Unrated severityNVD Advisory· Published Jun 21, 2023· Updated Feb 13, 2025
named's configured cache size limit can be significantly exceeded
CVE-2023-2828
Description
Every named instance configured to run as a recursive resolver maintains a cache database holding the responses to the queries it has recently sent to authoritative servers. The size limit for that cache database can be configured using the max-cache-size statement in the configuration file; it defaults to 90% of the total amount of memory available on the host. When the size of the cache reaches 7/8 of the configured limit, a cache-cleaning algorithm starts to remove expired and/or least-recently used RRsets from the cache, to keep memory use below the configured limit.
It has been discovered that the effectiveness of the cache-cleaning algorithm used in named can be severely diminished by querying the resolver for specific RRsets in a certain order, effectively allowing the configured max-cache-size limit to be significantly exceeded. This issue affects BIND 9 versions 9.11.0 through 9.16.41, 9.18.0 through 9.18.15, 9.19.0 through 9.19.13, 9.11.3-S1 through 9.16.41-S1, and 9.18.11-S1 through 9.18.15-S1.
Affected products
61- osv-coords60 versionspkg:rpm/almalinux/bindpkg:rpm/almalinux/bind9.16pkg:rpm/almalinux/bind9.16-chrootpkg:rpm/almalinux/bind9.16-develpkg:rpm/almalinux/bind9.16-dnssec-utilspkg:rpm/almalinux/bind9.16-docpkg:rpm/almalinux/bind9.16-libspkg:rpm/almalinux/bind9.16-licensepkg:rpm/almalinux/bind9.16-utilspkg:rpm/almalinux/bind-chrootpkg:rpm/almalinux/bind-develpkg:rpm/almalinux/bind-dnssec-docpkg:rpm/almalinux/bind-dnssec-utilspkg:rpm/almalinux/bind-docpkg:rpm/almalinux/bind-export-develpkg:rpm/almalinux/bind-export-libspkg:rpm/almalinux/bind-libspkg:rpm/almalinux/bind-libs-litepkg:rpm/almalinux/bind-licensepkg:rpm/almalinux/bind-lite-develpkg:rpm/almalinux/bind-pkcs11pkg:rpm/almalinux/bind-pkcs11-develpkg:rpm/almalinux/bind-pkcs11-libspkg:rpm/almalinux/bind-pkcs11-utilspkg:rpm/almalinux/bind-sdbpkg:rpm/almalinux/bind-sdb-chrootpkg:rpm/almalinux/bind-utilspkg:rpm/almalinux/python3-bindpkg:rpm/almalinux/python3-bind9.16pkg:rpm/opensuse/bind&distro=openSUSE%20Leap%2015.4pkg:rpm/opensuse/bind&distro=openSUSE%20Leap%2015.5pkg:rpm/suse/bind&distro=SUSE%20Enterprise%20Storage%207pkg:rpm/suse/bind&distro=SUSE%20Enterprise%20Storage%207.1pkg:rpm/suse/bind&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP1-LTSSpkg:rpm/suse/bind&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP2-LTSSpkg:rpm/suse/bind&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP3-ESPOSpkg:rpm/suse/bind&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP3-LTSSpkg:rpm/suse/bind&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP4pkg:rpm/suse/bind&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP5pkg:rpm/suse/bind&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Server%20Applications%2015%20SP4pkg:rpm/suse/bind&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Server%20Applications%2015%20SP5pkg:rpm/suse/bind&distro=SUSE%20Linux%20Enterprise%20Real%20Time%2015%20SP3pkg:rpm/suse/bind&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP2-BCLpkg:rpm/suse/bind&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP4-ESPOSpkg:rpm/suse/bind&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP4-LTSSpkg:rpm/suse/bind&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5pkg:rpm/suse/bind&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP1-LTSSpkg:rpm/suse/bind&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP2-LTSSpkg:rpm/suse/bind&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP3-LTSSpkg:rpm/suse/bind&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP4pkg:rpm/suse/bind&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP5pkg:rpm/suse/bind&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP1pkg:rpm/suse/bind&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP2pkg:rpm/suse/bind&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP3pkg:rpm/suse/bind&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP5pkg:rpm/suse/bind&distro=SUSE%20Manager%20Client%20Tools%20for%20SLE%20Micro%205pkg:rpm/suse/bind&distro=SUSE%20Manager%20Proxy%204.2pkg:rpm/suse/bind&distro=SUSE%20Manager%20Server%204.2pkg:rpm/suse/bind&distro=SUSE%20OpenStack%20Cloud%209pkg:rpm/suse/bind&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209
< 32:9.16.23-11.el9_2.1+ 59 more
- (no CPE)range: < 32:9.16.23-11.el9_2.1
- (no CPE)range: < 32:9.16.23-0.14.el8_8.1.alma
- (no CPE)range: < 32:9.16.23-0.14.el8_8.1.alma
- (no CPE)range: < 32:9.16.23-0.14.el8_8.1.alma
- (no CPE)range: < 32:9.16.23-0.14.el8_8.1.alma
- (no CPE)range: < 32:9.16.23-0.14.el8_8.1.alma
- (no CPE)range: < 32:9.16.23-0.14.el8_8.1.alma
- (no CPE)range: < 32:9.16.23-0.14.el8_8.1.alma
- (no CPE)range: < 32:9.16.23-0.14.el8_8.1.alma
- (no CPE)range: < 32:9.16.23-11.el9_2.1
- (no CPE)range: < 32:9.16.23-11.el9_2.1
- (no CPE)range: < 32:9.16.23-11.el9_2.1
- (no CPE)range: < 32:9.16.23-11.el9_2.1
- (no CPE)range: < 32:9.16.23-11.el9_2.1
- (no CPE)range: < 32:9.11.36-8.el8_8.1
- (no CPE)range: < 32:9.11.36-8.el8_8.1
- (no CPE)range: < 32:9.16.23-11.el9_2.1
- (no CPE)range: < 32:9.11.36-8.el8_8.1
- (no CPE)range: < 32:9.16.23-11.el9_2.1
- (no CPE)range: < 32:9.11.36-8.el8_8.1
- (no CPE)range: < 32:9.11.36-8.el8_8.1
- (no CPE)range: < 32:9.11.36-8.el8_8.1
- (no CPE)range: < 32:9.11.36-8.el8_8.1
- (no CPE)range: < 32:9.11.36-8.el8_8.1
- (no CPE)range: < 32:9.11.36-8.el8_8.1
- (no CPE)range: < 32:9.11.36-8.el8_8.1
- (no CPE)range: < 32:9.16.23-11.el9_2.1
- (no CPE)range: < 32:9.16.23-11.el9_2.1
- (no CPE)range: < 32:9.16.23-0.14.el8_8.1.alma
- (no CPE)range: < 9.16.42-150400.5.27.1
- (no CPE)range: < 9.16.42-150500.8.3.1
- (no CPE)range: < 9.16.6-150000.12.68.1
- (no CPE)range: < 9.16.6-150300.22.30.1
- (no CPE)range: < 9.16.6-150000.12.68.1
- (no CPE)range: < 9.16.6-150000.12.68.1
- (no CPE)range: < 9.16.6-150300.22.30.1
- (no CPE)range: < 9.16.6-150300.22.30.1
- (no CPE)range: < 9.16.42-150400.5.27.1
- (no CPE)range: < 9.16.42-150500.8.3.1
- (no CPE)range: < 9.16.42-150400.5.27.1
- (no CPE)range: < 9.16.42-150500.8.3.1
- (no CPE)range: < 9.16.6-150300.22.30.1
- (no CPE)range: < 9.9.9P1-63.40.1
- (no CPE)range: < 9.11.22-3.46.4
- (no CPE)range: < 9.11.22-3.46.4
- (no CPE)range: < 9.11.22-3.46.4
- (no CPE)range: < 9.16.6-150000.12.68.1
- (no CPE)range: < 9.16.6-150000.12.68.1
- (no CPE)range: < 9.16.6-150300.22.30.1
- (no CPE)range: < 9.11.22-3.46.4
- (no CPE)range: < 9.11.22-3.46.4
- (no CPE)range: < 9.16.6-150000.12.68.1
- (no CPE)range: < 9.16.6-150000.12.68.1
- (no CPE)range: < 9.16.6-150300.22.30.1
- (no CPE)range: < 9.11.22-3.46.4
- (no CPE)range: < 9.16.6-150000.12.68.1
- (no CPE)range: < 9.16.6-150300.22.30.1
- (no CPE)range: < 9.16.6-150300.22.30.1
- (no CPE)range: < 9.11.22-3.46.4
- (no CPE)range: < 9.11.22-3.46.4
- ISC/BIND 9v5Range: 9.11.0
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
7- kb.isc.org/docs/cve-2023-2828mitrevendor-advisory
- www.openwall.com/lists/oss-security/2023/06/21/6mitre
- lists.debian.org/debian-lts-announce/2023/07/msg00021.htmlmitre
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SEFCEVCTYEMKTWA7V7EYPI5YQQ4JWDLI/mitre
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U3K6AJK7RRSR53HRF5GGKPA6PDUDWOD2/mitre
- security.netapp.com/advisory/ntap-20230703-0010/mitre
- www.debian.org/security/2023/dsa-5439mitre
News mentions
0No linked articles in our index yet.