Headline
GHSA-crjg-w57m-rqqf: DNSJava vulnerable to KeyTrap - Denial-of-Service Algorithmic Complexity Attacks
Impact
Users using the ValidatingResolver for DNSSEC validation can run into CPU exhaustion with specially crafted DNSSEC-signed zones.
Patches
Users should upgrade to dnsjava v3.6.0.
Workarounds
Although not recommended, using only a non-validating resolver will remove the vulnerability.
References
https://www.athene-center.de/en/keytrap
Package
dnsjava:dnsjava (Maven)
Affected versions
< 3.6.0
Patched versions
3.6.0
References
- GHSA-crjg-w57m-rqqf
- dnsjava/dnsjava@07ac36a
- dnsjava/dnsjava@3ddc45c
ibauersachs published to dnsjava/dnsjava
Jul 21, 2024
Published to the GitHub Advisory Database
Jul 22, 2024
Reviewed
Jul 22, 2024
Last updated
Jul 22, 2024