Public Date:
1441125: CVE-2017-3136 bind: Incorrect error handling causes assertion failure when using DNS64 with "break-dnssec yes;"
A denial of service flaw was found in the way BIND handled query requests when using DNS64 with "break-dnssec yes" option. A remote attacker could use this flaw to make named exit unexpectedly with an assertion failure via a specially crafted DNS request.

Find out more about CVE-2017-3136 from the MITRE CVE dictionary dictionary and NIST NVD.

CVSS v3 metrics

CVSS3 Base Score 5.9
CVSS3 Base Metrics CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector Network
Attack Complexity High
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality None
Integrity Impact None
Availability Impact High

Red Hat Security Errata

Platform Errata Release Date
Red Hat Enterprise Linux 7 (bind) RHSA-2017:1095 2017-04-19
Red Hat Enterprise Linux 6 (bind) RHSA-2017:1105 2017-04-20

Affected Packages State

Platform Package State
Red Hat Enterprise Linux 5 bind97 Not affected
Red Hat Enterprise Linux 5 bind Not affected
Unless explicitly stated as not affected, all previous versions of packages in any minor update stream of a product listed here should be assumed vulnerable, although may not have been subject to full analysis.


Red Hat would like to thank ISC for reporting this issue. Upstream acknowledges Oleg Gorokhov (Yandex) as the original reporter.


Servers which have configurations which require DNS64 and "break-dnssec yes;" should upgrade. Servers which are not using these features in conjunction are not at risk from this defect.

External References

Last Modified