CVE-2023-50868

Description

The Closest Encloser Proof aspect of the DNS protocol (in RFC 5155 when RFC 9276 guidance is skipped) allows remote attackers to cause a denial of service (CPU consumption for SHA-1 computations) via DNSSEC responses in a random subdomain attack, aka the "NSEC3" issue. The RFC 5155 specification implies that an algorithm must perform thousands of iterations of a hash function in certain situations.

How to fix CVE-2023-50868

To remediate CVE-2023-50868, upgrade the affected package to a fixed version below.

• —upgrade to 9.16.48-r0 or later
• —upgrade to 2.90-r0 or later
• —upgrade to 1.19.1-r0 or later
• —upgrade to 1:9.16.48-1 or later
• —no fix listed
• —upgrade to 2.85-1+deb11u1 or later
• —no fix listed
• —no fix listed
• —upgrade to 247.3-7+deb11u6 or later
• —upgrade to 1.13.1-1+deb11u2 or later

Is CVE-2023-50868 being exploited?

Moderate — EPSS is 12.4%. Track this CVE but it's not at the top of the prioritisation list.

Affected packages (10)

• from 0, < 9.16.48-r0
• from 0, < 2.90-r0
• from 0, < 1.19.1-r0
• from 0, < 1:9.16.48-1
• from 0
• from 0, < 2.85-1+deb11u1
• from 0
• from 0
• from 0, < 247.3-7+deb11u6
• from 0, < 1.13.1-1+deb11u2

CVSS scores

References (2)

• ADVISORYsecurity.alpinelinux.org/vuln/CVE-2023-50868
• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2023-50868