE 65535. The offending code was not present in earlier versions, and they are not affected.

Users that cannot upgrade immediately, but do have dnsdist in place, can use dnsdist to filter such queries before they do harm, with something like addAction(QTypeRule(65535), RCodeAction(DNSRCode.REFUSED)).

When the PowerDNS Authoritative Server is run inside a supervisor like supervisord or systemd, an uncaught exception crash will lead to an automatic restart, limiting the impact to a somewhat degraded service.
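As an added illustration (not part of the advisory and not PowerDNS or dnsdist code), the Python snippet below shows what the dnsdist workaround does at the wire level: it parses the question section of a DNS query and, for QTYPE 65535, answers with RCODE REFUSED instead of forwarding the query. The query builder, the example name and the transaction id are constructed sample input.

```python
import struct

REFUSED = 5  # DNS RCODE value for REFUSED (RFC 1035)


def build_query(qname, qtype, txid=0x1234):
    """Encode a minimal DNS query (header + one question, class IN).
    Constructed sample input for this example, not a captured packet."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    labels = b"".join(bytes([len(p)]) + p.encode("ascii")
                      for p in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack(">HH", qtype, 1)


def parse_question(pkt):
    """Return (txid, qname, qtype, qclass, end_offset) for the first question."""
    if len(pkt) < 12:
        raise ValueError("short DNS header")
    txid, _flags, qdcount = struct.unpack(">HHH", pkt[:6])
    if qdcount < 1:
        raise ValueError("query carries no question")
    off, parts = 12, []
    while True:
        if off >= len(pkt):
            raise ValueError("truncated question name")
        n = pkt[off]
        off += 1
        if n == 0:
            break
        if n & 0xC0:  # compression pointers are not valid in a bare question
            raise ValueError("compression pointer in question name")
        parts.append(pkt[off:off + n].decode("ascii"))
        off += n
    if off + 4 > len(pkt):
        raise ValueError("truncated QTYPE/QCLASS")
    qtype, qclass = struct.unpack(">HH", pkt[off:off + 4])
    return txid, ".".join(parts) + ".", qtype, qclass, off + 4


def filter_query(pkt, blocked_qtypes=frozenset({65535})):
    """Mirror addAction(QTypeRule(65535), RCodeAction(DNSRCode.REFUSED)):
    return a REFUSED reply for a blocked QTYPE, or None to let the query through."""
    txid, _qname, qtype, _qclass, qend = parse_question(pkt)
    if qtype not in blocked_qtypes:
        return None
    req_flags = struct.unpack(">H", pkt[2:4])[0]
    flags = 0x8000 | (req_flags & 0x0100) | REFUSED  # QR=1, copy RD, RCODE=5
    return struct.pack(">HHHHHH", txid, flags, 1, 0, 0, 0) + pkt[12:qend]
```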
Group: AVG-2222
Package: powerdns
Affected: 4.5.0-1
Fixed: 4.5.1-1
Severity: Medium
Status: Fixed
Ticket: (none)

Advisory
Date: 27 Jul 2021
Advisory: ASA-202107-73
Group: AVG-2222
Package: powerdns
Severity: Medium
Type: denial of service
References
https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2021-01.html
https://downloads.powerdns.com/patches/2021-01/pdns-4.5.0-2021-01.patch
https://github.com/PowerDNS/pdns/commit/96cae2fd21054b383a16c569a363a50f71808cd9