Denial of service in Oracle products - CVE-2016-2848
Published: October 20, 2016 / Updated: January 11, 2017
Vulnerability identifier: #VU1043
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2016-2848
CWE-ID: CWE-20
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: ISC
Oracle
Oracle
Affected software:
ISC BIND
Oracle VM Server for x86
Oracle Linux
ISC BIND
Oracle VM Server for x86
Oracle Linux
Detailed vulnerability description
The vulnerability allows a remote unauthenticated user to perform DoS attack on the targete system.
The weakness is due to insuffcient handling of options data in an OPT resource record. By sending a specially crafted DNS packet, attackers can trigger the named service to crash.
Successful exploitation of the vulnerability leads to denial of service on the vulnarable system.
The weakness is due to insuffcient handling of options data in an OPT resource record. By sending a specially crafted DNS packet, attackers can trigger the named service to crash.
Successful exploitation of the vulnerability leads to denial of service on the vulnarable system.
How to mitigate CVE-2016-2848
Update to version 9.9.9-P3, 9.10.4-P3 or 9.11.0.