CVE-2019-6477

Severity: HIGH | CVSS 7.5/10 | EPSS 4.02%

CVE-2019-6477 is a high-severity denial-of-service vulnerability in ISC BIND, rated 7.5/10 on the CVSS scale. With TCP pipelining enabled, each query received on a pipelined TCP connection requires roughly the same resource allocation as a query received over UDP or over TCP without pipelining, so a single client holding one pipelined TCP connection can consume more resources than the server was provisioned to handle. EPSS estimates a 4.02% chance of exploitation in the next 30 days.

Description

With pipelining enabled each incoming query on a TCP connection requires a similar resource allocation to a query received via UDP or via TCP without pipelining enabled. A client using a TCP-pipelined connection to a server could consume more resources than the server has been provisioned to handle. When a TCP connection with a large number of pipelined queries is closed, the load on the server releasing these multiple resources can cause it to become unresponsive, even for queries that can be answered authoritatively or from cache. (This is most likely to be perceived as an intermittent server problem).
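The pipelining the description refers to is the RFC 7766 practice of writing many length-prefixed DNS messages to one TCP connection without waiting for the answers, so a single connection can carry hundreds of queries that the server must allocate for, and later tear down, all at once. The following is an added example, not code from the NVD entry or from ISC BIND: it builds such a stream, parses it back (including a trailing partial message), and counts queries per connection, which is the check a monitoring hook in front of a resolver would run. The hostnames, client addresses and the threshold of 100 are constructed assumptions for the demonstration, not BIND settings.

```python
"""Added example (not from the NVD entry or ISC BIND): build a TCP-pipelined
DNS query stream (RFC 7766 framing), parse it back, and count how many
queries a single connection carries."""
import struct

# Constructed sample values for the demonstration, not real hosts.
SAMPLE_CLIENT = ("198.51.100.7", 40001)
PIPELINE_THRESHOLD = 100  # assumed alerting threshold, not a BIND option


def encode_name(qname: str) -> bytes:
    """Encode a dotted hostname as DNS labels (RFC 1035 section 3.1)."""
    out = b""
    for label in qname.rstrip(".").split("."):
        if not label:
            continue
        if len(label) > 63:
            raise ValueError("label longer than 63 octets")
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(txid: int, qname: str, qtype: int = 1) -> bytes:
    """Minimal standard query: RD flag set, one question, no other records."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)


def frame_tcp(msg: bytes) -> bytes:
    """DNS over TCP prefixes every message with a 2-byte big-endian length."""
    return struct.pack("!H", len(msg)) + msg


def pipeline(queries) -> bytes:
    """Concatenate framed queries: this is what a pipelining client writes
    to the socket in one go, before reading any response."""
    return b"".join(frame_tcp(q) for q in queries)


def split_tcp_stream(data: bytes):
    """Return the complete messages in a TCP byte stream plus any trailing
    partial message, which must wait for more bytes."""
    msgs, pos = [], 0
    while pos + 2 <= len(data):
        (length,) = struct.unpack("!H", data[pos:pos + 2])
        if pos + 2 + length > len(data):
            break
        msgs.append(data[pos + 2:pos + 2 + length])
        pos += 2 + length
    return msgs, data[pos:]


def decode_name(msg: bytes, offset: int):
    """Decode labels at offset. Compression pointers are rejected here:
    a client query's question section does not need them."""
    labels = []
    while True:
        length = msg[offset]
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        offset += 1
        if length == 0:
            return ".".join(labels) + ".", offset
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length


def parse_question(msg: bytes):
    """Return (txid, qname, qtype) for a single-question message."""
    txid, _flags, qdcount = struct.unpack("!HHH", msg[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    qname, off = decode_name(msg, 12)
    qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
    return txid, qname, qtype


def pipelined_queries(data: bytes):
    """Parse every complete query in a client-to-server byte stream."""
    msgs, rest = split_tcp_stream(data)
    return [parse_question(m) for m in msgs], rest


def flag_connections(streams: dict, threshold: int = PIPELINE_THRESHOLD) -> dict:
    """Given {(client_ip, port): bytes sent so far}, report the connections
    carrying more pipelined queries than the threshold."""
    report = {}
    for conn, data in streams.items():
        queries, _ = pipelined_queries(data)
        if len(queries) > threshold:
            report[conn] = len(queries)
    return report


if __name__ == "__main__":
    burst = pipeline(build_query(i, f"host{i}.example.", 1) for i in range(500))
    print(flag_connections({SAMPLE_CLIENT: burst}))
```

The point of `split_tcp_stream` returning the leftover bytes is that on a real socket the last frame is usually incomplete; a parser that drops it, or that trusts the length prefix without checking it against the bytes actually received, will miscount. Every query the counter reports corresponds to one server-side allocation of the kind the description refers to, which is why a per-connection count, rather than a connection count alone, is the signal that matters for this CVE.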

Metrics

CVSS 3.1: 7.5/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS probability: 4.02% (89.3rd percentile)

Probability of exploitation in the next 30 days.

Weakness Enumeration

Affected Software

Vendor          Product   Versions                  Update
ISC             BIND      >= 9.11.7, <= 9.11.12
ISC             BIND      >= 9.14.1, <= 9.14.7
ISC             BIND      >= 9.15.0, <= 9.15.5
ISC             BIND      9.11.5                    S6
ISC             BIND      9.11.6                    P1
ISC             BIND      9.11.12                   S1
ISC             BIND      9.12.4                    P1
Fedora Project  Fedora    30
Fedora Project  Fedora    31

References

Timeline

Published
Last Modified
Status: Modified

Frequently Asked Questions

What is CVE-2019-6477?
A denial-of-service vulnerability in ISC BIND's handling of TCP-pipelined queries. Each query on a pipelined TCP connection costs the server about as much as a separate UDP or non-pipelined TCP query, so one connection can consume more resources than the server was provisioned for, and closing a connection carrying a large number of pipelined queries can make named unresponsive, even for answers served authoritatively or from cache. In practice this is most likely to be perceived as an intermittent server problem. See the Description above for the full text of the entry.
How severe is CVE-2019-6477?
CVE-2019-6477 has a CVSS score of 7.5/10 (HIGH severity); the vector is network-reachable, requires no privileges or user interaction, and affects availability only. The EPSS model estimates a 4.02% probability of exploitation in the next 30 days.
How do I fix CVE-2019-6477?
Upgrade to a BIND release later than the affected ranges listed above (the first fixed releases are 9.11.13, 9.14.8 and 9.15.6, with 9.11.13-S1 for the Supported Preview Edition). If you cannot upgrade immediately, ISC's advisory describes a workaround: disable pipelining for all clients by setting keep-response-order { any; }; in named.conf, which makes named handle queries on a TCP connection one at a time at the cost of pipelining throughput. Confirm the running version with named -v before and after the change.


Source: NVD / NIST