CVE-2021-36754 - log back

CVE-2021-36754 edited at 26 Jul 2021 13:29:16
Severity
- Unknown
+ Medium
Remote
- Unknown
+ Remote
Type
- Unknown
+ Denial of service
Description
+ PowerDNS Authoritative Server 4.5.0 will crash with an uncaught out of bounds exception if it receives a query with QTYPE 65535. The offending code was not present in earlier versions, and they are not affected.
+
+ Users that cannot upgrade immediately, but do have dnsdist in place, can use dnsdist to filter such queries before they do harm, with something like addAction(QTypeRule(65535), RCodeAction(DNSRCode.REFUSED)).
+
+ When the PowerDNS Authoritative Server is run inside a supervisor like supervisord or systemd, an uncaught exception crash will lead to an automatic restart, limiting the impact to a somewhat degraded service.
References
+ https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2021-01.html
+ https://downloads.powerdns.com/patches/2021-01/pdns-4.5.0-2021-01.patch
+ https://github.com/PowerDNS/pdns/commit/96cae2fd21054b383a16c569a363a50f71808cd9
Notes
+ Workaround
+ ==========
+
+ Users that cannot upgrade immediately, but do have dnsdist in place, can use dnsdist to filter such queries before they do harm, with something like addAction(QTypeRule(65535), RCodeAction(DNSRCode.REFUSED)).
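The dnsdist rule above refuses matching queries at the edge. As an added example (not from the advisory or the PowerDNS project), the following Python code parses the question section of a DNS wire-format message and flags QTYPE 65535, the same condition QTypeRule(65535) tests, so captured traffic can be checked for such queries. The query builder and the name example.com are constructed test inputs.

```python
import struct
from typing import Optional

BAD_QTYPE = 65535  # the QTYPE named in the advisory


def build_query(name: str, qtype: int, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS query with one question (constructed test input)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, QDCOUNT=1
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QCLASS IN


def question_qtype(packet: bytes) -> Optional[int]:
    """Return the QTYPE of the first question, or None if the message is malformed."""
    if len(packet) < 12:
        return None
    qdcount = struct.unpack("!H", packet[4:6])[0]
    if qdcount == 0:
        return None
    pos = 12
    # Walk the QNAME labels until the terminating zero-length label.
    while True:
        if pos >= len(packet):
            return None
        length = packet[pos]
        if length == 0:
            pos += 1
            break
        if length & 0xC0:
            return None  # compression pointer or oversized label: treat as malformed
        pos += 1 + length
    if pos + 4 > len(packet):
        return None
    return struct.unpack("!H", packet[pos:pos + 2])[0]


def should_refuse(packet: bytes) -> bool:
    """Mirror of the dnsdist QTypeRule(65535) workaround: True if the query should get REFUSED."""
    return question_qtype(packet) == BAD_QTYPE
```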
CVE-2021-36754 created at 26 Jul 2021 13:25:28