
Allocation of Resources Without Limits or Throttling

CVE-2023-50387

Severity Medium
Score 6.5/10

Summary

DNSJava is vulnerable to KeyTrap, a Denial-of-Service algorithmic complexity attack. Users using the 'ValidatingResolver' for DNSSEC validation can run into CPU exhaustion with specially crafted DNSSEC-signed zones. This vulnerability, known as the "KeyTrap" issue, arises from certain aspects of the DNSSEC protocol specified in RFC 4033, 4034, 4035, 6840, and related RFCs. The issue is particularly problematic in zones containing numerous DNSKEY and RRSIG records, where the protocol mandates the evaluation of all combinations of these records. This vulnerability affects DNSJava versions prior to 3.6.0.
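The following is an added illustration, not code from dnsjava or from the advisory, of why validation cost grows with the number of DNSKEY and RRSIG records and of the general mitigation (a hard cap on signature checks per RRset, failing closed). Records are plain tuples, the signature check is a stand-in that does no cryptography, and the cap value of 16 is an assumption chosen for the demo; the exact limit mechanism dnsjava 3.6.0 uses is not described on this page.

```python
"""Model of DNSSEC validation work as a function of DNSKEY x RRSIG pairs,
beside a bounded validator that refuses to do unbounded work.

Constructed example; not dnsjava code. The signature check is a stand-in,
so no real public-key cryptography runs here.
"""
from dataclasses import dataclass
from enum import Enum


class Status(Enum):
    SECURE = "secure"
    BOGUS = "bogus"


@dataclass(frozen=True)
class DNSKEY:
    key_tag: int
    algorithm: int
    key_id: str          # constructed label used only by the stand-in verify


@dataclass(frozen=True)
class RRSIG:
    key_tag: int
    algorithm: int
    signed_by: str       # constructed: key_id of the real signer, "" if it validates against nothing


def stand_in_verify(key: DNSKEY, sig: RRSIG) -> bool:
    """Stand-in for the expensive signature verification (assumption: no real crypto)."""
    return key.key_id == sig.signed_by


def validate_unbounded(dnskeys, rrsigs):
    """RFC 4035 style: try each RRSIG against every DNSKEY whose key tag and
    algorithm match, stopping at the first success.
    Returns (status, number_of_verify_calls)."""
    attempts = 0
    for sig in rrsigs:
        for key in dnskeys:
            if key.key_tag != sig.key_tag or key.algorithm != sig.algorithm:
                continue
            attempts += 1
            if stand_in_verify(key, sig):
                return Status.SECURE, attempts
    return Status.BOGUS, attempts


def validate_bounded(dnskeys, rrsigs, max_attempts=16):
    """Same loop with a cap: after max_attempts failed checks the RRset is
    treated as Bogus instead of burning more CPU (cap value is an assumption)."""
    attempts = 0
    for sig in rrsigs:
        for key in dnskeys:
            if key.key_tag != sig.key_tag or key.algorithm != sig.algorithm:
                continue
            if attempts >= max_attempts:
                return Status.BOGUS, attempts
            attempts += 1
            if stand_in_verify(key, sig):
                return Status.SECURE, attempts
    return Status.BOGUS, attempts


def benign_zone():
    """Constructed: a KSK and a ZSK with distinct key tags and one valid RRSIG."""
    keys = [DNSKEY(12345, 13, "ksk"), DNSKEY(23456, 13, "zsk")]
    sigs = [RRSIG(23456, 13, "zsk")]
    return keys, sigs


def pathological_zone(n_keys, n_sigs):
    """Constructed: n_keys DNSKEYs and n_sigs RRSIGs that all match on key tag
    and algorithm, so every pair is a candidate, and none of them validates."""
    keys = [DNSKEY(1000, 13, f"k{i}") for i in range(n_keys)]
    sigs = [RRSIG(1000, 13, "") for _ in range(n_sigs)]
    return keys, sigs


if __name__ == "__main__":
    print(validate_unbounded(*benign_zone()))                 # (SECURE, 1)
    print(validate_unbounded(*pathological_zone(100, 100)))   # (BOGUS, 10000)
    print(validate_bounded(*pathological_zone(100, 100)))     # (BOGUS, 16)
```

The unbounded loop performs n_keys × n_sigs verifications before giving up, which is the CPU exhaustion the advisory describes; the bounded variant does the same work on a normal zone but caps the cost on a malformed one and reports Bogus, which is the safe outcome for a validating resolver.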

  • Attack Complexity: LOW
  • Attack Vector: NETWORK
  • Privileges Required: NONE
  • Scope: UNCHANGED
  • User Interaction: REQUIRED
  • Confidentiality: NONE
  • Integrity: NONE
  • Availability: HIGH

CWE-770 - Allocation of Resources Without Limits or Throttling

The software allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.

Advisory Timeline

  • Published