Upstream information

CVE-2017-15091 at MITRE

Description

An issue has been found in the API component of PowerDNS Authoritative 4.x up to and including 4.0.4 and 3.x up to and including 3.4.11, where some operations that have an impact on the state of the server are still allowed even though the API has been configured as read-only via the api-readonly keyword. This missing check allows an attacker with valid API credentials to flush the cache, trigger a zone transfer or send a NOTIFY.

SUSE information

Overall state of this security issue: Does not affect SUSE products

This issue is currently rated as having moderate severity.

CVSS v2 Scores
  National Vulnerability Database
Base Score 5.5
Vector AV:N/AC:L/Au:S/C:N/I:P/A:P
Access Vector Network
Access Complexity Low
Authentication Single
Confidentiality Impact None
Integrity Impact Partial
Availability Impact Partial
SUSE Bugzilla entry: 1069242 [RESOLVED / FIXED]

SUSE Security Advisories:

List of released packages

Product(s) Fixed package version(s) References
openSUSE Leap 42.2
  • pdns >= 3.4.9-5.3.1
  • pdns-backend-ldap >= 3.4.9-5.3.1
  • pdns-backend-ldap-debuginfo >= 3.4.9-5.3.1
  • pdns-backend-lua >= 3.4.9-5.3.1
  • pdns-backend-lua-debuginfo >= 3.4.9-5.3.1
  • pdns-backend-mydns >= 3.4.9-5.3.1
  • pdns-backend-mydns-debuginfo >= 3.4.9-5.3.1
  • pdns-backend-mysql >= 3.4.9-5.3.1
  • pdns-backend-mysql-debuginfo >= 3.4.9-5.3.1
  • pdns-backend-postgresql >= 3.4.9-5.3.1
  • pdns-backend-postgresql-debuginfo >= 3.4.9-5.3.1
  • pdns-backend-sqlite3 >= 3.4.9-5.3.1
  • pdns-backend-sqlite3-debuginfo >= 3.4.9-5.3.1
  • pdns-debuginfo >= 3.4.9-5.3.1
  • pdns-debugsource >= 3.4.9-5.3.1
Patchnames:
openSUSE-2017-1340
openSUSE Leap 42.3
  • pdns >= 4.0.3-9.1
  • pdns-backend-geoip >= 4.0.3-9.1
  • pdns-backend-geoip-debuginfo >= 4.0.3-9.1
  • pdns-backend-godbc >= 4.0.3-9.1
  • pdns-backend-godbc-debuginfo >= 4.0.3-9.1
  • pdns-backend-ldap >= 4.0.3-9.1
  • pdns-backend-ldap-debuginfo >= 4.0.3-9.1
  • pdns-backend-lua >= 4.0.3-9.1
  • pdns-backend-lua-debuginfo >= 4.0.3-9.1
  • pdns-backend-mydns >= 4.0.3-9.1
  • pdns-backend-mydns-debuginfo >= 4.0.3-9.1
  • pdns-backend-mysql >= 4.0.3-9.1
  • pdns-backend-mysql-debuginfo >= 4.0.3-9.1
  • pdns-backend-postgresql >= 4.0.3-9.1
  • pdns-backend-postgresql-debuginfo >= 4.0.3-9.1
  • pdns-backend-remote >= 4.0.3-9.1
  • pdns-backend-remote-debuginfo >= 4.0.3-9.1
  • pdns-backend-sqlite3 >= 4.0.3-9.1
  • pdns-backend-sqlite3-debuginfo >= 4.0.3-9.1
  • pdns-debuginfo >= 4.0.3-9.1
  • pdns-debugsource >= 4.0.3-9.1
Patchnames:
openSUSE-2017-1340