GHSA-676x-f7gg-47vcHighCVSS 8.7
Netty Vulnerable to DNS Cache Poisoning via Missing Bailiwick Checks in CNAME Records
🔗 CVE IDs covered (1)
📋 Description
Summary
Netty's DnsResolveContext fails to validate the origin (bailiwick) of CNAME records in DNS responses.
Details
In io.netty.resolver.dns.DnsResolveContext#buildAliasMap, the resolver processes the ANSWER section of a DNS response and blindly caches all CNAME records it finds.
According to https://datatracker.ietf.org/doc/html/rfc5452#section-6
Care must be taken to only accept
data if it is known that the originator is authoritative for the
QNAME or a parent of the QNAME.
One very simple way to achieve this is to only accept data if it is
part of the domain for which the query was intended.
Impact
DNS Cache Poisoning (Bailiwick Bypass). Any application using Netty's DNS resolver is impacted.
🎯 Affected products2
- maven/io.netty:netty-resolver-dns:>= 4.2.0.Final, <= 4.2.14.Final
- maven/io.netty:netty-resolver-dns:<= 4.1.134.Final