-@ 86400 IN SOA pdns-public-ns1.powerdns.com. peter\.van\.dijk.powerdns.com. 2022082209 10800 3600 604800 10800
+@ 86400 IN SOA pdns-public-ns1.powerdns.com. peter\.van\.dijk.powerdns.com. 2022082302 10800 3600 604800 10800
@ 3600 IN NS pdns-public-ns1.powerdns.com.
@ 3600 IN NS pdns-public-ns2.powerdns.com.
--- /dev/null
+PowerDNS Security Advisory 2022-02: incomplete exception handling related to protobuf message generation
+========================================================================================================
+
+- CVE: CVE-2022-37428
+- Date: 23th of August 2022.
+- Affects: PowerDNS Recursor up to and including 4.5.9, 4.6.2 and 4.7.1
+- Not affected: PowerDNS Recursor 4.5.10, 4.6.3 and 4.7.2
+- Severity: Medium
+- Impact: Denial of service
+- Exploit: This problem can be triggered by a remote attacker with access to the recursor if protobuf logging is enabled
+- Risk of system compromise: None
+- Solution: Upgrade to patched version, disable protobuf logging of responses
+
+This issue only affects recursors which have protobuf logging enabled using the
+
+ protobufServer function with logResponses=true or
+
+ outgoingProtobufServer function with logResponses=true
+
+If either of these functions is used without specifying logResponses, its value is true.
+An attacker needs to have access to the recursor, i.e. the remote IP must be in the access control list.
+If an attacker queries a name that leads to an answer with specific properties, a protobuf message might be generated that causes an exception. The code does not handle this exception correctly, causing a denial of service.
projects / thirdparty / pdns.git / commitdiff
