Red Hat has released an important security update for the bind package.
bind: Limiting simultaneous TCP clients is ineffective (CVE-2018-5743)
For more details about the security issues, and other related information, refer to the CVE page.
Date Reported: 24-April-2019
Fix Released On: 29-May-2019
Severity Level: Medium
Affected Packages: bind
Affected Operating System & Version:
- Red Hat Enterprise Linux 5 – Will not fix
- Red Hat Enterprise Linux 6 – Update will be released soon
- Red Hat Enterprise Linux 7 – Fixed
- Red Hat Enterprise Linux 8 – Fixed
Details:
A flaw was found in the way bind implemented the tunable that limits simultaneous TCP client connections. A remote attacker could use this flaw to exhaust the pool of file descriptors available to named, potentially affecting network connections and the management of files such as log files or zone journal files.
In cases where the named process is not limited by OS-enforced per-process limits, this could additionally lead to exhaustion of all available free file descriptors on that system.
Refer to the following link for installing security updates on Red Hat (RHEL) and CentOS systems.
For more details about this, refer to the MITRE CVE dictionary and NIST NVD.
Red Hat Security Advisory References:
Security Database References (CVE):
Fix(es):
- This issue is fixed for RHEL 7 in bind-9.9.4-74.
- This issue is fixed for RHEL 8 in bind-9.11.4-17.P2.
Refer to the following link to verify the installed security updates on Red Hat (RHEL) and CentOS systems.
Solution:
This issue has been fixed and an update is available in the repository.
After update, the BIND daemon (named) will be restarted automatically.
The installed security fixes can be verified in the package change log using the following command.
# rpm -q --changelog bind | grep -i CVE-2018-5743
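As an added example (not from Red Hat or this advisory), the following Python script performs the same changelog check as the command above and additionally compares the installed bind VERSION-RELEASE against the fixed builds listed under Fix(es), using a reimplementation of rpm's segment-by-segment version comparison (tilde handled, caret not). The rpm calls in check_host assume a RHEL host with rpm available; the sample changelog text is constructed for illustration.

```python
import re
import subprocess

# Fixed bind builds (VERSION-RELEASE) from the advisory, keyed by RHEL major.
FIXED_BUILDS = {7: "9.9.4-74", 8: "9.11.4-17.P2"}

# Constructed sample of what 'rpm -q --changelog bind' might print.
SAMPLE_CHANGELOG = """* Tue May 28 2019 Example Packager <packager@example.invalid> - 32:9.9.4-74
- Fix CVE-2018-5743: limit on simultaneous TCP clients was ineffective
* Mon Jan 14 2019 Example Packager <packager@example.invalid> - 32:9.9.4-73
- Rebase internal patches
"""

_SEG = re.compile(r"\d+|[A-Za-z]+|~")

def rpmvercmp(a, b):
    """Compare two rpm version (or release) strings like rpm does: split into
    numeric and alphabetic runs, numbers compare numerically, letters lexically,
    a number beats a letter run, a tilde sorts before anything, and otherwise
    the string with segments left over is newer. Returns -1, 0 or 1."""
    if a == b:
        return 0
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if "~" in (x, y):
            if x != y:
                return -1 if x == "~" else 1
            continue
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return -1 if int(x) < int(y) else 1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return -1 if x < y else 1
    rest = sa[len(sb):] or sb[len(sa):]
    if not rest:
        return 0
    longer_is_a = len(sa) > len(sb)
    if rest[0] == "~":  # leftover tilde: the longer string is the older one
        return -1 if longer_is_a else 1
    return 1 if longer_is_a else -1

def compare_vr(a, b):
    """Compare 'VERSION-RELEASE' strings: version first, then release."""
    va, _, ra = a.partition("-")
    vb, _, rb = b.partition("-")
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)

def is_fixed(installed_vr, rhel_major):
    """True if the installed build is at or past the advisory's fixed build.
    RHEL majors without a fixed build listed (5, 6) are reported as not fixed."""
    fixed = FIXED_BUILDS.get(rhel_major)
    return fixed is not None and compare_vr(installed_vr, fixed) >= 0

def changelog_mentions_cve(changelog, cve="CVE-2018-5743"):
    """Same test as 'rpm -q --changelog bind | grep -i CVE-2018-5743'."""
    return any(cve.lower() in line.lower() for line in changelog.splitlines())

def check_host(rhel_major):
    """On a RHEL host (rpm assumed present): returns the installed
    VERSION-RELEASE, the version-compare verdict and the changelog verdict."""
    def q(*args):
        return subprocess.run(["rpm", "-q", *args, "bind"], capture_output=True,
                              text=True, check=True).stdout
    vr = q("--qf", "%{VERSION}-%{RELEASE}").strip()
    return vr, is_fixed(vr, rhel_major), changelog_mentions_cve(q("--changelog"))
```

Both checks should agree on a patched host; a release string at or past the fixed build with no CVE entry in the changelog is worth a second look at the package origin.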