BIND Vulnerability Matrix

The BIND Vulnerability Matrix is a tool to help DNS operators understand the current security risk for a given version of BIND.

It has two parts:

  • The first part is a table listing all of the vulnerabilities covered by this page. The first column is a reference number for use in the tables in the second part. The second column is the CVE (Common Vulnerabilities and Exposures) number for the vulnerability, linked to its page on cve.mitre.org. The third column is a short description of the vulnerability, linked (where possible) to our Knowledge Base article on the vulnerability.
  • The second part is a table for each branch of BIND, listing all of the releases in that branch along the side and vulnerabilities along the top.  If a vulnerability number is less than the lowest column heading, that branch does not have any versions with it.  If a vulnerability number is greater than the highest column heading, that branch has not been tested and should be assumed to be vulnerable.

For example, if you use the top table to look up CVE-2012-1667, you will see that it cross-references to #46. You can look for column #46 in the lower charts and see which versions are vulnerable. If you were still running BIND 9.8.3, you would know to upgrade.

We do not generally list alpha, beta or release candidate (RC) versions here, and recommend that you use only released software in any environment in which security could be an issue. This page explains our version numbering system.

We do not recommend that you use any version not listed in one of these charts.

Vulnerability information for EOL (End of Life) versions of BIND 9 (including 9.7) is on this page, and BIND 8 is on this page.

Listing of Vulnerabilities

# CVE Number Short Description
30 2008-5077 DNSSEC issue with DSA and NSEC3DSA algorithms
31 2009-0696 Dynamic Update DoS attack
32 2009-4022 Cache Update From Additional Section
33 2010-0097 DNSSEC validation code could cause bogus NXDOMAIN responses
34 2010-0213 RRSIG query handling bug in BIND 9.7.1
35 2010-0218 Unexpected ACL Behavior in BIND 9.7.2
36 2010-3762 failure to handle bad signatures if multiple trust anchors configured
37 2010-3614 Key algorithm rollover bug in BIND 9
38 2010-3615 allow-query processed incorrectly
39 2010-3613 cache incorrectly allows an ncache entry and an RRSIG for the same type
40 2011-0414 Server lockup upon IXFR or DDNS update combined with high query rate
41 2011-1907 RRSIG queries can trigger server crash when using Response Policy Zones
42 2011-1910 Large RRSIG RRsets and negative caching can crash named
43 2011-2464 remote packet denial of service against authoritative and recursive servers
44 2011-2465 Remote crash with certain RPZ configurations
45 2011-4313 BIND 9 Resolver crashes after logging an error in query.c
46 2012-1667
47 2012-3817 Heavy DNSSEC validation load can cause a "bad cache" assertion failure
48 2012-3868 High TCP query load can trigger a memory leak
49 2012-4244 A specially crafted Resource Record could cause named to terminate
50 2012-5166 Specially crafted DNS data can cause a lockup in named
51 2012-5688 BIND 9 servers using DNS64 can be crashed by a crafted query
52 2012-5689 BIND 9 with DNS64 enabled can unexpectedly terminate when resolving domains in RPZ
53 2013-2266 A Maliciously Crafted Regular Expression Can Cause Memory Exhaustion in named

BIND 9.9

ver/CVE 46 47 48 49 50 51 52 53
9.9.3b2                
9.9.3b1               +
9.9.2-P2             +  
9.9.2-P1             + +
9.9.2           + + +
9.9.1-P4           + + +
9.9.1-P3         + + + +
9.9.1-P2       + + + + +
9.9.1-P1   + + + + + + +
9.9.1 + + + + + + + +
9.9.0 + + + + + + + +

BIND 9.8

ver/CVE 41 42 43 44 45 46 47 48 49 50 51 52 53
9.8.5b2                          
9.8.5b1                         +
9.8.4-P2                       +  
9.8.4-P1                       + +
9.8.4                     + + +
9.8.3-P4                     + + +
9.8.3-P3                   + + + +
9.8.3-P2                 + + + + +
9.8.3-P1             +   + + + + +
9.8.3           + +   + + + + +
9.8.2           + +   + + + + +
9.8.1-P1           + +   + + + + +
9.8.1         + + +   + + + + +
9.8.0-P4         + + +   + + + + +
9.8.0-P3     +   + + +   + + + + +
9.8.0-P2     + + + + +   + + + + +
9.8.0-P1   + + + + + +   + + + + +
9.8.0 + + + + + + +   + + + + +

BIND 9.6

ver/CVE 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53
9.6-ESV-R8                                                
9.6-ESV-R7-P4                                                
9.6-ESV-R7-P3                                         +      
9.6-ESV-R7-P2                                       + +      
9.6-ESV-R7-P1                                   +   + +      
9.6-ESV-R7                                 + +   + +      
9.6-ESV-R6                                 + +   + +      
9.6-ESV-R5-P1                                 + +   + +      
9.6-ESV-R5                               + + +   + +      
9.6-ESV-R4-P3                               + + +   + +      
9.6-ESV-R4-P2                           +   + + +   + +      
9.6-ESV-R4-P1                           +   + + +   + +      
9.6-ESV-R4                         + +   + + +   + +      
9.6-ESV-R3                         +     + + +   + +      
9.6-ESV-R2               +   +     +     + + +   + +      
9.6-ESV-R1               +   +           + + +   + +      
9.6-ESV               +   +           + +     + +      
9.6.3               +    +     +     + +     + +      
9.6.2-P3               +    +           + +     + +      
9.6.2-P2               +    +           + +     + +      
9.6.2-P1               +    +           + +     + +      
9.6.2               +    +           + +     + +      
9.6.1-P3               +    +           + +     + +      
9.6.1-P2               +    +           + +     + +      
9.6.1-P1     + +       +    +           + +     + +      
9.6.1   + + +       +    +           + +     + +      
9.6.0-P1   + + +       +    +           + +     + +      
9.6.0 + + + +       +    +           + +     + +      
