CVE-2017-3138

named contains a feature which allows operators to issue commands to a running server by communicating with the server process over a control channel, using a utility program such as rndc. A regression introduced in a recent feature change has created a situation under which some versions of named can be caused to exit with a REQUIRE assertion failure if they are sent a null command string. Affects BIND 9.9.9->9.9.9-P7, 9.9.10b1->9.9.10rc2, 9.10.4->9.10.4-P7, 9.10.5b1->9.10.5rc2, 9.11.0->9.11.0-P4, 9.11.1b1->9.11.1rc2, 9.9.9-S1->9.9.9-S9.

  • Published: Jan 16, 2019
  • Updated: Apr 13, 2023
  • CVE: CVE-2017-3138
  • Severity: Medium
  • Exploit:

CVSS v3:

  • Severity: Medium
  • Score: 5.3
  • AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H

CVSS v2:

  • Severity: Low
  • Score: 3.5
  • AV:N/AC:M/Au:S/C:N/I:N/A:P

CWEs:

| Software | From | Fixed in |
|---|---|---|
| isc / bind | 9.10.4-p4 | 9.10.4-p4.x |
| isc / bind | 9.11.0-p1 | 9.11.0-p1.x |
| isc / bind | 9.9.9-p4 | 9.9.9-p4.x |
| isc / bind | 9.10.4-p3 | 9.10.4-p3.x |
| isc / bind | 9.9.9-p1 | 9.9.9-p1.x |
| isc / bind | 9.9.9 | 9.9.9.x |
| isc / bind | 9.9.9-s1 | 9.9.9-s1.x |
| isc / bind | 9.10.4-p2 | 9.10.4-p2.x |
| isc / bind | 9.10.4 | 9.10.4.x |
| isc / bind | 9.10.4-p1 | 9.10.4-p1.x |
| isc / bind | 9.9.9-p3 | 9.9.9-p3.x |
| isc / bind | 9.11.0 | 9.11.0.x |
| isc / bind | 9.9.9-s7 | 9.9.9-s7.x |
| isc / bind | 9.9.9-p5 | 9.9.9-p5.x |
| isc / bind | 9.9.10-beta1 | 9.9.10-beta1.x |
| isc / bind | 9.10.4-p5 | 9.10.4-p5.x |
| isc / bind | 9.11.0-p2 | 9.11.0-p2.x |
| isc / bind | 9.11.1-rc1 | 9.11.1-rc1.x |
| isc / bind | 9.11.0-p3 | 9.11.0-p3.x |
| isc / bind | 9.10.5-rc1 | 9.10.5-rc1.x |
| isc / bind | 9.10.5-b1 | 9.10.5-b1.x |
| isc / bind | 9.10.4-p6 | 9.10.4-p6.x |
| isc / bind | 9.9.10-rc1 | 9.9.10-rc1.x |
| isc / bind | 9.11.1-b1 | 9.11.1-b1.x |
| isc / bind | 9.9.9-p6 | 9.9.9-p6.x |
| isc / bind | 9.11.1-rc2 | 9.11.1-rc2.x |
| isc / bind | 9.11.0-p4 | 9.11.0-p4.x |
| isc / bind | 9.10.5-rc2 | 9.10.5-rc2.x |
| isc / bind | 9.10.4-p7 | 9.10.4-p7.x |
| isc / bind | 9.9.10-rc2 | 9.9.10-rc2.x |
| isc / bind | 9.9.9-p2 | 9.9.9-p2.x |
| isc / bind | 9.9.9-p7 | 9.9.9-p7.x |
| debian / debian_linux | 8.0 | 8.0.x |