Security Bulletin
Summary
ISC BIND is vulnerable to these security vulnerabilities. IBM i has addressed these vulnerabilities.
This security bulletin has been updated, on June 21, 2019, as an additional IBM i PTF is available for IBM i 7.4.
Vulnerability Details
CVEID: CVE-2018-5745
DESCRIPTION: ISC BIND is vulnerable to a denial of service, caused by an error in the managed-keys feature. By replacing a trust anchor''s keys with keys which use an unsupported algorithm, a remote authenticated attacker could exploit this vulnerability to cause an assertion failure.
CVSS Base Score: 4.9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/157386 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H)
CVEID: CVE-2019-6465
DESCRIPTION: ISC BIND could allow a remote attacker to obtain sensitive information, caused by the failure to properly apply controls for zone transfers to Dynamically Loadable Zones (DLZs) if the zones are writable. An attacker could exploit this vulnerability to request and receive a zone transfer of a DLZ even when not permitted to do so by the allow-transfer ACL.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/157377 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
CVEID: CVE-2018-5744
DESCRIPTION: ISC BIND is vulnerable to a denial of service, caused by a failure to free memory when processing messages with a specific combination of EDNS options. By sending a specially-crafted packet, a remote attacker could exploit this vulnerability to exhaust all available memory resources.
CVSS Base Score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/157371 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Affected Products and Versions
Releases 7.1, 7.2, 7.3, and 7.4 of IBM i are affected.
Remediation/Fixes
The issue can be fixed by applying a PTF to IBM i.
Releases 7.1, 7.2, 7.3, and 7.4 of IBM i are supported and will be fixed.
https://www-945.ibm.com/support/fixcentral/
The IBM i PTF numbers are:
Release 7.1 – SI69120
Release 7.2 – SI69118
Release 7.3 – SI69119
Release 7.4 – SI69622
Important note: IBM recommends that all users running unsupported versions of affected products upgrade to supported and fixed version of affected products.
Workarounds and Mitigations
None
Get Notified about Future Security Bulletins
References
Change History
22 April 2019: Original Version Published
21 June 2019: Updated to include IBM i 7.4 release information
15 August 2022: Fixed broken link
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
Disclaimer
Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.
Was this topic helpful?
Document Information
Modified date:
15 August 2022
UID
ibm10876698