JPCERT-AT-2015-0031 JPCERT/CC 2015-09-03 <<< JPCERT/CC Alert 2015-09-03 >>> Alert on denial-of-service vulnerability (CVE-2015-5986) in ISC BIND 9 https://www.jpcert.or.jp/english/at/2015/at150031.html I. Overview ISC BIND 9 contains a vulnerability that leads to a denial-of-service (DoS). When this vulnerability is leveraged, a remote attacker may cause an abnormal termination of named. If operating an affected version of ISC BIND 9 (authoritative DNS server, cache DNS server), please consider updating to a version that addresses this vulnerability after referring to the information in "III. Solution". Internet Systems Consortium, Inc. (ISC) CVE-2015-5986: An incorrect boundary check can trigger a REQUIRE assertion failure in openpgpkey_61.c https://kb.isc.org/article/AA-01291 II. Affected Systems According to the information provided by ISC, the following versions are affected by this vulnerability. ISC has rated this vulnerability as "Critical". ISC BIND - Versions prior to 9.9.7 for 9.9.7-P2 versions - Versions prior to 9.10.2 for 9.10.2-P3 versions For more details, refer to the following: BIND 9 Security Vulnerability Matrix https://kb.isc.org/article/AA-00913/ If you are using BIND provided by a distributor, refer to the information provided by that distributor. III. Solution ISC has released versions of ISC BIND that address this vulnerability. Distributors are likely to provide their own versions that address this vulnerability. Consider updating to an updated version after thorough testing. Versions that address this vulnerability are as follows: ISC BIND - BIND 9 version 9.9.7-P3 - BIND 9 version 9.10.2-P4 IV. References US-CERT Internet Systems Consortium (ISC) Releases Security Updates for BIND https://www.us-cert.gov/ncas/current-activity/2015/09/02/Internet-Systems-Consortium-ISC-Releases-Security-Updates-BIND Japan Registry Services (JPRS) (Critical) Vulnerability in BIND 9.10.2/9.9.7 (DNS Service suspension) (Released 9/3/2015)(Japanese) http://jprs.jp/tech/security/2015-09-03-bind9-vuln-openpgpkey.html If you have any information regarding this alert, please contact JPCERT/CC. ====================================================================== JPCERT Coordination Center (JPCERT/CC) MAIL: info@jpcert.or.jp TEL: +81-3-3518-4600 FAX: +81-3-3518-4602 https://www.jpcert.or.jp/english/