Wind River Support Network

Description

Change #4777 (introduced in October 2017) introduced an unforeseen issue in releases which were issued after that date, affecting which clients are permitted to make recursive queries to a BIND nameserver. The intended (and documented) behavior is that if an operator has not specified a value for the allow-recursion setting, it SHOULD default to one of the following: none, if recursion no; is set in named.conf; a value inherited from the allow-query-cache or allow-query settings IF recursion yes; (the default for that setting) AND match lists are explicitly set for allow-query-cache or allow-query (see the BIND9 Administrative Reference Manual section 6.2 for more details); or the intended default of allow-recursion {localhost; localnets;}; if recursion yes; is in effect and no values are explicitly set for allow-query-cache or allow-query. However, because of the regression introduced by change #4777, it is possible when recursion yes; is in effect and no match list values are provided for allow-query-cache or allow-query for the setting of allow-recursion to inherit a setting of all hosts from the allow-query setting default, improperly permitting recursion to all clients. Affects BIND 9.9.12, 9.10.7, 9.11.3, 9.12.0->9.12.1-P2, the development release 9.13.0, and also releases 9.9.12-S1, 9.10.7-S1, 9.11.3-S1, and 9.11.3-S2 from BIND 9 Supported Preview Edition.

Find out more about CVE-2018-5738 from the MITRE-CVE dictionary and NIST NVD

---

Products Affected

Login may be required to access defects or downloads.

Related Products

Notes
Requires LTSS - customers must have active LTSS (Long Term Security Shield) Support to receive up-to-date information about vulnerabilities that may affect legacy software. Please contact your Wind River account team or see https://docs.windriver.com/bundle/Support_and_Maintenance_Supplemental_Terms_and_Conditions and https://support2.windriver.com/index.php?page=plc for more information.