DNSJava vulnerable to KeyTrap - Denial-of-Service Algorithmic Complexity Attacks
Description
Published to the GitHub Advisory Database: Jul 22, 2024
Reviewed: Jul 22, 2024
Last updated: Nov 18, 2024
Impact
Users using the ValidatingResolver for DNSSEC validation can run into CPU exhaustion with specially crafted DNSSEC-signed zones.
Patches
Users should upgrade to dnsjava v3.6.0
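To find builds that still need the upgrade named above, the following added example (not part of the advisory or of dnsjava) scans `mvn dependency:tree` output for the `dnsjava:dnsjava` artifact and compares each version with 3.6.0. It assumes every version below 3.6.0 should be treated as unpatched, since the page does not list an affected range, and the sample tree and the `com.example` modules are constructed.

```python
import re

FIXED = (3, 6, 0)  # release the advisory says to upgrade to
# Maven coordinate as printed by `mvn dependency:tree`: group:artifact:type[:classifier]:version:scope
COORD = re.compile(r"(?<![\w.-])dnsjava:dnsjava:\S+")

def parse_version(text):
    """Return the leading numeric part of a version as a 3-tuple, or None."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    return tuple(int(p or 0) for p in m.groups()) if m else None

def find_dnsjava(tree_output):
    """Return (version, scope, status) for each dnsjava entry in the tree output."""
    findings = []
    for line in tree_output.splitlines():
        m = COORD.search(line)
        if not m:
            continue
        fields = m.group(0).split(":")
        if len(fields) < 5:  # need at least group:artifact:type:version:scope
            continue
        version, scope = fields[-2], fields[-1]
        parsed = parse_version(version)
        if parsed is None:
            status = "unknown"        # e.g. a property placeholder; check by hand
        elif parsed < FIXED:
            status = "needs-upgrade"  # assumption: everything below 3.6.0 is treated as unpatched
        else:
            status = "fixed"
        findings.append((version, scope, status))
    return findings

# Constructed sample: dependency:tree lines gathered from several modules.
SAMPLE = r"""
[INFO] com.example:resolver-service:jar:1.0.0
[INFO] +- dnsjava:dnsjava:jar:3.5.3:compile
[INFO] |  \- org.slf4j:slf4j-api:jar:1.7.36:compile
[INFO] com.example:legacy-lookup:jar:2.1
[INFO] \- dnsjava:dnsjava:jar:2.1.9:runtime
[INFO] com.example:new-client:jar:4.0
[INFO] \- dnsjava:dnsjava:jar:3.6.0:compile
"""

if __name__ == "__main__":
    for version, scope, status in find_dnsjava(SAMPLE):
        print(f"dnsjava {version} ({scope}): {status}")
```

A "needs-upgrade" result only shows that an older dnsjava is on the classpath; whether the application actually validates DNSSEC through ValidatingResolver still has to be confirmed in the code.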
Workarounds
Although not recommended, using only a non-validating resolver will remove the vulnerability.
References
https://www.athene-center.de/en/keytrap