Denial of service in Oracle products - CVE-2016-8864
Published: November 1, 2016 / Updated: January 11, 2017
Vulnerability identifier: #VU1132
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2016-8864
CWE-ID: CWE-20
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: ISC
Oracle
Affected software:
ISC BIND
Oracle Solaris
Oracle Linux
Oracle VM Server for x86
Detailed vulnerability description
The vulnerability allows a remote unauthenticated attacker to cause a denial of service (DoS) on the target system.
The weakness is due to improper input validation. When named is performing recursion and receives a response whose answer section contains a specially crafted DNAME record, the response can trigger an assertion failure in 'db.c' or 'resolver.c' and cause the resolver process to exit. The attacker must be able to supply that response, for example by operating an authoritative server for a zone the resolver is induced to look up, or by spoofing the reply.
Successful exploitation of the vulnerability results in denial of service on the vulnerable system; recursive resolvers are the primary target, since only a server performing recursion processes such responses.
How to mitigate CVE-2016-8864
Update to BIND 9.9.9-P4, 9.10.4-P4 or 9.11.0-P1, depending on the branch in use, or install the corresponding vendor-patched package.
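The following script is an added example, not code from ISC, Oracle or this advisory. It parses the version string that `named -v` prints (or a bare version such as 9.10.4-P3) and compares it with the fixed releases listed above, taking care of the ordering BIND uses (9.11.0rc1 sorts below 9.11.0, which sorts below 9.11.0-P1). The treatment of branches the advisory does not mention (9.8 and older as unfixed, 9.12 and newer as released after the fix) and the sample version strings are assumptions made for this example.

```python
"""Check a BIND version string against the CVE-2016-8864 fixed releases.

Added example, not ISC or Oracle code.  Input is the output of `named -v`
(for example "BIND 9.10.4-P3 <id:6bc9fd1>") or a bare version string.
"""
import re
from typing import Optional, Tuple

# Fixed releases named in the advisory, keyed by maintenance branch.
FIXED_RELEASES = {
    (9, 9): "9.9.9-P4",
    (9, 10): "9.10.4-P4",
    (9, 11): "9.11.0-P1",
}

# Pre-release tags in ascending order: alpha < beta < release candidate.
_PRERELEASE_RANK = {"a": 0, "b": 1, "rc": 2}

_VERSION_RE = re.compile(
    r"(?<![\d.])(\d+)\.(\d+)\.(\d+)"   # major.minor.patch
    r"(?:(a|b|rc)(\d+))?"              # optional pre-release tag, e.g. 9.11.0rc1
    r"(?:-([PS])(\d+))?"               # optional -P<n> patch level or -S<n> subscription edition
)

VersionKey = Tuple[int, int, int, int, int, int]


def parse_version(text: str) -> Optional[Tuple[VersionKey, str]]:
    """Extract the first BIND version found in text.

    Returns (sort_key, edition), where edition is "" for public releases and
    "S" for ISC subscription editions, or None when no version is present.
    """
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch, pre_tag, pre_num, ed_tag, ed_num = m.groups()
    # A pre-release sorts below the final release, and the final release
    # sorts below its -P patch levels: 9.11.0rc1 < 9.11.0 < 9.11.0-P1.
    if pre_tag:
        pre_rank, pre_number = _PRERELEASE_RANK[pre_tag], int(pre_num)
    else:
        pre_rank, pre_number = len(_PRERELEASE_RANK), 0
    patch_level = int(ed_num) if ed_tag == "P" else 0
    key = (int(major), int(minor), int(patch), pre_rank, pre_number, patch_level)
    return key, ("S" if ed_tag == "S" else "")


def is_vulnerable(text: str) -> Optional[bool]:
    """True if the version is below the fixed release for its branch,
    False if at or above it, None if there is no basis to decide
    (no version found, or an -S subscription edition, whose numbering the
    advisory does not cover)."""
    parsed = parse_version(text)
    if parsed is None:
        return None
    key, edition = parsed
    if edition == "S":
        return None
    branch = key[:2]
    if branch in FIXED_RELEASES:
        fixed = parse_version(FIXED_RELEASES[branch])
        assert fixed is not None
        return key < fixed[0]
    # Assumption, not stated in the advisory: branches older than 9.9 are
    # end-of-life with no fix (vulnerable); branches newer than 9.11 were
    # released after the fix (not vulnerable).
    return branch < (9, 9)


if __name__ == "__main__":
    # Constructed sample strings in the shape `named -v` prints.
    samples = [
        "BIND 9.10.4-P3 <id:6bc9fd1>",
        "BIND 9.10.4-P4 <id:6bc9fd1>",
        "BIND 9.11.0rc1 <id:ab9a2c0>",
        "BIND 9.9.9-S5 <id:deadbee>",
        "BIND 9.9.5-3ubuntu0.19-Ubuntu <id:f9b8a5e>",
    ]
    labels = {True: "VULNERABLE", False: "fixed", None: "undetermined"}
    for s in samples:
        print(f"{s:45s} -> {labels[is_vulnerable(s)]}")
```

One caveat a version check cannot cover: distribution packages (Oracle Linux among them) usually backport the fix without bumping the upstream version, so a string such as 9.9.5-3ubuntu0.19 is reported as vulnerable here even though the package may already be patched. For packaged BIND, confirm against the vendor's errata or the package changelog rather than the upstream version alone.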