VDB
KO
HIGH 8.7

GHSA-676x-f7gg-47vc

Netty Vulnerable to DNS Cache Poisoning via Missing Bailiwick Checks in CNAME Records

Details

### Summary Netty's DnsResolveContext fails to validate the origin (bailiwick) of CNAME records in DNS responses.

### Details In `io.netty.resolver.dns.DnsResolveContext#buildAliasMap`, the resolver processes the ANSWER section of a DNS response and blindly caches all CNAME records it finds.

According to https://datatracker.ietf.org/doc/html/rfc5452#section-6

``` Care must be taken to only accept data if it is known that the originator is authoritative for the QNAME or a parent of the QNAME. One very simple way to achieve this is to only accept data if it is part of the domain for which the query was intended. ```

### Impact DNS Cache Poisoning (Bailiwick Bypass). Any application using Netty's DNS resolver is impacted.

Are you affected?

Enter the version of the package you're using.

Affected packages

Maven / io.netty:netty-resolver-dns
Introduced in: 4.2.0.Final Fixed in: 4.2.15.Final
Fix # pom.xml: bump <version>4.2.15.Final</version> for io.netty:netty-resolver-dns
Maven / io.netty:netty-resolver-dns
Introduced in: 0 Fixed in: 4.1.135.Final
Fix # pom.xml: bump <version>4.1.135.Final</version> for io.netty:netty-resolver-dns

References