Security Bulletin
Summary
ISC BIND on IBM i is vulnerable to a denial of service attack by sending specially created TCP packets and DNS cache poisoning attack by using DNS forwarders as described in the vulnerability details section. IBM i has addressed the vulnerabilities in ISC BIND with a fix as described in the remediation/fixes section.
Vulnerability Details
CVEID: CVE-2022-0396
DESCRIPTION: ISC BIND is vulnerable to a denial of service. By sending specially crafted TCP packets, an attacker could exploit this vulnerability to allow TCP connection slots to be consumed for an indefinite time frame.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/221990 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
CVEID: CVE-2021-25220
DESCRIPTION: ISC BIND could allow a remote attacker to bypass security restrictions, caused by an error when using DNS forwarders. An attacker could exploit this vulnerability to poison the cache with incorrect records leading to queries being made to the wrong servers, which might also result in false information being returned to clients.
CVSS Base score: 6.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/221991 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:N)
Affected Products and Versions
Affected Product(s) | Version(s) |
IBM i | 7.5 |
IBM i | 7.4 |
IBM i | 7.3 |
IBM i | 7.2 |
Remediation/Fixes
IBM i Release | 5770-SS1 PTF Number | PTF Download Link |
7.5 | SI80440 SI80443 SI80458 | SI80440 SI80443 SI80458 |
7.4 | SI80430 SI80431 SI80455 | SI80430 SI80431 SI80455 |
7.3 | SI80437 SI80438 SI80456 | SI80437 SI80438 SI80456 |
7.2 | SI80439 SI80457 | SI80439 SI80457 |
https://www.ibm.com/support/fixcentral
Important note: IBM recommends that all users running unsupported versions of affected products upgrade to supported and fixed version of affected products.
Workarounds and Mitigations
None
Get Notified about Future Security Bulletins
References
Acknowledgement
Change History
15 Jun 2022: Initial Publication
12 July 2022: Updated with PTFs that eliminate the RPM package dependency in the original PTF.
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
Disclaimer
Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.
Document Location
Worldwide
Was this topic helpful?
Document Information
Modified date:
13 July 2022
UID
ibm16595155