IBM Support

SI55866 - OSP-DNS Fix for CVE-2014-8500: A Defect in Delegation Handl

PTF ( Program Temporary Fixes ) Cover letter


Order this fix

Abstract

OSP-DNS Fix for CVE-2014-8500: A Defect in Delegation Handl


Pre/Co-Requisite PTF / Fix List

REQ  LICENSED           PTF/FIX  LEVEL

TYPE PROGRAM  RELEASE   NUMBER   MIN/MAX  OPTION
---- -------- --------- -------  -------  ------
NONE



NOTICE:
-------
Application of this PTF may disable or render ineffective programs that
use system memory addresses not generated by the IBM translator,
including programs that circumvent control technology designed to limit
interactive capacity to purchased levels.  This PTF may be a prerequisite
for future PTFs.  By applying this PTF you authorize and agree to the
foregoing.

This PTF is subject to the terms of the license agreement which
accompanied, or was contained in, the Program for which you are obtaining
the PTF.  You are not authorized to install or use the PTF except as part
of a Program for which you have a valid Proof of Entitlement.

SUBJECT TO ANY WARRANTIES WHICH CAN NOT BE EXCLUDED OR EXCEPT AS EXPLICITLY
AGREED TO IN THE APPLICABLE LICENSE AGREEMENT OR AN APPLICABLE SUPPORT
AGREEMENT, IBM MAKES NO WARRANTIES OR CONDITIONS EITHER EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OR CONDITIONS OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON INFRINGEMENT,
REGARDING THE PTF.

The applicable license agreement may have been provided to you in printed
form and/or may be viewed using the Work with Software Agreements (WRKSFWAGR)
CL command.


APAR Error Description / Circumvention

-------------------------------------------------
On DECEMBER 8th, ISC publicly announced CVE-2014-8500 in BIND.
CVE-2014-8500, a critical vulnerability in delegation handling,
affecting all versions of BIND 9.
https://kb.isc.org/article/AA-01216
http://xforce.iss.net/xforce/xfdb/99187

CORRECTION FOR APAR 'SE60980' :
-------------------------------
ISC has provided a fix for CVE-2014-8500, and we'll port the fix
to V6R1, V7R1 and V7R2.

Change log:
---------------------------
A flaw in delegation handling could be exploited to put named
into an infinite loop. This has been addressed by placing limits
on the number of levels of recursion named will allow (default
7), and the number of iterative queries that it will send
(default 200) before terminating a recursive query
(CVE-2014-8500).
The recursion depth limit is configured via the
"max-recursion-depth" option, and the query limit via the
"max-recursion-queries" option.
---------------------------
Option explanation:
max-recursion-depth
Sets the maximum number of levels of recursion that are
permitted at any one time while servicing a recursive query.
Resolving a name may require looking up a name server address,
which in turn requires resolving another name, etc; if the
number of indirections exceeds this value, the recursive query
is terminated and returns SERVFAIL.  The default is 7.
max-recursion-queries
Sets the maximum number of iterative queries that may be
sent while servicing a recursive query. If more queries are
sent, the recursive query is terminated and returns SERVFAIL.
The default is 200.

Additional notes:
1. These two new options are not supported by current iNavigator
or web based Navigator for i. If customer wants to change the
default value, they have to edit the named.conf directly and add
customized configuration into global option section. Invalid
option error for the new options may be reported by iNavigator
or Navigator for i, and the new options may be removed when
saving configuration.
2. A minor issue of this fix has been discovered. If server's
cache is empty, queries for some domain names may fail at first,
but succeed after a few minutes. This issue is caused by the
queries required to resolve the domain name is exceeding the
value of "max-recursion-queries" option. We have changed the
default value of "max-recursion-queries" option from original 50
to 200 to decrease the possibility of encountering this issue.

CIRCUMVENTION FOR APAR 'SE60980' :
----------------------------------
None.


Activation Instructions


None.




Special Instructions


END DOMAIN NAME SERVERS ON THE SYSTEM
EXAMPLE: ENDTCPSVR SERVER(*DNS) DNSSVR(*ALL)
THEN APPLY THE PTF
START DOMAIN NAME SERVER AGAIN
EXAMPLE: STRTCPSVR SERVER(*DNS) DNSSVR(<DNS_NAME>)


Default Instructions

THIS PTF CAN BE APPLIED IMMEDIATE OR DELAYED.



Supersedes

PTF/FIX NO(S).  APAR TITLE LINE
--------------  ------------------------------------------------------------
   SI52362      OSP-DNS- ENDTCPSVR *DNS COMMAND SHOWS MSG TCP1A17 EVEN WITH
   SI52362      OSP Several DNS bug fixes
   SI51568      DNS - Fixes for DNS security vulnerabilities (CVE fixes)

Summary Information

System.............................. i
Models..............................
Release............................. V7R2M0
Licensed Program............... 5770SS1
APAR Fixed.......................... SE60980
Superseded by:...................... View fix details for PTF SI70732
Recompile........................... N
Library............................. QDNS
MRI Feature ........................ NONE
Cum Level........................... C5135720


IBM i Support

IBM disclaims all warranties, whether express or implied, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose. By furnishing this document, IBM grants no licenses to any related patents or copyrights. Copyright © 1996,1997,1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013, 2014, 2015, 2016, 2017, 2018, 2019 IBM Corporation. Any trademarks and product or brand names referenced in this document are the property of their respective owners. Consult the Terms of use link for trademark information.

Document information

More support for: i family

Software version: V7R2M0

Operating system(s): OS/400

Reference #: SI55866

Modified date: 04 February 2015