CVE-2019-10163 - OpenCVE

A Vulnerability has been found in PowerDNS Authoritative Server before versions 4.1.9, 4.0.8 allowing a remote, authorized master server to cause a high CPU load or even prevent any further updates to any slave zone by sending a large number of NOTIFY messages. Note that only servers configured as slaves are affected by this issue.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact Low

User Interaction Required

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

AV:N/AC:L/Au:S/C:N/I:N/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Powerdns	Authoritative
Opensuse	Backports Leap

Configuration 1 [-]

OR	cpe:2.3:a:powerdns:authoritative::::::::
	cpe:2.3:a:powerdns:authoritative::::::::
	cpe:2.3:a:powerdns:authoritative:4.1.0:-::::::

Configuration 2 [-]

OR	cpe:2.3:o:opensuse:backports:sle-15:-::::::
	cpe:2.3:o:opensuse:backports:sle-15:sp1::::::
	cpe:2.3:o:opensuse:leap:15.0:::::::*
	cpe:2.3:o:opensuse:leap:15.1:::::::*

References

Link	Resource
http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00036.html	Mailing List Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00054.html	Mailing List Third Party Advisory
https://blog.powerdns.com/2019/06/21/powerdns-authoritative-server-4-0-8-and-4-1-10-released/	Vendor Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10163	Issue Tracking Patch Third Party Advisory
https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2019-05.html	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: redhat

Published: 2019-07-30T22:16:59

Updated: 2020-12-04T18:00:58

Reserved: 2019-03-27T00:00:00

Link: CVE-2019-10163

JSON object: View

NVD Information

Status : Analyzed

Published: 2019-07-30T23:15:12.263

Modified: 2023-02-03T14:27:58.510

Link: CVE-2019-10163

JSON object: View

Redhat Information

No data.

CWE

CWE-770

{"containers": {"cna": {"affected": [{"product": "pdns", "vendor": "PowerDNS", "versions": [{"status": "affected", "version": "fixed in 4.1.9"}, {"status": "affected", "version": "fixed in 4.0.8"}]}], "descriptions": [{"lang": "en", "value": "A Vulnerability has been found in PowerDNS Authoritative Server before versions 4.1.9, 4.0.8 allowing a remote, authorized master server to cause a high CPU load or even prevent any further updates to any slave zone by sending a large number of NOTIFY messages. Note that only servers configured as slaves are affected by this issue."}], "metrics": [{"cvssV3_0": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 3.5, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L", "version": "3.0"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-770", "description": "CWE-770", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2020-12-04T18:00:58", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"name": "openSUSE-SU-2019:1904", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00036.html"}, {"name": "openSUSE-SU-2019:1921", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00054.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://blog.powerdns.com/2019/06/21/powerdns-authoritative-server-4-0-8-and-4-1-10-released/"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10163"}, {"tags": ["x_refsource_MISC"], "url": "https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2019-05.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "secalert@redhat.com", "ID": "CVE-2019-10163", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "pdns", "version": {"version_data": [{"version_value": "fixed in 4.1.9"}, {"version_value": "fixed in 4.0.8"}]}}]}, "vendor_name": "PowerDNS"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A Vulnerability has been found in PowerDNS Authoritative Server before versions 4.1.9, 4.0.8 allowing a remote, authorized master server to cause a high CPU load or even prevent any further updates to any slave zone by sending a large number of NOTIFY messages. Note that only servers configured as slaves are affected by this issue."}]}, "impact": {"cvss": [[{"vectorString": "3.5/CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L", "version": "3.0"}]]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-770"}]}]}, "references": {"reference_data": [{"name": "openSUSE-SU-2019:1904", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00036.html"}, {"name": "openSUSE-SU-2019:1921", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00054.html"}, {"name": "https://blog.powerdns.com/2019/06/21/powerdns-authoritative-server-4-0-8-and-4-1-10-released/", "refsource": "CONFIRM", "url": "https://blog.powerdns.com/2019/06/21/powerdns-authoritative-server-4-0-8-and-4-1-10-released/"}, {"name": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10163", "refsource": "CONFIRM", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10163"}, {"name": "https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2019-05.html", "refsource": "MISC", "url": "https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2019-05.html"}]}}}}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2019-10163", "datePublished": "2019-07-30T22:16:59", "dateReserved": "2019-03-27T00:00:00", "dateUpdated": "2020-12-04T18:00:58", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:powerdns:authoritative:*:*:*:*:*:*:*:*", "matchCriteriaId": "5AC9E085-EAB7-4AF1-AE27-890E01A74EBF", "versionEndExcluding": "4.0.8", "versionStartIncluding": "4.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:powerdns:authoritative:*:*:*:*:*:*:*:*", "matchCriteriaId": "18CCB3A5-1428-47B2-AC55-6D8E45842A67", "versionEndExcluding": "4.1.9", "versionStartIncluding": "4.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:powerdns:authoritative:4.1.0:-:*:*:*:*:*:*", "matchCriteriaId": "C77964E1-10B0-4107-A1DF-5A6A23F48A85", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:opensuse:backports:sle-15:-:*:*:*:*:*:*", "matchCriteriaId": "398716BC-E609-4338-BAB9-7CB2A78599BC", "vulnerable": true}, {"criteria": "cpe:2.3:o:opensuse:backports:sle-15:sp1:*:*:*:*:*:*", "matchCriteriaId": "C84D9410-31B7-421A-AD99-8ED2E45A9BC6", "vulnerable": true}, {"criteria": "cpe:2.3:o:opensuse:leap:15.0:*:*:*:*:*:*:*", "matchCriteriaId": "F1E78106-58E6-4D59-990F-75DA575BFAD9", "vulnerable": true}, {"criteria": "cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*", "matchCriteriaId": "B620311B-34A3-48A6-82DF-6F078D7A4493", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A Vulnerability has been found in PowerDNS Authoritative Server before versions 4.1.9, 4.0.8 allowing a remote, authorized master server to cause a high CPU load or even prevent any further updates to any slave zone by sending a large number of NOTIFY messages. Note that only servers configured as slaves are affected by this issue."}, {"lang": "es", "value": "Se ha detectado una vulnerabilidad en Authoritative Server de PowerDNS anterior a versiones 4.1.9, 4.0.8, que permite a un servidor maestro autorizado y remoto causar una alta carga de CPU o incluso impedir actualizaciones adicionales a cualquier zona esclava mediante el env\u00edo de una gran cantidad de mensajes de NOTIFICACI\u00d3N. Note que solo los servidores configurados como esclavos est\u00e1n afectados por este problema."}], "id": "CVE-2019-10163", "lastModified": "2023-02-03T14:27:58.510", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 4.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 3.5, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L", "version": "3.0"}, "exploitabilityScore": 2.1, "impactScore": 1.4, "source": "secalert@redhat.com", "type": "Secondary"}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-07-30T23:15:12.263", "references": [{"source": "secalert@redhat.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00036.html"}, {"source": "secalert@redhat.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00054.html"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "https://blog.powerdns.com/2019/06/21/powerdns-authoritative-server-4-0-8-and-4-1-10-released/"}, {"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Patch", "Third Party Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10163"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2019-05.html"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-770"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-770"}], "source": "secalert@redhat.com", "type": "Secondary"}]}