
BIND 9 Security Vulnerability Matrix

Updated on 22 Oct 2018

The BIND 9 Security Vulnerability Matrix is a tool to help DNS operators understand the current security risk for a given version of BIND. It has two parts:

  • The first part is a table listing all of the vulnerabilities covered by this page. The first column is a reference number for use in the tables in the second part. The second column is the CVE (Common Vulnerabilities and Exposures) number for the vulnerability, linked to its page on cve.mitre.org. The third column is a short description of the vulnerability, linked (where possible) to the article in this Knowledgebase on the vulnerability.
  • The second part is a table for each branch of BIND, listing all of the releases in that branch down the side and vulnerability reference numbers along the top; a + in a cell means that release is affected by that vulnerability. If a vulnerability number is less than the lowest column heading, no version in that branch has ever been affected by it. If a vulnerability number is greater than the highest column heading, that branch has not been tested against it and should be assumed to be vulnerable.

For example, if you use the top table to look up CVE-2017-3140, you will see that it cross references to #88. You can look for column #88 in the lower charts and see which versions are vulnerable. If you were still running BIND 9.11.1 you would know to upgrade.
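The lookup just described, as an added example (it is not ISC tooling and not code from this page): a short Python script that encodes the reference list and the BIND 9.13 matrix transcribed from this page and applies the two reading rules from the bullet list above, including the "below the lowest column" and "above the highest column" cases. The matrix cells are written out as + and - so that columns survive in plain text; the - is this example's convention, the page leaves such cells blank. The helper names (parse_matrix, status, version_key and so on) are the example's own.

```python
"""Look up BIND versions against this page's vulnerability matrix.

Added example: not ISC's tooling and not code from the page. The data
below is transcribed from the page's CVE listing and its BIND 9.13 matrix.
"""
import re

# Transcribed from the page's listing: reference number -> CVE id.
CVE_LIST = {
    98: "CVE-2018-5741", 97: "CVE-2018-5740", 96: "CVE-2018-5738",
    95: "CVE-2018-5737", 94: "CVE-2018-5736", 93: "CVE-2018-5734",
    92: "CVE-2017-3145", 91: "CVE-2017-3143", 90: "CVE-2017-3142",
    89: "CVE-2017-3141", 88: "CVE-2017-3140", 87: "CVE-2017-3139",
    86: "CVE-2017-3138", 85: "CVE-2017-3137", 84: "CVE-2017-3136",
    83: "CVE-2017-3135", 82: "CVE-2016-9778", 81: "CVE-2016-9444",
    80: "CVE-2016-9147", 79: "CVE-2016-9131", 78: "CVE-2016-8864",
}
REF_BY_CVE = {cve: ref for ref, cve in CVE_LIST.items()}

# The page's BIND 9.13 matrix. Cells are "+" (marked vulnerable) or "-"
# (not marked); the "-" is this example's convention, the page leaves
# such cells blank.
MATRIX_9_13 = """\
ver/CVE  97  98
9.13.3   -   -
9.13.2   +   +
9.13.1   +   +
9.13.0   +   +
"""


def parse_matrix(text):
    """Return (column_refs, {version: set of reference numbers marked '+'})."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].split()
    if header[0] != "ver/CVE":
        raise ValueError("matrix must start with a ver/CVE header row")
    cols = [int(c) for c in header[1:]]
    rows = {}
    for line in lines[1:]:
        version, *cells = line.split()
        if len(cells) != len(cols):
            raise ValueError(f"{version}: {len(cells)} cells for {len(cols)} columns")
        rows[version] = {ref for ref, cell in zip(cols, cells) if cell == "+"}
    return cols, rows


def version_key(version):
    """Sort key for BIND version strings such as 9.11.4-P2 or 9.11.3-S1.

    A -Pn (patch) or -Sn (Supported Preview) suffix sorts after the base release.
    """
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-([PS])(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised BIND version: {version}")
    major, minor, patch = (int(x) for x in m.group(1, 2, 3))
    suffix = int(m.group(5)) if m.group(5) else 0
    return (major, minor, patch, suffix)


def status(version, ref, cols, rows):
    """Apply the page's reading rules for one version and reference number.

    Returns 'not-affected' (ref below the lowest column: the branch never had it),
    'untested' (ref above the highest column: assume vulnerable), 'vulnerable'
    (cell marked '+') or 'fixed' (cell not marked).
    """
    if ref < min(cols):
        return "not-affected"
    if ref > max(cols):
        return "untested"
    if version not in rows:
        raise KeyError(f"{version} is not listed in this matrix")
    return "vulnerable" if ref in rows[version] else "fixed"


def status_for_cve(version, cve, cols, rows):
    """Same as status(), but starting from a CVE id as the page's example does."""
    return status(version, REF_BY_CVE[cve], cols, rows)


def open_cves(version, rows):
    """CVE ids from the listing that are marked against this version."""
    return sorted(CVE_LIST[ref] for ref in rows[version])


def newest_clean_version(rows):
    """Highest version in the matrix with no '+' in any column, or None."""
    clean = [v for v, refs in rows.items() if not refs]
    return max(clean, key=version_key) if clean else None


if __name__ == "__main__":
    cols, rows = parse_matrix(MATRIX_9_13)
    for v in ("9.13.2", "9.13.3"):
        print(v, status_for_cve(v, "CVE-2018-5740", cols, rows), open_cves(v, rows))
    # The page's worked example: CVE-2017-3140 is #88, below the 9.13 columns.
    print("CVE-2017-3140 vs 9.13.2:", status_for_cve("9.13.2", "CVE-2017-3140", cols, rows))
    print("upgrade target in 9.13:", newest_clean_version(rows))
```

The other matrices on this page can be fed to the same parser once their blank cells are written out as - in the right columns; the script refuses a row whose cell count does not match the header, which is exactly the ambiguity a flattened matrix introduces.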

We do not generally list alpha, beta or release candidate (RC) versions here, and recommend that you use only released software in any environment in which security could be an issue. Our version numbering system is explained in a separate Knowledgebase article.

Vulnerability information for EOL (End of Life) versions of BIND 9 (9.0 through 9.8) is included only for vulnerabilities discovered before (or in some cases shortly after) the EOL date. These versions are all known to be affected by some vulnerabilities discovered after their EOL date, which are not listed for them.

Using obsolete versions of BIND
We recommend that you not use obsolete versions of any ISC software; it was updated for a reason. Listings of vulnerabilities affecting obsolete versions of BIND have been split into articles grouped by branch: 9.0, 9.1, 9.2, 9.3, 9.4/9.4‑ESV, 9.5, 9.6/9.6‑ESV, 9.7, 9.8, 9.9, 9.9‑S, 9.10, and 9.10‑S.

Listing of Vulnerabilities affecting current branches of BIND

# CVE Number Short Description
98 2018-5741 Update policies krb5-subdomain and ms-subdomain do not enforce controls promised in their documentation
97 2018-5740 A flaw in the "deny-answer-aliases" feature can cause an INSIST assertion failure in named
96 2018-5738 Some versions of BIND can improperly permit recursive query service to unauthorized clients
95 2018-5737 BIND 9.12's serve-stale implementation can cause an assertion failure in rbtdb.c or other undesirable behavior, even if serve-stale is not enabled
94 2018-5736 Multiple transfers of a zone in quick succession can cause an assertion failure in rbtdb.c
93 2018-5734 A malformed request can trigger an assertion failure in badcache.c
92 2017-3145 Improper fetch cleanup sequencing in the resolver can cause named to crash
91 2017-3143 An error in TSIG handling can permit unauthorized dynamic updates
90 2017-3142 An error in TSIG handling can permit unauthorized zone transfers
89 2017-3141 Windows service and uninstall paths are not quoted when BIND is installed
88 2017-3140 An error processing RPZ rules can cause named to loop endlessly after handling a query
87 2017-3139 [Red Hat] assertion failure in DNSSEC validation
86 2017-3138 named exits with a REQUIRE assertion failure if it receives a null command string on its control channel
85 2017-3137 A response packet can cause a resolver to terminate when processing an answer containing a CNAME or DNAME
84 2017-3136 An error handling synthesized records could cause an assertion failure when using DNS64 with "break-dnssec yes;"
83 2017-3135 Combination of DNS64 and RPZ Can Lead to Crash
82 2016-9778 An error handling certain queries using the nxdomain-redirect feature could cause a REQUIRE assertion failure in db.c
81 2016-9444 An unusually-formed DS record response could cause an assertion failure
80 2016-9147 An error handling a query response containing inconsistent DNSSEC information could cause an assertion failure
79 2016-9131 A malformed response to an ANY query can cause an assertion failure during recursion
78 2016-8864 A problem handling responses containing a DNAME answer can lead to an assertion failure

Why don't the reference numbers begin at 1?
Our reference numbering started with BIND 8. We have since separated the information for BIND 8 and also obsolete branches of BIND 9. To reduce the possibility of confusion when referring to the individual pages we have chosen to maintain uniform numbering across all of them matching the historic numbering, including gaps where some reports affected only BIND 8. As major branches of BIND have reached EOL (End of Life), the lowest numbered vulnerability affecting our current versions has increased. Issues only affecting obsolete branches of BIND have been moved to a separate section later in this KB.

BIND 9.13

ver/CVE 97 98
9.13.3
9.13.2 + +
9.13.1 + +
9.13.0 + +

BIND 9.12

ver/CVE 93 94 95 96 97 98
9.12.2-P2
9.12.2-P1 +
9.12.2 + +
9.12.1-P2 + + +
9.12.1 + + + + +
9.12.0 + + + + +

BIND 9.11

ver/CVE 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98
9.11.4-P2
9.11.4-P1 +
9.11.4 + +
9.11.3 + + +
9.11.2-P1 + +
9.11.2 + + +
9.11.1-P2 + + +
9.11.1-P1 + + + + +
9.11.1 + + + + + + +
9.11.0-P5 + + + + + + +
9.11.0-P4 + + + + + + + +
9.11.0-P3 + + + + + + + + + +
9.11.0-P2 + + + + + + + + + +
9.11.0-P1 + + + + + + + + + + + + + +
9.11.0 + + + + + + + + + + + + + +

BIND 9.11 Supported Preview edition

If you'd like more information on our product support or about our BIND Subscription version, please visit https://www.isc.org/bind-subscription-2/.

ver/CVE 94 95 96 97 98
9.11.4-S1
9.11.3-S3 +
9.11.3-S2 + + +
9.11.3-S1 + + +