Vulnerability Details: CVE-2019-19331
knot-resolver before version 4.3.0 is vulnerable to denial of service through high CPU utilization. DNS replies with very many resource records might be processed very inefficiently, in extreme cases taking even several CPU seconds for each such uncached message. For example, a few thousand A records can be squashed into one DNS message (limit is 64kB).
Vulnerability category: Denial of service
Products affected by CVE-2019-19331
- cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
- cpe:2.3:a:nic:knot_resolver:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2019-19331
EPSS score: 0.25% (probability of exploitation activity in the next 30 days)
Percentile: ~64% (the proportion of vulnerabilities that are scored at or less)
CVSS scores for CVE-2019-19331
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:N/A:P | 10.0 | 2.9 | NIST | |
7.5 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 3.9 | 3.6 | Red Hat, Inc. | |
7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 3.9 | 3.6 | NIST | |
CWE ids for CVE-2019-19331
- The product does not release or incorrectly releases a resource before it is made available for re-use. Assigned by: nvd@nist.gov (Primary)
- An algorithm in a product has an inefficient worst-case computational complexity that may be detrimental to system performance and can be triggered by an attacker, typically using crafted manipulations that ensure that the worst case is being reached. Assigned by: secalert@redhat.com (Secondary)
References for CVE-2019-19331
- https://www.knot-resolver.cz/2019-12-04-knot-resolver-4.3.0.html
  Knot Resolver 4.3.0 released – Knot Resolver (Release Notes; Vendor Advisory)
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-19331
  1779566 – (CVE-2019-19331) CVE-2019-19331 knot-resolver: DNS packets taking few seconds to process with full CPU utilization leads to DoS (Exploit; Issue Tracking; Patch)
- https://lists.debian.org/debian-lts-announce/2024/04/msg00017.html
  [SECURITY] [DLA 3795-1] knot-resolver security update