CVE-2017-3145

Improper fetch cleanup sequencing in the resolver can cause named to crash

Description

BIND was improperly sequencing cleanup operations on upstream recursion fetch contexts, leading in some cases to a use-after-free error that can trigger an assertion failure and crash in named. Affects BIND 9.0.0 to 9.8.x, 9.9.0 to 9.9.11, 9.10.0 to 9.10.6, 9.11.0 to 9.11.2, 9.9.3-S1 to 9.9.11-S1, 9.10.5-S1 to 9.10.6-S1, 9.12.0a1 to 9.12.0rc1.

Remediation

Solution:

  • Upgrade to the patched release most closely related to your current version of BIND. These can all be downloaded from http://www.isc.org/downloads. BIND 9 version 9.9.11-P1 BIND 9 version 9.10.6-P1 BIND 9 version 9.11.2-P1 BIND 9 version 9.12.0rc2 BIND Supported Preview Edition is a special feature preview branch of BIND provided to eligible ISC support customers. BIND 9 version 9.9.11-S2 BIND 9 version 9.10.6-S2

Workaround:

  • If an operator is experiencing crashes due to this, temporarily disabling DNSSEC validation can be used to avoid the known problematic code path while replacement builds are prepared.

Category

7.5
CVSS
Severity: High
CVSS 3.1 •
CVSS 3.0 •
CVSS 2.0 •
EPSS 12.11% Top 10%
Vendor Advisory redhat.com Vendor Advisory redhat.com Vendor Advisory debian.org Vendor Advisory redhat.com Vendor Advisory redhat.com Vendor Advisory juniper.net Vendor Advisory isc.org
Affected: ISC BIND 9
Published at:
Updated at:

References

Link Tags
https://access.redhat.com/errata/RHSA-2018:0102 third party advisory vendor advisory
https://access.redhat.com/errata/RHSA-2018:0487 third party advisory vendor advisory
https://www.debian.org/security/2018/dsa-4089 third party advisory vendor advisory
https://access.redhat.com/errata/RHSA-2018:0488 third party advisory vendor advisory
https://access.redhat.com/errata/RHSA-2018:0101 third party advisory vendor advisory
http://www.securitytracker.com/id/1040195 broken link third party advisory vdb entry
https://kb.isc.org/docs/aa-01542 vendor advisory
http://www.securityfocus.com/bid/102716 broken link third party advisory vdb entry
https://lists.debian.org/debian-lts-announce/2018/01/msg00029.html third party advisory mailing list
https://security.netapp.com/advisory/ntap-20180117-0003/ third party advisory
https://supportportal.juniper.net/s/article/2018-07-Security-Bulletin-SRX-Series-Vulnerabilities-in-ISC-BIND-named third party advisory vendor advisory

Frequently Asked Questions

What is the severity of CVE-2017-3145?
CVE-2017-3145 has been scored as a high severity vulnerability.
How to fix CVE-2017-3145?
To fix CVE-2017-3145: Upgrade to the patched release most closely related to your current version of BIND. These can all be downloaded from http://www.isc.org/downloads. BIND 9 version 9.9.11-P1 BIND 9 version 9.10.6-P1 BIND 9 version 9.11.2-P1 BIND 9 version 9.12.0rc2 BIND Supported Preview Edition is a special feature preview branch of BIND provided to eligible ISC support customers. BIND 9 version 9.9.11-S2 BIND 9 version 9.10.6-S2
Is CVE-2017-3145 being actively exploited in the wild?
It is possible that CVE-2017-3145 is being exploited or will be exploited in a near future based on public information. According to its EPSS score, there is a ~12% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2017-3145?
CVE-2017-3145 affects ISC BIND 9.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.