Allocation of Resources Without Limits or Throttling
CVE-2023-50387
Summary
DNSJava is vulnerable to KeyTrap, an algorithmic-complexity denial-of-service attack. Applications that use the ValidatingResolver for DNSSEC validation can be driven into CPU exhaustion by specially crafted DNSSEC-signed zones. The weakness, known as the "KeyTrap" issue, stems from the DNSSEC validation rules specified in RFC 4033, 4034, 4035, 6840 and related RFCs: for a zone that publishes many DNSKEY and RRSIG records, the protocol requires the validator to evaluate every DNSKEY/RRSIG combination before it can declare the data bogus, so the signature-verification work grows with the product of the two record counts, and the attacker controls both. Because the expensive step is triggered by looking up a name in the attacker's zone, the exhaustion can be reached with a single query. This vulnerability affects DNSJava versions prior to 3.6.0.
CVSS v3 base metrics:
- Attack Vector: NETWORK
- Attack Complexity: LOW
- Privileges Required: NONE
- User Interaction: REQUIRED
- Scope: UNCHANGED
- Confidentiality: NONE
- Integrity: NONE
- Availability: HIGH
CWE-770 - Allocation of Resources Without Limits or Throttling
The software allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.
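The following Python model is an added illustration of both the summary above and the CWE-770 entry; it is not dnsjava code and does not reproduce the fix shipped in dnsjava 3.6.0. It replaces real RSA/ECDSA verification with an HMAC toy so that it runs offline, and the zone contents, the colliding key tag 12345 and the budget of 16 attempts are all constructed. What it shows is the quadratic blow-up of an unbounded validator on a zone with many same-tag keys and many bogus signatures, and how a per-RRset verification cap turns that into bounded work that fails closed.

```python
"""Toy model of KeyTrap (CVE-2023-50387) against a DNSSEC validator.

Added example, not dnsjava code. Signature verification is an HMAC stand-in
so the block runs offline; real validators run RSA/ECDSA here, which is what
makes every extra DNSKEY x RRSIG combination expensive.
"""
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class DNSKEY:
    key_tag: int
    algorithm: int
    public_key: bytes


@dataclass(frozen=True)
class RRSIG:
    key_tag: int
    algorithm: int
    signature: bytes


def toy_verify(key: DNSKEY, rrset: bytes, sig: RRSIG, counter: list) -> bool:
    """Stand-in for a real signature check (constructed). Counts every attempt."""
    counter[0] += 1
    expected = hmac.new(key.public_key, rrset, hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig.signature)


def candidate_keys(sig: RRSIG, dnskeys):
    """RFC 4035 5.3.1: a DNSKEY is a candidate for an RRSIG when algorithm and
    key tag match. Key tags are 16-bit and not unique, so a zone can publish
    many distinct keys that all collide on one tag."""
    return [k for k in dnskeys
            if k.key_tag == sig.key_tag and k.algorithm == sig.algorithm]


def validate_unbounded(rrset: bytes, rrsigs, dnskeys):
    """Unthrottled validation: try every RRSIG against every candidate key
    until one verifies. Work is len(rrsigs) * len(candidates)."""
    attempts = [0]
    for sig in rrsigs:
        for key in candidate_keys(sig, dnskeys):
            if toy_verify(key, rrset, sig, attempts):
                return "secure", attempts[0]
    return "bogus", attempts[0]


def validate_bounded(rrset: bytes, rrsigs, dnskeys, max_attempts: int = 16):
    """Generic CWE-770 mitigation (assumed, not dnsjava's exact fix): cap the
    number of signature verifications per RRset and fail closed (bogus) once
    the cap is hit, so attacker-supplied record counts no longer dictate CPU."""
    attempts = [0]
    for sig in rrsigs:
        for key in candidate_keys(sig, dnskeys):
            if attempts[0] >= max_attempts:
                return "bogus", attempts[0]
            if toy_verify(key, rrset, sig, attempts):
                return "secure", attempts[0]
    return "bogus", attempts[0]


# Constructed stand-in for the canonical RRset wire data being validated.
RRSET = b"www.example. IN A 192.0.2.1"


def honest_zone():
    """One key, one valid signature: the normal case."""
    key = DNSKEY(key_tag=12345, algorithm=13, public_key=b"zsk-0")
    sig = RRSIG(12345, 13, hmac.new(key.public_key, RRSET, hashlib.sha256).digest())
    return [sig], [key]


def keytrap_zone(n_keys: int = 50, n_sigs: int = 50):
    """Constructed attacker zone: n_keys DNSKEYs colliding on one key tag plus
    n_sigs RRSIGs that all name that tag and none of which verify."""
    keys = [DNSKEY(12345, 13, f"evil-{i}".encode()) for i in range(n_keys)]
    sigs = [RRSIG(12345, 13, hashlib.sha256(f"garbage-{j}".encode()).digest())
            for j in range(n_sigs)]
    return sigs, keys


if __name__ == "__main__":
    for label, zone in (("honest", honest_zone()), ("keytrap", keytrap_zone())):
        print(label, "unbounded:", validate_unbounded(RRSET, *zone),
              "bounded:", validate_bounded(RRSET, *zone))
```

With 50 keys and 50 signatures the unbounded validator performs 2500 verifications before returning bogus, and the count scales as the product of the two record sizes the attacker chooses; the bounded validator stops after 16 regardless of zone size, while still accepting the honest zone on the first attempt. A real deployment would tune the cap to legitimate key-rollover sizes and also consider limiting the number of DNSKEY and RRSIG records accepted per RRset.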
Advisory Timeline
- Published