CVE-2018-5738

一、漏洞信息
 漏洞编号：[CVE-2018-5738](https://nvd.nist.gov/vuln/detail/CVE-2018-5738)
 漏洞归属组件：[bind](https://gitee.com/src-openeuler/bind)
 漏洞归属的版本：9.11.21,9.11.4,9.18.21
 CVSS V3.0分值：
  BaseScore：7.5 High
  Vector：CVSS：3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
 漏洞简述：
  Change #4777 (introduced in October 2017) introduced an unforeseen issue in releases which were issued after that date, affecting which clients are permitted to make recursive queries to a BIND nameserver. The intended (and documented) behavior is that if an operator has not specified a value for the  allow-recursion  setting, it SHOULD default to one of the following: none, if  recursion no;  is set in named.conf; a value inherited from the  allow-query-cache  or  allow-query  settings IF  recursion yes;  (the default for that setting) AND match lists are explicitly set for  allow-query-cache  or  allow-query  (see the BIND9 Administrative Reference Manual section 6.2 for more details); or the intended default of  allow-recursion {localhost; localnets;};  if  recursion yes;  is in effect and no values are explicitly set for  allow-query-cache  or  allow-query . However, because of the regression introduced by change #4777, it is possible when  recursion yes;  is in effect and no match list values are provided for  allow-query-cache  or  allow-query  for the setting of  allow-recursion  to inherit a setting of all hosts from the  allow-query  setting default, improperly permitting recursion to all clients. Affects BIND 9.9.12, 9.10.7, 9.11.3, 9.12.0->9.12.1-P2, the development release 9.13.0, and also releases 9.9.12-S1, 9.10.7-S1, 9.11.3-S1, and 9.11.3-S2 from BIND 9 Supported Preview Edition.
 漏洞公开时间：2019-01-17 04:29
 漏洞创建时间：2021-01-05 02:08:54
 漏洞详情参考链接：
  https://nvd.nist.gov/vuln/detail/CVE-2018-5738
<details>
<summary>更多参考(点击展开)</summary>

| 参考来源 | 参考链接 | 来源链接 |
| ------- | -------- | -------- |
| CONFIRM | https://kb.isc.org/docs/aa-01616 |  |
| UBUNTU | https://usn.ubuntu.com/3683-1/ |  |
| SECTRACK | http://www.securitytracker.com/id/1041115 |  |
| GENTOO | https://security.gentoo.org/glsa/201903-13 |  |
| CONFIRM | https://security.netapp.com/advisory/ntap-20190830-0002/ |  |
| redhat | https://access.redhat.com/security/cve/CVE-2018-5738 |  |

</details>

漏洞分析指导链接：
  https://gitee.com/openeuler/cve-manager/blob/master/cve-vulner-manager/doc/md/manual.md
 漏洞数据来源:
  openBrain开源漏洞感知系统
 漏洞补丁信息：
  <details>
<summary>详情(点击展开)</summary>

无
</details>

二、漏洞分析结构反馈
 影响性分析说明：
  该漏洞只影响9.11.3-S1和9.12开发分支，不影响openEuler各分支
 openEuler评分：
  7.5
 Vector：CVSS：3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
 受影响版本排查(受影响/不受影响)：
  1.master(9.18.21):不受影响
2.openEuler-20.03-LTS-SP4(9.11.21):不受影响
3.openEuler-22.03-LTS-SP1(9.16.23):不受影响
4.openEuler-22.03-LTS-SP3(9.16.23):不受影响
5.openEuler-22.03-LTS-SP4(9.16.23):不受影响
6.openEuler-24.03-LTS(9.18.21):不受影响
7.openEuler-24.03-LTS-Next(9.18.21):不受影响
8.openEuler-24.03-LTS-SP1:不受影响

修复是否涉及abi变化(是/否)：
  1.master(9.18.21):否
2.openEuler-20.03-LTS-SP4(9.11.21):否
3.openEuler-22.03-LTS-SP1(9.16.23):否
4.openEuler-22.03-LTS-SP3(9.16.23):否
5.openEuler-22.03-LTS-SP4(9.16.23):否
6.openEuler-24.03-LTS(9.18.21):否
7.openEuler-24.03-LTS-Next(9.18.21):否
8.openEuler-24.03-LTS-SP1:否

原因说明：
  1.master(9.18.21):
2.openEuler-20.03-LTS-SP4(9.11.21):
3.openEuler-22.03-LTS-SP1(9.16.23):
4.openEuler-22.03-LTS-SP3(9.16.23):
5.openEuler-22.03-LTS-SP4(9.16.23):
6.openEuler-24.03-LTS(9.18.21):
7.openEuler-24.03-LTS-Next(9.18.21):
8.openEuler-24.03-LTS-SP1:

src-openEuler/bind

Content Risk Flag

Comments (7)

src-openEuler/bind .gitee-modal { width: 500px !important; }

Content Risk Flag

CVE-2018-5738

Comments (7)

Search

src-openEuler/bind