RHSA-2023:2370: Red Hat Security Advisory: unbound security update
An update for unbound is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
Related CVEs:
- CVE-2022-3204: A vulnerability was found in unbound. The attack can cause a resolver to spend a lot of time and resources resolving records under a malicious delegation point where a considerable number of unresponsive NS records reside. This issue can trigger high CPU usage in some resolver implementations that continually look in the cache for resolved NS records in that delegation, leading to degraded performance and, eventually, a denial of service in orchestrated attacks.
Issued:
2023-05-09
Updated:
2023-05-09
RHSA-2023:2370 - Security Advisory
Synopsis
Moderate: unbound security update
Type/Severity
Security Advisory: Moderate
Topic
An update for unbound is now available for Red Hat Enterprise Linux 9.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Description
The unbound packages provide a validating, recursive, and caching DNS or DNSSEC resolver.
Security Fix(es):
- unbound: NRDelegation attack leads to uncontrolled resource consumption (Non-Responsive Delegation Attack) (CVE-2022-3204)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Additional Changes:
For detailed information on changes in this release, see the Red Hat Enterprise Linux 9.2 Release Notes linked from the References section.
Affected Products
- Red Hat Enterprise Linux for x86_64 9 x86_64
- Red Hat Enterprise Linux for IBM z Systems 9 s390x
- Red Hat Enterprise Linux for Power, little endian 9 ppc64le
- Red Hat Enterprise Linux for ARM 64 9 aarch64
- Red Hat CodeReady Linux Builder for x86_64 9 x86_64
- Red Hat CodeReady Linux Builder for Power, little endian 9 ppc64le
- Red Hat CodeReady Linux Builder for ARM 64 9 aarch64
- Red Hat CodeReady Linux Builder for IBM z Systems 9 s390x
Fixes
- BZ - 2128947 - CVE-2022-3204 unbound: NRDelegation attack leads to uncontrolled resource consumption (Non-Responsive Delegation Attack)
References
- https://access.redhat.com/security/updates/classification/#moderate
- https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.2_release_notes/index
Red Hat Enterprise Linux for x86_64 9
SRPM
unbound-1.16.2-3.el9.src.rpm
x86_64
python3-unbound-1.16.2-3.el9.x86_64.rpm
python3-unbound-debuginfo-1.16.2-3.el9.i686.rpm
python3-unbound-debuginfo-1.16.2-3.el9.x86_64.rpm
unbound-1.16.2-3.el9.x86_64.rpm
unbound-debuginfo-1.16.2-3.el9.i686.rpm
unbound-debuginfo-1.16.2-3.el9.x86_64.rpm
unbound-debugsource-1.16.2-3.el9.i686.rpm
unbound-debugsource-1.16.2-3.el9.x86_64.rpm
unbound-libs-1.16.2-3.el9.i686.rpm
unbound-libs-1.16.2-3.el9.x86_64.rpm
unbound-libs-debuginfo-1.16.2-3.el9.i686.rpm
unbound-libs-debuginfo-1.16.2-3.el9.x86_64.rpm
Red Hat Enterprise Linux for IBM z Systems 9
SRPM
unbound-1.16.2-3.el9.src.rpm
s390x
python3-unbound-1.16.2-3.el9.s390x.rpm
python3-unbound-debuginfo-1.16.2-3.el9.s390x.rpm
unbound-1.16.2-3.el9.s390x.rpm
unbound-debuginfo-1.16.2-3.el9.s390x.rpm
unbound-debugsource-1.16.2-3.el9.s390x.rpm
unbound-libs-1.16.2-3.el9.s390x.rpm
unbound-libs-debuginfo-1.16.2-3.el9.s390x.rpm
Red Hat Enterprise Linux for Power, little endian 9
SRPM
unbound-1.16.2-3.el9.src.rpm
ppc64le
python3-unbound-1.16.2-3.el9.ppc64le.rpm
python3-unbound-debuginfo-1.16.2-3.el9.ppc64le.rpm
unbound-1.16.2-3.el9.ppc64le.rpm
unbound-debuginfo-1.16.2-3.el9.ppc64le.rpm
unbound-debugsource-1.16.2-3.el9.ppc64le.rpm
unbound-libs-1.16.2-3.el9.ppc64le.rpm
unbound-libs-debuginfo-1.16.2-3.el9.ppc64le.rpm
Red Hat Enterprise Linux for ARM 64 9
SRPM
unbound-1.16.2-3.el9.src.rpm
aarch64
python3-unbound-1.16.2-3.el9.aarch64.rpm
python3-unbound-debuginfo-1.16.2-3.el9.aarch64.rpm
unbound-1.16.2-3.el9.aarch64.rpm
unbound-debuginfo-1.16.2-3.el9.aarch64.rpm
unbound-debugsource-1.16.2-3.el9.aarch64.rpm
unbound-libs-1.16.2-3.el9.aarch64.rpm
unbound-libs-debuginfo-1.16.2-3.el9.aarch64.rpm
Red Hat CodeReady Linux Builder for x86_64 9
SRPM
x86_64
python3-unbound-debuginfo-1.16.2-3.el9.i686.rpm
python3-unbound-debuginfo-1.16.2-3.el9.x86_64.rpm
unbound-debuginfo-1.16.2-3.el9.i686.rpm
unbound-debuginfo-1.16.2-3.el9.x86_64.rpm
unbound-debugsource-1.16.2-3.el9.i686.rpm
unbound-debugsource-1.16.2-3.el9.x86_64.rpm
unbound-devel-1.16.2-3.el9.i686.rpm
unbound-devel-1.16.2-3.el9.x86_64.rpm
unbound-libs-debuginfo-1.16.2-3.el9.i686.rpm
unbound-libs-debuginfo-1.16.2-3.el9.x86_64.rpm
Red Hat CodeReady Linux Builder for Power, little endian 9
SRPM
ppc64le
python3-unbound-debuginfo-1.16.2-3.el9.ppc64le.rpm
unbound-debuginfo-1.16.2-3.el9.ppc64le.rpm
unbound-debugsource-1.16.2-3.el9.ppc64le.rpm
unbound-devel-1.16.2-3.el9.ppc64le.rpm
unbound-libs-debuginfo-1.16.2-3.el9.ppc64le.rpm
Red Hat CodeReady Linux Builder for ARM 64 9
SRPM
aarch64
python3-unbound-debuginfo-1.16.2-3.el9.aarch64.rpm
unbound-debuginfo-1.16.2-3.el9.aarch64.rpm
unbound-debugsource-1.16.2-3.el9.aarch64.rpm
unbound-devel-1.16.2-3.el9.aarch64.rpm
unbound-libs-debuginfo-1.16.2-3.el9.aarch64.rpm
Red Hat CodeReady Linux Builder for IBM z Systems 9
SRPM
s390x
python3-unbound-debuginfo-1.16.2-3.el9.s390x.rpm
unbound-debuginfo-1.16.2-3.el9.s390x.rpm
unbound-debugsource-1.16.2-3.el9.s390x.rpm
unbound-devel-1.16.2-3.el9.s390x.rpm
unbound-libs-debuginfo-1.16.2-3.el9.s390x.rpm
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.
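A host is covered by this update only when its installed unbound build is at or above 1.16.2-3.el9, the build named in the package list above. The following is an added example, not part of the advisory or of Red Hat tooling: a simplified rpm-style version comparison (tilde handled, caret ordering not handled) applied to a constructed inventory whose host names and line format are assumptions.

```python
import re

FIXED_EVR = "1.16.2-3.el9"  # fixed unbound build taken from this advisory's package names
_SEG = re.compile(r"~|[0-9]+|[A-Za-z]+")  # separators (".", "_", ...) are dropped

def rpmvercmp(a, b):
    """Compare two version or release strings segment by segment; returns -1, 0 or 1."""
    ta, tb = _SEG.findall(a), _SEG.findall(b)
    for i in range(max(len(ta), len(tb))):
        x = ta[i] if i < len(ta) else None
        y = tb[i] if i < len(tb) else None
        if x == "~" or y == "~":          # a tilde sorts before anything, even end of string
            if x == y:
                continue
            return -1 if x == "~" else 1
        if x is None or y is None:        # the string with segments left over is newer
            return -1 if x is None else 1
        if x.isdigit() != y.isdigit():    # a numeric segment is newer than an alphabetic one
            return 1 if x.isdigit() else -1
        if x.isdigit():
            x, y = int(x), int(y)         # numeric compare, so 16 > 9
        if x != y:
            return 1 if x > y else -1
    return 0

def split_evr(evr):
    """Split '[epoch:]version-release'; a missing epoch counts as 0."""
    epoch, _, rest = evr.rpartition(":")
    version, _, release = rest.partition("-")
    return int(epoch or 0), version, release

def evr_cmp(a, b):
    ea, va, ra = split_evr(a)
    eb, vb, rb = split_evr(b)
    if ea != eb:
        return 1 if ea > eb else -1
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)

def is_patched(installed_evr, fixed_evr=FIXED_EVR):
    return evr_cmp(installed_evr, fixed_evr) >= 0

def unpatched(report, fixed_evr=FIXED_EVR):
    """Return (host, package, evr) for every inventory line below the fixed build."""
    rows = (line.split() for line in report.splitlines() if line.strip())
    return [(h, p, e) for h, p, e in rows if not is_patched(e, fixed_evr)]

# Constructed inventory, one "host package epoch:version-release" per line (assumed format).
SAMPLE = """host-a unbound 0:1.16.2-3.el9
host-b unbound 0:1.16.2-2.el9
host-c unbound-libs 0:1.9.6-1.el9
host-d unbound 0:1.16.2-3.el9_2.1"""
```

A plain string comparison would rank 1.9.6 above 1.16.2; the segment-wise numeric compare is what makes host-c show up as unpatched.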
Related news
Red Hat Security Advisory 2024-2045-03 - An update for unbound is now available for Red Hat Enterprise Linux 8.6 Extended Update Support.
Red Hat Security Advisory 2023-3644-01 - Red Hat OpenShift Service Mesh is the Red Hat distribution of the Istio service mesh project, tailored for installation into an on-premise OpenShift Container Platform installation. This advisory covers container images for the release.
Red Hat OpenShift Service Mesh Containers for 2.4.0. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-24540: A flaw was found in golang, where not all valid JavaScript white-space characters were considered white space. Due to this issue, templates containing white-space characters outside of the character set "\t\n\f\r\u0020\u2028\u2029" in JavaScript contexts that also contain actions may not be properly sanitized during execution.
Red Hat Security Advisory 2023-3356-01 - Red Hat Advanced Cluster Management for Kubernetes 2.5.9 images Red Hat Advanced Cluster Management for Kubernetes provides the capabilities to address common challenges that administrators and site reliability engineers face as they work across a range of public and private cloud environments. Clusters and applications are all visible and managed from a single console—with security policy built in. This advisory contains the container images for Red Hat Advanced Cluster Management for Kubernetes, which fix several bugs.
Red Hat Security Advisory 2023-2771-01 - The unbound packages provide a validating, recursive, and caching DNS or DNSSEC resolver.
An update for unbound is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-3204: A vulnerability was found in unbound. The attack can cause a resolver to spend a lot of time and resources resolving records under a malicious delegation point where a considerable number of unresponsive NS records reside. This issue can trigger high CPU usage in some resolver implementations that continually look in the cache for resolved NS reco...
Red Hat Security Advisory 2023-2370-01 - The unbound packages provide a validating, recursive, and caching DNS or DNSSEC resolver.
Gentoo Linux Security Advisory 202212-2 - Multiple vulnerabilities have been discovered in Unbound, the worst of which could result in denial of service. Versions less than 1.16.3 are affected.
Ubuntu Security Notice 5732-1 - It was discovered that Unbound incorrectly handled delegations with a large number of non-responsive nameservers. A remote attacker could possibly use this issue to cause Unbound to consume resources, leading to a denial of service.
A vulnerability named 'Non-Responsive Delegation Attack' (NRDelegation Attack) has been discovered in various DNS resolving software. The NRDelegation Attack works by having a malicious delegation with a considerable number of non-responsive nameservers. The attack starts by querying a resolver for a record that relies on those unresponsive nameservers. The attack can cause a resolver to spend a lot of time/resources resolving records under a malicious delegation point where a considerable number of unresponsive NS records reside. It can trigger high CPU usage in some resolver implementations that continually look in the cache for resolved NS records in that delegation. This can lead to degraded performance and eventually denial of service in orchestrated attacks. Unbound does not suffer from high CPU usage, but resources are still needed for resolving the malicious delegation. Unbound will keep trying to resolve the record until hard limits are reached. Based on the nature of the atta...