一、漏洞信息

漏洞编号：[CVE-2023-50387](https://nvd.nist.gov/vuln/detail/CVE-2023-50387)

漏洞归属组件：[dnsmasq](https://gitee.com/src-openeuler/dnsmasq)

漏洞归属的版本：2.82,2.85,2.86,2.88,2.89

CVSS V3.0分值：

BaseScore：7.5 High

Vector：CVSS：3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

漏洞简述：

Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6840, and related RFCs) allow remote attackers to cause a denial of service (CPU consumption) via one or more DNSSEC responses, aka the KeyTrap issue. One of the concerns is that, when there is a zone with many DNSKEY and RRSIG records, the protocol specification implies that an algorithm must evaluate all combinations of DNSKEY and RRSIG records.

漏洞公开时间：2024-02-15 00:15:45

漏洞详情参考链接：

https://nvd.nist.gov/vuln/detail/CVE-2023-50387

<details>

<summary>更多参考(点击展开)</summary>

一、漏洞信息

漏洞编号：[CVE-2023-50387](https://nvd.nist.gov/vuln/detail/CVE-2023-50387)

漏洞归属组件：[dnsmasq](https://gitee.com/src-openeuler/dnsmasq)

漏洞归属的版本：2.82,2.85,2.86,2.88,2.89

CVSS V3.0分值：

BaseScore：7.5 High

Vector：CVSS：3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

漏洞简述：

Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6840, and related RFCs) allow remote attackers to cause a denial of service (CPU consumption) via one or more DNSSEC responses, aka the KeyTrap issue. One of the concerns is that, when there is a zone with many DNSKEY and RRSIG records, the protocol specification implies that an algorithm must evaluate all combinations of DNSKEY and RRSIG records.

漏洞公开时间：2024-02-15 00:15:45

漏洞创建时间：2024-02-21 01:40:04

漏洞详情参考链接：

https://nvd.nist.gov/vuln/detail/CVE-2023-50387

<details>

<summary>更多参考(点击展开)</summary>

| 参考来源 | 参考链接 | 来源链接 |

| ------- | -------- | -------- |

| cve.mitre.org | http://www.openwall.com/lists/oss-security/2024/02/16/2 | |

| cve.mitre.org | http://www.openwall.com/lists/oss-security/2024/02/16/3 | |

| cve.mitre.org | https://access.redhat.com/security/cve/CVE-2023-50387 | |

| cve.mitre.org | https://bugzilla.suse.com/show_bug.cgi?id=1219823 | |

| cve.mitre.org | https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-01.html | |

| cve.mitre.org | https://gitlab.nic.cz/knot/knot-resolver/-/releases/v5.7.1 | |

| cve.mitre.org | https://kb.isc.org/docs/cve-2023-50387 | |

| cve.mitre.org | https://lists.debian.org/debian-lts-announce/2024/02/msg00006.html | |

| cve.mitre.org | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BUIP7T7Z4T3UHLXFWG6XIVDP4GYPD3AI/ | |

| cve.mitre.org | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PNNHZSZPG2E7NBMBNYPGHCFI4V4XRWNQ/ | |

| cve.mitre.org | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SVYA42BLXUCIDLD35YIJPJSHDIADNYMP/ | |

| cve.mitre.org | https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2024q1/017430.html | |

| cve.mitre.org | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-50387 | |

| cve.mitre.org | https://news.ycombinator.com/item?id=39367411 | |

| cve.mitre.org | https://news.ycombinator.com/item?id=39372384 | |

| cve.mitre.org | https://nlnetlabs.nl/news/2024/Feb/13/unbound-1.19.1-released/ | |

| cve.mitre.org | https://www.athene-center.de/aktuelles/key-trap | |

| cve.mitre.org | https://www.athene-center.de/fileadmin/content/PDF/Technical_Report_KeyTrap.pdf | |

| cve.mitre.org | https://www.isc.org/blogs/2024-bind-security-release/ | |

| cve.mitre.org | https://www.securityweek.com/keytrap-dns-attack-could-disable-large-parts-of-internet-researchers/ | |

| cve.mitre.org | https://www.theregister.com/2024/02/13/dnssec_vulnerability_internet/ | |

| redhat_bugzilla | https://fosstodon.org/@tychotithonus@infosec.exchange/111924626751024210 | https://bugzilla.redhat.com/show_bug.cgi?id=2263914 |

| redhat_bugzilla | https://github.com/NLnetLabs/unbound/releases/tag/release-1.19.1 | https://bugzilla.redhat.com/show_bug.cgi?id=2263914 |

| redhat_bugzilla | https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2024q1/017430.html | https://bugzilla.redhat.com/show_bug.cgi?id=2263914 |

| redhat_bugzilla | https://kb.isc.org/docs/cve-2023-50387 | https://bugzilla.redhat.com/show_bug.cgi?id=2263914 |

| redhat_bugzilla | https://www.athene-center.de/en/news/press/key-trap | https://bugzilla.redhat.com/show_bug.cgi?id=2263914 |

| redhat_bugzilla | https://www.knot-resolver.cz/2024-02-13-knot-resolver-5.7.1.html | https://bugzilla.redhat.com/show_bug.cgi?id=2263914 |

| redhat_bugzilla | https://labs.ripe.net/author/haya-shulman/keytrap-algorithmic-complexity-attacks-exploit-fundamental-design-flaw-in-dnssec/ | https://bugzilla.redhat.com/show_bug.cgi?id=2263914 |

| redhat_bugzilla | https://lists.dns-oarc.net/pipermail/dns-operations/2024-February/022436.html | https://bugzilla.redhat.com/show_bug.cgi?id=2263914 |

| redhat_bugzilla | https://www.isc.org/blogs/2024-bind-security-release/ | https://bugzilla.redhat.com/show_bug.cgi?id=2263914 |

| bind | | https://kb.isc.org/v1/docs/cve-2023-50387 |

| cve_search | | https://www.athene-center.de/aktuelles/key-trap |

| cve_search | | https://nlnetlabs.nl/news/2024/Feb/13/unbound-1.19.1-released/ |

| cve_search | | https://kb.isc.org/docs/cve-2023-50387 |

| cve_search | | https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-01.html |

| cve_search | | https://www.theregister.com/2024/02/13/dnssec_vulnerability_internet/ |

| cve_search | | https://news.ycombinator.com/item?id=39367411 |

| cve_search | | https://www.securityweek.com/keytrap-dns-attack-could-disable-large-parts-of-internet-researchers/ |

| cve_search | | https://www.isc.org/blogs/2024-bind-security-release/ |

| cve_search | | https://news.ycombinator.com/item?id=39372384 |

| cve_search | | https://gitlab.nic.cz/knot/knot-resolver/-/releases/v5.7.1 |

| cve_search | | https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2024q1/017430.html |

| cve_search | | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-50387 |

| cve_search | | https://access.redhat.com/security/cve/CVE-2023-50387 |

| cve_search | | https://bugzilla.suse.com/show_bug.cgi?id=1219823 |

| cve_search | | https://www.athene-center.de/fileadmin/content/PDF/Technical_Report_KeyTrap.pdf |

| cve_search | | http://www.openwall.com/lists/oss-security/2024/02/16/2 |

| cve_search | | http://www.openwall.com/lists/oss-security/2024/02/16/3 |

| cve_search | | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SVYA42BLXUCIDLD35YIJPJSHDIADNYMP/ |

| cve_search | | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BUIP7T7Z4T3UHLXFWG6XIVDP4GYPD3AI/ |

| cve_search | | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PNNHZSZPG2E7NBMBNYPGHCFI4V4XRWNQ/ |

</details>

漏洞分析指导链接：

https://gitee.com/openeuler/cve-manager/blob/master/cve-vulner-manager/doc/md/manual.md

漏洞数据来源:

其它

漏洞补丁信息：

<details>

<summary>详情(点击展开)</summary>

| 影响的包 | 修复版本 | 修复补丁 | 问题引入补丁 | 来源 |

| ------- | -------- | ------- | -------- | --------- |

| | | https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=3ae7f1ab0d847b17fdc95fd0e5b3120f66dc3af9 | | snyk |

| | | http://www.openwall.com/lists/oss-security/2024/02/16/2 | | nvd |

| | | http://www.openwall.com/lists/oss-security/2024/02/16/3 | | nvd |

| | | https://access.redhat.com/security/cve/CVE-2023-50387 | | nvd |

| | | https://bugzilla.suse.com/show_bug.cgi?id=1219823 | | nvd |

| | | https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-01.html | | nvd |

| | | https://gitlab.nic.cz/knot/knot-resolver/-/releases/v5.7.1 | | nvd |

| | | https://kb.isc.org/docs/cve-2023-50387 | | nvd |

| | | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BUIP7T7Z4T3UHLXFWG6XIVDP4GYPD3AI/ | | nvd |

| | | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PNNHZSZPG2E7NBMBNYPGHCFI4V4XRWNQ/ | | nvd |

| | | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SVYA42BLXUCIDLD35YIJPJSHDIADNYMP/ | | nvd |

| | | https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2024q1/017430.html | | nvd |

| | | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-50387 | | nvd |

| | | https://news.ycombinator.com/item?id=39367411 | | nvd |

| | | https://news.ycombinator.com/item?id=39372384 | | nvd |

| | | https://nlnetlabs.nl/news/2024/Feb/13/unbound-1.19.1-released/ | | nvd |

| | | https://www.athene-center.de/aktuelles/key-trap | | nvd |

| | | https://www.athene-center.de/fileadmin/content/PDF/Technical_Report_KeyTrap.pdf | | nvd |

| | | https://www.isc.org/blogs/2024-bind-security-release/ | | nvd |

| | | https://www.securityweek.com/keytrap-dns-attack-could-disable-large-parts-of-internet-researchers/ | | nvd |

| | | https://www.theregister.com/2024/02/13/dnssec_vulnerability_internet/ | | nvd |

| | | https://www.nlnetlabs.nl/downloads/unbound/patch_CVE-2023-50387_CVE-2023-50868.diff | | unbound |

</details>

二、漏洞分析结构反馈

影响性分析说明：

openEuler评分：

受影响版本排查(受影响/不受影响)：

1.master(2.89):

2.openEuler-20.03-LTS-SP1(2.82):

3.openEuler-20.03-LTS-SP4(2.82):

4.openEuler-22.03-LTS(2.86):

5.openEuler-22.03-LTS-Next(2.86):

6.openEuler-22.03-LTS-SP1(2.86):

7.openEuler-22.03-LTS-SP2(2.86):

8.openEuler-22.03-LTS-SP3(2.86):

修复是否涉及abi变化(是/否)：

1.master(2.89):

2.openEuler-20.03-LTS-SP1(2.82):

3.openEuler-20.03-LTS-SP4(2.82):

4.openEuler-22.03-LTS(2.86):

5.openEuler-22.03-LTS-Next(2.86):

6.openEuler-22.03-LTS-SP1(2.86):

7.openEuler-22.03-LTS-SP2(2.86):

8.openEuler-22.03-LTS-SP3(2.86):

一、漏洞信息

漏洞编号：[CVE-2023-50387](https://nvd.nist.gov/vuln/detail/CVE-2023-50387)

漏洞归属组件：[dnsmasq](https://gitee.com/src-openeuler/dnsmasq)

漏洞归属的版本：2.82,2.85,2.86,2.88,2.89

CVSS V3.0分值：

BaseScore：7.5 High

Vector：CVSS：3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

漏洞简述：

Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6840, and related RFCs) allow remote attackers to cause a denial of service (CPU consumption) via one or more DNSSEC responses, aka the KeyTrap issue. One of the concerns is that, when there is a zone with many DNSKEY and RRSIG records, the protocol specification implies that an algorithm must evaluate all combinations of DNSKEY and RRSIG records.

漏洞公开时间：2024-02-15 00:15:45

漏洞创建时间：2024-02-21 01:40:04

漏洞详情参考链接：

https://nvd.nist.gov/vuln/detail/CVE-2023-50387

<details>

<summary>更多参考(点击展开)</summary>

| 参考来源 | 参考链接 | 来源链接 |

| ------- | -------- | -------- |

| cve.mitre.org | http://www.openwall.com/lists/oss-security/2024/02/16/2 | |

| cve.mitre.org | http://www.openwall.com/lists/oss-security/2024/02/16/3 | |

| cve.mitre.org | https://access.redhat.com/security/cve/CVE-2023-50387 | |

| cve.mitre.org | https://bugzilla.suse.com/show_bug.cgi?id=1219823 | |

| cve.mitre.org | https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-01.html | |

| cve.mitre.org | https://gitlab.nic.cz/knot/knot-resolver/-/releases/v5.7.1 | |

| cve.mitre.org | https://kb.isc.org/docs/cve-2023-50387 | |

| cve.mitre.org | https://lists.debian.org/debian-lts-announce/2024/02/msg00006.html | |

| cve.mitre.org | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BUIP7T7Z4T3UHLXFWG6XIVDP4GYPD3AI/ | |

| cve.mitre.org | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PNNHZSZPG2E7NBMBNYPGHCFI4V4XRWNQ/ | |

| cve.mitre.org | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SVYA42BLXUCIDLD35YIJPJSHDIADNYMP/ | |

| cve.mitre.org | https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2024q1/017430.html | |

| cve.mitre.org | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-50387 | |

| cve.mitre.org | https://news.ycombinator.com/item?id=39367411 | |

| cve.mitre.org | https://news.ycombinator.com/item?id=39372384 | |

| cve.mitre.org | https://nlnetlabs.nl/news/2024/Feb/13/unbound-1.19.1-released/ | |

| cve.mitre.org | https://www.athene-center.de/aktuelles/key-trap | |

| cve.mitre.org | https://www.athene-center.de/fileadmin/content/PDF/Technical_Report_KeyTrap.pdf | |

| cve.mitre.org | https://www.isc.org/blogs/2024-bind-security-release/ | |

| cve.mitre.org | https://www.securityweek.com/keytrap-dns-attack-could-disable-large-parts-of-internet-researchers/ | |

| cve.mitre.org | https://www.theregister.com/2024/02/13/dnssec_vulnerability_internet/ | |

| redhat_bugzilla | https://fosstodon.org/@tychotithonus@infosec.exchange/111924626751024210 | https://bugzilla.redhat.com/show_bug.cgi?id=2263914 |

| redhat_bugzilla | https://github.com/NLnetLabs/unbound/releases/tag/release-1.19.1 | https://bugzilla.redhat.com/show_bug.cgi?id=2263914 |

| redhat_bugzilla | https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2024q1/017430.html | https://bugzilla.redhat.com/show_bug.cgi?id=2263914 |

| redhat_bugzilla | https://kb.isc.org/docs/cve-2023-50387 | https://bugzilla.redhat.com/show_bug.cgi?id=2263914 |

| redhat_bugzilla | https://www.athene-center.de/en/news/press/key-trap | https://bugzilla.redhat.com/show_bug.cgi?id=2263914 |

| redhat_bugzilla | https://www.knot-resolver.cz/2024-02-13-knot-resolver-5.7.1.html | https://bugzilla.redhat.com/show_bug.cgi?id=2263914 |

| redhat_bugzilla | https://labs.ripe.net/author/haya-shulman/keytrap-algorithmic-complexity-attacks-exploit-fundamental-design-flaw-in-dnssec/ | https://bugzilla.redhat.com/show_bug.cgi?id=2263914 |

| redhat_bugzilla | https://lists.dns-oarc.net/pipermail/dns-operations/2024-February/022436.html | https://bugzilla.redhat.com/show_bug.cgi?id=2263914 |

| redhat_bugzilla | https://www.isc.org/blogs/2024-bind-security-release/ | https://bugzilla.redhat.com/show_bug.cgi?id=2263914 |

| bind | | https://kb.isc.org/v1/docs/cve-2023-50387 |

| cve_search | | https://www.athene-center.de/aktuelles/key-trap |

| cve_search | | https://nlnetlabs.nl/news/2024/Feb/13/unbound-1.19.1-released/ |

| cve_search | | https://kb.isc.org/docs/cve-2023-50387 |

| cve_search | | https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-01.html |

| cve_search | | https://www.theregister.com/2024/02/13/dnssec_vulnerability_internet/ |

| cve_search | | https://news.ycombinator.com/item?id=39367411 |

| cve_search | | https://www.securityweek.com/keytrap-dns-attack-could-disable-large-parts-of-internet-researchers/ |

| cve_search | | https://www.isc.org/blogs/2024-bind-security-release/ |

| cve_search | | https://news.ycombinator.com/item?id=39372384 |

| cve_search | | https://gitlab.nic.cz/knot/knot-resolver/-/releases/v5.7.1 |

| cve_search | | https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2024q1/017430.html |

| cve_search | | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-50387 |

| cve_search | | https://access.redhat.com/security/cve/CVE-2023-50387 |

| cve_search | | https://bugzilla.suse.com/show_bug.cgi?id=1219823 |

| cve_search | | https://www.athene-center.de/fileadmin/content/PDF/Technical_Report_KeyTrap.pdf |

| cve_search | | http://www.openwall.com/lists/oss-security/2024/02/16/2 |

| cve_search | | http://www.openwall.com/lists/oss-security/2024/02/16/3 |

| cve_search | | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SVYA42BLXUCIDLD35YIJPJSHDIADNYMP/ |

| cve_search | | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BUIP7T7Z4T3UHLXFWG6XIVDP4GYPD3AI/ |

| cve_search | | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PNNHZSZPG2E7NBMBNYPGHCFI4V4XRWNQ/ |

| cve_search | | https://lists.debian.org/debian-lts-announce/2024/02/msg00006.html |

| mageia | | http://advisories.mageia.org/MGASA-2024-0038.html |

| osv | https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-01.html | https://osv.dev/vulnerability/CVE-2023-50387 |

| osv | https://www.isc.org/blogs/2024-bind-security-release/ | https://osv.dev/vulnerability/CVE-2023-50387 |

| osv | https://bugzilla.suse.com/show_bug.cgi?id=1219823 | https://osv.dev/vulnerability/CVE-2023-50387 |

| osv | http://www.openwall.com/lists/oss-security/2024/02/16/2 | https://osv.dev/vulnerability/CVE-2023-50387 |

| osv | http://www.openwall.com/lists/oss-security/2024/02/16/3 | https://osv.dev/vulnerability/CVE-2023-50387 |

| osv | https://access.redhat.com/security/cve/CVE-2023-50387 | https://osv.dev/vulnerability/CVE-2023-50387 |

| osv | https://gitlab.nic.cz/knot/knot-resolver/-/releases/v5.7.1 | https://osv.dev/vulnerability/CVE-2023-50387 |

| osv | https://kb.isc.org/docs/cve-2023-50387 | https://osv.dev/vulnerability/CVE-2023-50387 |

| osv | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SVYA42BLXUCIDLD35YIJPJSHDIADNYMP/ | https://osv.dev/vulnerability/CVE-2023-50387 |

| osv | https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2024q1/017430.html | https://osv.dev/vulnerability/CVE-2023-50387 |

| osv | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-50387 | https://osv.dev/vulnerability/CVE-2023-50387 |

| osv | https://news.ycombinator.com/item?id=39367411 | https://osv.dev/vulnerability/CVE-2023-50387 |

| osv | https://news.ycombinator.com/item?id=39372384 | https://osv.dev/vulnerability/CVE-2023-50387 |

| osv | https://nlnetlabs.nl/news/2024/Feb/13/unbound-1.19.1-released/ | https://osv.dev/vulnerability/CVE-2023-50387 |

| osv | https://www.athene-center.de/aktuelles/key-trap | https://osv.dev/vulnerability/CVE-2023-50387 |

| osv | https://www.athene-center.de/fileadmin/content/PDF/Technical_Report_KeyTrap.pdf | https://osv.dev/vulnerability/CVE-2023-50387 |

| osv | https://www.securityweek.com/keytrap-dns-attack-could-disable-large-parts-of-internet-researchers/ | https://osv.dev/vulnerability/CVE-2023-50387 |

| osv | https://www.theregister.com/2024/02/13/dnssec_vulnerability_internet/ | https://osv.dev/vulnerability/CVE-2023-50387 |

| amazon_linux_explore | https://access.redhat.com/security/cve/CVE-2023-50387 | https://explore.alas.aws.amazon.com/CVE-2023-50387.html |

| amazon_linux_explore | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-50387 | https://explore.alas.aws.amazon.com/CVE-2023-50387.html |

| snyk | https://kb.isc.org/docs/cve-2023-50387 | https://security.snyk.io/vuln/SNYK-UNMANAGED-BIND-6245757 |

| snyk | https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=3ae7f1ab0d847b17fdc95fd0e5b3120f66dc3af9 | https://security.snyk.io/vuln/SNYK-UNMANAGED-BIND-6245757 |

| snyk | https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2024q1/017430.html | https://security.snyk.io/vuln/SNYK-UNMANAGED-BIND-6245757 |

| snyk | https://kb.isc.org/docs/cve-2023-50387 | https://security.snyk.io/vuln/SNYK-UNMANAGED-DNSMASQ-6245756 |

| snyk | https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=3ae7f1ab0d847b17fdc95fd0e5b3120f66dc3af9 | https://security.snyk.io/vuln/SNYK-UNMANAGED-DNSMASQ-6245756 |

| snyk | https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2024q1/017430.html | https://security.snyk.io/vuln/SNYK-UNMANAGED-DNSMASQ-6245756 |

| cve.mitre.org | http://www.openwall.com/lists/oss-security/2024/02/16/2 | |

| cve.mitre.org | http://www.openwall.com/lists/oss-security/2024/02/16/3 | |

| cve.mitre.org | https://access.redhat.com/security/cve/CVE-2023-50387 | |

| cve.mitre.org | https://bugzilla.suse.com/show_bug.cgi?id=1219823 | |

| cve.mitre.org | https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-01.html | |

| cve.mitre.org | https://gitlab.nic.cz/knot/knot-resolver/-/releases/v5.7.1 | |

| cve.mitre.org | https://kb.isc.org/docs/cve-2023-50387 | |

| cve.mitre.org | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BUIP7T7Z4T3UHLXFWG6XIVDP4GYPD3AI/ | |

| cve.mitre.org | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PNNHZSZPG2E7NBMBNYPGHCFI4V4XRWNQ/ | |

| cve.mitre.org | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SVYA42BLXUCIDLD35YIJPJSHDIADNYMP/ | |

| cve.mitre.org | https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2024q1/017430.html | |

| cve.mitre.org | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-50387 | |

| cve.mitre.org | https://news.ycombinator.com/item?id=39367411 | |

| cve.mitre.org | https://news.ycombinator.com/item?id=39372384 | |

| cve.mitre.org | https://nlnetlabs.nl/news/2024/Feb/13/unbound-1.19.1-released/ | |

| cve.mitre.org | https://www.athene-center.de/aktuelles/key-trap | |

| cve.mitre.org | https://www.athene-center.de/fileadmin/content/PDF/Technical_Report_KeyTrap.pdf | |

| cve.mitre.org | https://www.isc.org/blogs/2024-bind-security-release/ | |

| cve.mitre.org | https://www.securityweek.com/keytrap-dns-attack-could-disable-large-parts-of-internet-researchers/ | |

| cve.mitre.org | https://www.theregister.com/2024/02/13/dnssec_vulnerability_internet/ | |

| cve_search | | https://datatracker.ietf.org/doc/html/rfc4035 |

</details>

漏洞分析指导链接：

https://gitee.com/openeuler/cve-manager/blob/master/cve-vulner-manager/doc/md/manual.md

漏洞数据来源:

其它

漏洞补丁信息：

<details>

<summary>详情(点击展开)</summary>

| 影响的包 | 修复版本 | 修复补丁 | 问题引入补丁 | 来源 |

| ------- | -------- | ------- | -------- | --------- |

| | | https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=3ae7f1ab0d847b17fdc95fd0e5b3120f66dc3af9 | | snyk |

| | | http://www.openwall.com/lists/oss-security/2024/02/16/2 | | nvd |

| | | http://www.openwall.com/lists/oss-security/2024/02/16/3 | | nvd |

| | | https://access.redhat.com/security/cve/CVE-2023-50387 | | nvd |

| | | https://bugzilla.suse.com/show_bug.cgi?id=1219823 | | nvd |

| | | https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-01.html | | nvd |

| | | https://gitlab.nic.cz/knot/knot-resolver/-/releases/v5.7.1 | | nvd |

| | | https://kb.isc.org/docs/cve-2023-50387 | | nvd |

| | | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BUIP7T7Z4T3UHLXFWG6XIVDP4GYPD3AI/ | | nvd |

| | | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PNNHZSZPG2E7NBMBNYPGHCFI4V4XRWNQ/ | | nvd |

| | | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SVYA42BLXUCIDLD35YIJPJSHDIADNYMP/ | | nvd |

| | | https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2024q1/017430.html | | nvd |

| | | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-50387 | | nvd |

| | | https://news.ycombinator.com/item?id=39367411 | | nvd |

| | | https://news.ycombinator.com/item?id=39372384 | | nvd |

| | | https://nlnetlabs.nl/news/2024/Feb/13/unbound-1.19.1-released/ | | nvd |

| | | https://www.athene-center.de/aktuelles/key-trap | | nvd |

| | | https://www.athene-center.de/fileadmin/content/PDF/Technical_Report_KeyTrap.pdf | | nvd |

| | | https://www.isc.org/blogs/2024-bind-security-release/ | | nvd |

| | | https://www.securityweek.com/keytrap-dns-attack-could-disable-large-parts-of-internet-researchers/ | | nvd |

| | | https://www.theregister.com/2024/02/13/dnssec_vulnerability_internet/ | | nvd |

| | | https://www.nlnetlabs.nl/downloads/unbound/patch_CVE-2023-50387_CVE-2023-50868.diff | | unbound |

</details>

二、漏洞分析结构反馈

影响性分析说明：

openEuler评分：

一、漏洞信息

漏洞编号：[CVE-2023-50387](https://nvd.nist.gov/vuln/detail/CVE-2023-50387)

漏洞归属组件：[dnsmasq](https://gitee.com/src-openeuler/dnsmasq)

漏洞归属的版本：2.82,2.85,2.86,2.88,2.89

CVSS V3.0分值：

BaseScore：7.5 High

Vector：CVSS：3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

漏洞简述：

Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6840, and related RFCs) allow remote attackers to cause a denial of service (CPU consumption) via one or more DNSSEC responses, aka the KeyTrap issue. One of the concerns is that, when there is a zone with many DNSKEY and RRSIG records, the protocol specification implies that an algorithm must evaluate all combinations of DNSKEY and RRSIG records.

漏洞公开时间：2024-02-15 00:15:45

漏洞创建时间：2024-02-21 01:40:04

漏洞详情参考链接：

https://nvd.nist.gov/vuln/detail/CVE-2023-50387

<details>

<summary>更多参考(点击展开)</summary>

| 参考来源 | 参考链接 | 来源链接 |

| ------- | -------- | -------- |

| cve.mitre.org | http://www.openwall.com/lists/oss-security/2024/02/16/2 | |

| cve.mitre.org | http://www.openwall.com/lists/oss-security/2024/02/16/3 | |

| cve.mitre.org | https://access.redhat.com/security/cve/CVE-2023-50387 | |

| cve.mitre.org | https://bugzilla.suse.com/show_bug.cgi?id=1219823 | |

| cve.mitre.org | https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-01.html | |

| cve.mitre.org | https://gitlab.nic.cz/knot/knot-resolver/-/releases/v5.7.1 | |

| cve.mitre.org | https://kb.isc.org/docs/cve-2023-50387 | |

| cve.mitre.org | https://lists.debian.org/debian-lts-announce/2024/02/msg00006.html | |

| cve.mitre.org | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BUIP7T7Z4T3UHLXFWG6XIVDP4GYPD3AI/ | |

| cve.mitre.org | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PNNHZSZPG2E7NBMBNYPGHCFI4V4XRWNQ/ | |

| cve.mitre.org | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SVYA42BLXUCIDLD35YIJPJSHDIADNYMP/ | |

| cve.mitre.org | https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2024q1/017430.html | |

| cve.mitre.org | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-50387 | |

| cve.mitre.org | https://news.ycombinator.com/item?id=39367411 | |

| cve.mitre.org | https://news.ycombinator.com/item?id=39372384 | |

| cve.mitre.org | https://nlnetlabs.nl/news/2024/Feb/13/unbound-1.19.1-released/ | |

| cve.mitre.org | https://www.athene-center.de/aktuelles/key-trap | |

| cve.mitre.org | https://www.athene-center.de/fileadmin/content/PDF/Technical_Report_KeyTrap.pdf | |

| cve.mitre.org | https://www.isc.org/blogs/2024-bind-security-release/ | |

| cve.mitre.org | https://www.securityweek.com/keytrap-dns-attack-could-disable-large-parts-of-internet-researchers/ | |

| cve.mitre.org | https://www.theregister.com/2024/02/13/dnssec_vulnerability_internet/ | |

| redhat_bugzilla | https://fosstodon.org/@tychotithonus@infosec.exchange/111924626751024210 | https://bugzilla.redhat.com/show_bug.cgi?id=2263914 |

| redhat_bugzilla | https://github.com/NLnetLabs/unbound/releases/tag/release-1.19.1 | https://bugzilla.redhat.com/show_bug.cgi?id=2263914 |

| redhat_bugzilla | https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2024q1/017430.html | https://bugzilla.redhat.com/show_bug.cgi?id=2263914 |

| redhat_bugzilla | https://kb.isc.org/docs/cve-2023-50387 | https://bugzilla.redhat.com/show_bug.cgi?id=2263914 |

| redhat_bugzilla | https://www.athene-center.de/en/news/press/key-trap | https://bugzilla.redhat.com/show_bug.cgi?id=2263914 |

| redhat_bugzilla | https://www.knot-resolver.cz/2024-02-13-knot-resolver-5.7.1.html | https://bugzilla.redhat.com/show_bug.cgi?id=2263914 |

| redhat_bugzilla | https://labs.ripe.net/author/haya-shulman/keytrap-algorithmic-complexity-attacks-exploit-fundamental-design-flaw-in-dnssec/ | https://bugzilla.redhat.com/show_bug.cgi?id=2263914 |

| redhat_bugzilla | https://lists.dns-oarc.net/pipermail/dns-operations/2024-February/022436.html | https://bugzilla.redhat.com/show_bug.cgi?id=2263914 |

| redhat_bugzilla | https://www.isc.org/blogs/2024-bind-security-release/ | https://bugzilla.redhat.com/show_bug.cgi?id=2263914 |

| bind | | https://kb.isc.org/v1/docs/cve-2023-50387 |

| cve_search | | https://www.athene-center.de/aktuelles/key-trap |

| cve_search | | https://nlnetlabs.nl/news/2024/Feb/13/unbound-1.19.1-released/ |

| cve_search | | https://kb.isc.org/docs/cve-2023-50387 |

| cve_search | | https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-01.html |

| cve_search | | https://www.theregister.com/2024/02/13/dnssec_vulnerability_internet/ |

| cve_search | | https://news.ycombinator.com/item?id=39367411 |

| cve_search | | https://www.securityweek.com/keytrap-dns-attack-could-disable-large-parts-of-internet-researchers/ |

| cve_search | | https://www.isc.org/blogs/2024-bind-security-release/ |

| cve_search | | https://news.ycombinator.com/item?id=39372384 |

| cve_search | | https://gitlab.nic.cz/knot/knot-resolver/-/releases/v5.7.1 |

| cve_search | | https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2024q1/017430.html |

| cve_search | | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-50387 |

| cve_search | | https://access.redhat.com/security/cve/CVE-2023-50387 |

| cve_search | | https://bugzilla.suse.com/show_bug.cgi?id=1219823 |

| cve_search | | https://www.athene-center.de/fileadmin/content/PDF/Technical_Report_KeyTrap.pdf |

| cve_search | | http://www.openwall.com/lists/oss-security/2024/02/16/2 |

| cve_search | | http://www.openwall.com/lists/oss-security/2024/02/16/3 |

| cve_search | | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SVYA42BLXUCIDLD35YIJPJSHDIADNYMP/ |

| cve_search | | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BUIP7T7Z4T3UHLXFWG6XIVDP4GYPD3AI/ |

| cve_search | | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PNNHZSZPG2E7NBMBNYPGHCFI4V4XRWNQ/ |

| cve_search | | https://lists.debian.org/debian-lts-announce/2024/02/msg00006.html |

| mageia | | http://advisories.mageia.org/MGASA-2024-0038.html |

| osv | https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-01.html | https://osv.dev/vulnerability/CVE-2023-50387 |

| osv | https://www.isc.org/blogs/2024-bind-security-release/ | https://osv.dev/vulnerability/CVE-2023-50387 |

| osv | https://bugzilla.suse.com/show_bug.cgi?id=1219823 | https://osv.dev/vulnerability/CVE-2023-50387 |

| osv | http://www.openwall.com/lists/oss-security/2024/02/16/2 | https://osv.dev/vulnerability/CVE-2023-50387 |

| osv | http://www.openwall.com/lists/oss-security/2024/02/16/3 | https://osv.dev/vulnerability/CVE-2023-50387 |

| osv | https://access.redhat.com/security/cve/CVE-2023-50387 | https://osv.dev/vulnerability/CVE-2023-50387 |

| osv | https://gitlab.nic.cz/knot/knot-resolver/-/releases/v5.7.1 | https://osv.dev/vulnerability/CVE-2023-50387 |

| osv | https://kb.isc.org/docs/cve-2023-50387 | https://osv.dev/vulnerability/CVE-2023-50387 |

| osv | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SVYA42BLXUCIDLD35YIJPJSHDIADNYMP/ | https://osv.dev/vulnerability/CVE-2023-50387 |

| osv | https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2024q1/017430.html | https://osv.dev/vulnerability/CVE-2023-50387 |

| osv | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-50387 | https://osv.dev/vulnerability/CVE-2023-50387 |

| osv | https://news.ycombinator.com/item?id=39367411 | https://osv.dev/vulnerability/CVE-2023-50387 |

| osv | https://news.ycombinator.com/item?id=39372384 | https://osv.dev/vulnerability/CVE-2023-50387 |

| osv | https://nlnetlabs.nl/news/2024/Feb/13/unbound-1.19.1-released/ | https://osv.dev/vulnerability/CVE-2023-50387 |

| osv | https://www.athene-center.de/aktuelles/key-trap | https://osv.dev/vulnerability/CVE-2023-50387 |

| osv | https://www.athene-center.de/fileadmin/content/PDF/Technical_Report_KeyTrap.pdf | https://osv.dev/vulnerability/CVE-2023-50387 |

| osv | https://www.securityweek.com/keytrap-dns-attack-could-disable-large-parts-of-internet-researchers/ | https://osv.dev/vulnerability/CVE-2023-50387 |

| osv | https://www.theregister.com/2024/02/13/dnssec_vulnerability_internet/ | https://osv.dev/vulnerability/CVE-2023-50387 |

| amazon_linux_explore | https://access.redhat.com/security/cve/CVE-2023-50387 | https://explore.alas.aws.amazon.com/CVE-2023-50387.html |

| amazon_linux_explore | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-50387 | https://explore.alas.aws.amazon.com/CVE-2023-50387.html |

| snyk | https://kb.isc.org/docs/cve-2023-50387 | https://security.snyk.io/vuln/SNYK-UNMANAGED-BIND-6245757 |

| snyk | https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=3ae7f1ab0d847b17fdc95fd0e5b3120f66dc3af9 | https://security.snyk.io/vuln/SNYK-UNMANAGED-BIND-6245757 |

| snyk | https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2024q1/017430.html | https://security.snyk.io/vuln/SNYK-UNMANAGED-BIND-6245757 |

| snyk | https://kb.isc.org/docs/cve-2023-50387 | https://security.snyk.io/vuln/SNYK-UNMANAGED-DNSMASQ-6245756 |

| snyk | https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=3ae7f1ab0d847b17fdc95fd0e5b3120f66dc3af9 | https://security.snyk.io/vuln/SNYK-UNMANAGED-DNSMASQ-6245756 |

| snyk | https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2024q1/017430.html | https://security.snyk.io/vuln/SNYK-UNMANAGED-DNSMASQ-6245756 |

| cve.mitre.org | http://www.openwall.com/lists/oss-security/2024/02/16/2 | |

| cve.mitre.org | http://www.openwall.com/lists/oss-security/2024/02/16/3 | |

| cve.mitre.org | https://access.redhat.com/security/cve/CVE-2023-50387 | |

| cve.mitre.org | https://bugzilla.suse.com/show_bug.cgi?id=1219823 | |

| cve.mitre.org | https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-01.html | |

| cve.mitre.org | https://gitlab.nic.cz/knot/knot-resolver/-/releases/v5.7.1 | |

| cve.mitre.org | https://kb.isc.org/docs/cve-2023-50387 | |

| cve.mitre.org | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BUIP7T7Z4T3UHLXFWG6XIVDP4GYPD3AI/ | |

| cve.mitre.org | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PNNHZSZPG2E7NBMBNYPGHCFI4V4XRWNQ/ | |

| cve.mitre.org | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SVYA42BLXUCIDLD35YIJPJSHDIADNYMP/ | |

| cve.mitre.org | https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2024q1/017430.html | |

| cve.mitre.org | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-50387 | |

| cve.mitre.org | https://news.ycombinator.com/item?id=39367411 | |

| cve.mitre.org | https://news.ycombinator.com/item?id=39372384 | |

| cve.mitre.org | https://nlnetlabs.nl/news/2024/Feb/13/unbound-1.19.1-released/ | |

| cve.mitre.org | https://www.athene-center.de/aktuelles/key-trap | |

| cve.mitre.org | https://www.athene-center.de/fileadmin/content/PDF/Technical_Report_KeyTrap.pdf | |

| cve.mitre.org | https://www.isc.org/blogs/2024-bind-security-release/ | |

| cve.mitre.org | https://www.securityweek.com/keytrap-dns-attack-could-disable-large-parts-of-internet-researchers/ | |

| cve.mitre.org | https://www.theregister.com/2024/02/13/dnssec_vulnerability_internet/ | |

| cve_search | | https://datatracker.ietf.org/doc/html/rfc4035 |

</details>

漏洞分析指导链接：

https://gitee.com/openeuler/cve-manager/blob/master/cve-vulner-manager/doc/md/manual.md

漏洞数据来源:

其它

漏洞补丁信息：

<details>

<summary>详情(点击展开)</summary>

| 影响的包 | 修复版本 | 修复补丁 | 问题引入补丁 | 来源 |

| ------- | -------- | ------- | -------- | --------- |

| | | https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=3ae7f1ab0d847b17fdc95fd0e5b3120f66dc3af9 | | snyk |

| | | http://www.openwall.com/lists/oss-security/2024/02/16/2 | | nvd |

| | | http://www.openwall.com/lists/oss-security/2024/02/16/3 | | nvd |

| | | https://access.redhat.com/security/cve/CVE-2023-50387 | | nvd |

| | | https://bugzilla.suse.com/show_bug.cgi?id=1219823 | | nvd |

| | | https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-01.html | | nvd |

| | | https://gitlab.nic.cz/knot/knot-resolver/-/releases/v5.7.1 | | nvd |

| | | https://kb.isc.org/docs/cve-2023-50387 | | nvd |

| | | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BUIP7T7Z4T3UHLXFWG6XIVDP4GYPD3AI/ | | nvd |

| | | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PNNHZSZPG2E7NBMBNYPGHCFI4V4XRWNQ/ | | nvd |

| | | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SVYA42BLXUCIDLD35YIJPJSHDIADNYMP/ | | nvd |

| | | https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2024q1/017430.html | | nvd |

| | | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-50387 | | nvd |

| | | https://news.ycombinator.com/item?id=39367411 | | nvd |

| | | https://news.ycombinator.com/item?id=39372384 | | nvd |

| | | https://nlnetlabs.nl/news/2024/Feb/13/unbound-1.19.1-released/ | | nvd |

| | | https://www.athene-center.de/aktuelles/key-trap | | nvd |

| | | https://www.athene-center.de/fileadmin/content/PDF/Technical_Report_KeyTrap.pdf | | nvd |

| | | https://www.isc.org/blogs/2024-bind-security-release/ | | nvd |

| | | https://www.securityweek.com/keytrap-dns-attack-could-disable-large-parts-of-internet-researchers/ | | nvd |

| | | https://www.theregister.com/2024/02/13/dnssec_vulnerability_internet/ | | nvd |

| | | https://www.nlnetlabs.nl/downloads/unbound/patch_CVE-2023-50387_CVE-2023-50868.diff | | unbound |

</details>

二、漏洞分析结构反馈

影响性分析说明：

openEuler评分：

7.5

Vector：CVSS：3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

受影响版本排查(受影响/不受影响)：

修复是否涉及abi变化(是/否)：

一、漏洞信息

漏洞编号：[CVE-2023-50387](https://nvd.nist.gov/vuln/detail/CVE-2023-50387)

漏洞归属组件：[dnsmasq](https://gitee.com/src-openeuler/dnsmasq)

漏洞归属的版本：2.82,2.85,2.86,2.88,2.89

CVSS V3.0分值：

BaseScore：7.5 High

Vector：CVSS：3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

漏洞简述：

Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6840, and related RFCs) allow remote attackers to cause a denial of service (CPU consumption) via one or more DNSSEC responses, aka the KeyTrap issue. One of the concerns is that, when there is a zone with many DNSKEY and RRSIG records, the protocol specification implies that an algorithm must evaluate all combinations of DNSKEY and RRSIG records.

漏洞公开时间：2024-02-15 00:15:45

漏洞创建时间：2024-02-21 01:40:04

漏洞详情参考链接：

https://nvd.nist.gov/vuln/detail/CVE-2023-50387

<details>

<summary>更多参考(点击展开)</summary>

| 参考来源 | 参考链接 | 来源链接 |

| ------- | -------- | -------- |

| cve.mitre.org | http://www.openwall.com/lists/oss-security/2024/02/16/2 | |

| cve.mitre.org | http://www.openwall.com/lists/oss-security/2024/02/16/3 | |

| cve.mitre.org | https://access.redhat.com/security/cve/CVE-2023-50387 | |

| cve.mitre.org | https://bugzilla.suse.com/show_bug.cgi?id=1219823 | |

| cve.mitre.org | https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-01.html | |

| cve.mitre.org | https://gitlab.nic.cz/knot/knot-resolver/-/releases/v5.7.1 | |

| cve.mitre.org | https://kb.isc.org/docs/cve-2023-50387 | |

| cve.mitre.org | https://lists.debian.org/debian-lts-announce/2024/02/msg00006.html | |

| cve.mitre.org | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BUIP7T7Z4T3UHLXFWG6XIVDP4GYPD3AI/ | |

| cve.mitre.org | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PNNHZSZPG2E7NBMBNYPGHCFI4V4XRWNQ/ | |

| cve.mitre.org | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SVYA42BLXUCIDLD35YIJPJSHDIADNYMP/ | |

| cve.mitre.org | https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2024q1/017430.html | |

| cve.mitre.org | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-50387 | |

| cve.mitre.org | https://news.ycombinator.com/item?id=39367411 | |

| cve.mitre.org | https://news.ycombinator.com/item?id=39372384 | |

| cve.mitre.org | https://nlnetlabs.nl/news/2024/Feb/13/unbound-1.19.1-released/ | |

| cve.mitre.org | https://www.athene-center.de/aktuelles/key-trap | |

| cve.mitre.org | https://www.athene-center.de/fileadmin/content/PDF/Technical_Report_KeyTrap.pdf | |

| cve.mitre.org | https://www.isc.org/blogs/2024-bind-security-release/ | |

| cve.mitre.org | https://www.securityweek.com/keytrap-dns-attack-could-disable-large-parts-of-internet-researchers/ | |

| cve.mitre.org | https://www.theregister.com/2024/02/13/dnssec_vulnerability_internet/ | |

| redhat_bugzilla | https://fosstodon.org/@tychotithonus@infosec.exchange/111924626751024210 | https://bugzilla.redhat.com/show_bug.cgi?id=2263914 |

| redhat_bugzilla | https://github.com/NLnetLabs/unbound/releases/tag/release-1.19.1 | https://bugzilla.redhat.com/show_bug.cgi?id=2263914 |

| redhat_bugzilla | https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2024q1/017430.html | https://bugzilla.redhat.com/show_bug.cgi?id=2263914 |

| redhat_bugzilla | https://kb.isc.org/docs/cve-2023-50387 | https://bugzilla.redhat.com/show_bug.cgi?id=2263914 |

| redhat_bugzilla | https://www.athene-center.de/en/news/press/key-trap | https://bugzilla.redhat.com/show_bug.cgi?id=2263914 |

| redhat_bugzilla | https://www.knot-resolver.cz/2024-02-13-knot-resolver-5.7.1.html | https://bugzilla.redhat.com/show_bug.cgi?id=2263914 |

| redhat_bugzilla | https://labs.ripe.net/author/haya-shulman/keytrap-algorithmic-complexity-attacks-exploit-fundamental-design-flaw-in-dnssec/ | https://bugzilla.redhat.com/show_bug.cgi?id=2263914 |

| redhat_bugzilla | https://lists.dns-oarc.net/pipermail/dns-operations/2024-February/022436.html | https://bugzilla.redhat.com/show_bug.cgi?id=2263914 |

| redhat_bugzilla | https://www.isc.org/blogs/2024-bind-security-release/ | https://bugzilla.redhat.com/show_bug.cgi?id=2263914 |

| bind | | https://kb.isc.org/v1/docs/cve-2023-50387 |

| cve_search | | https://www.athene-center.de/aktuelles/key-trap |

| cve_search | | https://nlnetlabs.nl/news/2024/Feb/13/unbound-1.19.1-released/ |

| cve_search | | https://kb.isc.org/docs/cve-2023-50387 |

| cve_search | | https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-01.html |

| cve_search | | https://www.theregister.com/2024/02/13/dnssec_vulnerability_internet/ |

| cve_search | | https://news.ycombinator.com/item?id=39367411 |

| cve_search | | https://www.securityweek.com/keytrap-dns-attack-could-disable-large-parts-of-internet-researchers/ |

| cve_search | | https://www.isc.org/blogs/2024-bind-security-release/ |

| cve_search | | https://news.ycombinator.com/item?id=39372384 |

| cve_search | | https://gitlab.nic.cz/knot/knot-resolver/-/releases/v5.7.1 |

| cve_search | | https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2024q1/017430.html |

| cve_search | | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-50387 |

| cve_search | | https://access.redhat.com/security/cve/CVE-2023-50387 |

| cve_search | | https://bugzilla.suse.com/show_bug.cgi?id=1219823 |

| cve_search | | https://www.athene-center.de/fileadmin/content/PDF/Technical_Report_KeyTrap.pdf |

| cve_search | | http://www.openwall.com/lists/oss-security/2024/02/16/2 |

| cve_search | | http://www.openwall.com/lists/oss-security/2024/02/16/3 |

| cve_search | | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SVYA42BLXUCIDLD35YIJPJSHDIADNYMP/ |

| cve_search | | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BUIP7T7Z4T3UHLXFWG6XIVDP4GYPD3AI/ |

| cve_search | | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PNNHZSZPG2E7NBMBNYPGHCFI4V4XRWNQ/ |

| cve_search | | https://lists.debian.org/debian-lts-announce/2024/02/msg00006.html |

| mageia | | http://advisories.mageia.org/MGASA-2024-0038.html |

| osv | https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-01.html | https://osv.dev/vulnerability/CVE-2023-50387 |

| osv | https://www.isc.org/blogs/2024-bind-security-release/ | https://osv.dev/vulnerability/CVE-2023-50387 |

| osv | https://bugzilla.suse.com/show_bug.cgi?id=1219823 | https://osv.dev/vulnerability/CVE-2023-50387 |

| osv | http://www.openwall.com/lists/oss-security/2024/02/16/2 | https://osv.dev/vulnerability/CVE-2023-50387 |

| osv | http://www.openwall.com/lists/oss-security/2024/02/16/3 | https://osv.dev/vulnerability/CVE-2023-50387 |

| osv | https://access.redhat.com/security/cve/CVE-2023-50387 | https://osv.dev/vulnerability/CVE-2023-50387 |

| osv | https://gitlab.nic.cz/knot/knot-resolver/-/releases/v5.7.1 | https://osv.dev/vulnerability/CVE-2023-50387 |

| osv | https://kb.isc.org/docs/cve-2023-50387 | https://osv.dev/vulnerability/CVE-2023-50387 |

| osv | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SVYA42BLXUCIDLD35YIJPJSHDIADNYMP/ | https://osv.dev/vulnerability/CVE-2023-50387 |

| osv | https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2024q1/017430.html | https://osv.dev/vulnerability/CVE-2023-50387 |

| osv | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-50387 | https://osv.dev/vulnerability/CVE-2023-50387 |

| osv | https://news.ycombinator.com/item?id=39367411 | https://osv.dev/vulnerability/CVE-2023-50387 |

| osv | https://news.ycombinator.com/item?id=39372384 | https://osv.dev/vulnerability/CVE-2023-50387 |

| osv | https://nlnetlabs.nl/news/2024/Feb/13/unbound-1.19.1-released/ | https://osv.dev/vulnerability/CVE-2023-50387 |

| osv | https://www.athene-center.de/aktuelles/key-trap | https://osv.dev/vulnerability/CVE-2023-50387 |

| osv | https://www.athene-center.de/fileadmin/content/PDF/Technical_Report_KeyTrap.pdf | https://osv.dev/vulnerability/CVE-2023-50387 |

| osv | https://www.securityweek.com/keytrap-dns-attack-could-disable-large-parts-of-internet-researchers/ | https://osv.dev/vulnerability/CVE-2023-50387 |

| osv | https://www.theregister.com/2024/02/13/dnssec_vulnerability_internet/ | https://osv.dev/vulnerability/CVE-2023-50387 |

| amazon_linux_explore | https://access.redhat.com/security/cve/CVE-2023-50387 | https://explore.alas.aws.amazon.com/CVE-2023-50387.html |

| amazon_linux_explore | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-50387 | https://explore.alas.aws.amazon.com/CVE-2023-50387.html |

| snyk | https://kb.isc.org/docs/cve-2023-50387 | https://security.snyk.io/vuln/SNYK-UNMANAGED-BIND-6245757 |

| snyk | https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=3ae7f1ab0d847b17fdc95fd0e5b3120f66dc3af9 | https://security.snyk.io/vuln/SNYK-UNMANAGED-BIND-6245757 |

| snyk | https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2024q1/017430.html | https://security.snyk.io/vuln/SNYK-UNMANAGED-BIND-6245757 |

| snyk | https://kb.isc.org/docs/cve-2023-50387 | https://security.snyk.io/vuln/SNYK-UNMANAGED-DNSMASQ-6245756 |

| snyk | https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=3ae7f1ab0d847b17fdc95fd0e5b3120f66dc3af9 | https://security.snyk.io/vuln/SNYK-UNMANAGED-DNSMASQ-6245756 |

| snyk | https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2024q1/017430.html | https://security.snyk.io/vuln/SNYK-UNMANAGED-DNSMASQ-6245756 |

| cve.mitre.org | http://www.openwall.com/lists/oss-security/2024/02/16/2 | |

| cve.mitre.org | http://www.openwall.com/lists/oss-security/2024/02/16/3 | |

| cve.mitre.org | https://access.redhat.com/security/cve/CVE-2023-50387 | |

| cve.mitre.org | https://bugzilla.suse.com/show_bug.cgi?id=1219823 | |

| cve.mitre.org | https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-01.html | |

| cve.mitre.org | https://gitlab.nic.cz/knot/knot-resolver/-/releases/v5.7.1 | |

| cve.mitre.org | https://kb.isc.org/docs/cve-2023-50387 | |

| cve.mitre.org | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BUIP7T7Z4T3UHLXFWG6XIVDP4GYPD3AI/ | |

| cve.mitre.org | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PNNHZSZPG2E7NBMBNYPGHCFI4V4XRWNQ/ | |

| cve.mitre.org | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SVYA42BLXUCIDLD35YIJPJSHDIADNYMP/ | |

| cve.mitre.org | https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2024q1/017430.html | |

| cve.mitre.org | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-50387 | |

| cve.mitre.org | https://news.ycombinator.com/item?id=39367411 | |

| cve.mitre.org | https://news.ycombinator.com/item?id=39372384 | |

| cve.mitre.org | https://nlnetlabs.nl/news/2024/Feb/13/unbound-1.19.1-released/ | |

| cve.mitre.org | https://www.athene-center.de/aktuelles/key-trap | |

| cve.mitre.org | https://www.athene-center.de/fileadmin/content/PDF/Technical_Report_KeyTrap.pdf | |

| cve.mitre.org | https://www.isc.org/blogs/2024-bind-security-release/ | |

| cve.mitre.org | https://www.securityweek.com/keytrap-dns-attack-could-disable-large-parts-of-internet-researchers/ | |

| cve.mitre.org | https://www.theregister.com/2024/02/13/dnssec_vulnerability_internet/ | |

| cve_search | | https://datatracker.ietf.org/doc/html/rfc4035 |

</details>

漏洞分析指导链接：

https://gitee.com/openeuler/cve-manager/blob/master/cve-vulner-manager/doc/md/manual.md

漏洞数据来源:

其它

漏洞补丁信息：

<details>

<summary>详情(点击展开)</summary>

| 影响的包 | 修复版本 | 修复补丁 | 问题引入补丁 | 来源 |

| ------- | -------- | ------- | -------- | --------- |

| | | https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=3ae7f1ab0d847b17fdc95fd0e5b3120f66dc3af9 | | snyk |

| | | http://www.openwall.com/lists/oss-security/2024/02/16/2 | | nvd |

| | | http://www.openwall.com/lists/oss-security/2024/02/16/3 | | nvd |

| | | https://access.redhat.com/security/cve/CVE-2023-50387 | | nvd |

| | | https://bugzilla.suse.com/show_bug.cgi?id=1219823 | | nvd |

| | | https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-01.html | | nvd |

| | | https://gitlab.nic.cz/knot/knot-resolver/-/releases/v5.7.1 | | nvd |

| | | https://kb.isc.org/docs/cve-2023-50387 | | nvd |

| | | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BUIP7T7Z4T3UHLXFWG6XIVDP4GYPD3AI/ | | nvd |

| | | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PNNHZSZPG2E7NBMBNYPGHCFI4V4XRWNQ/ | | nvd |

| | | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SVYA42BLXUCIDLD35YIJPJSHDIADNYMP/ | | nvd |

| | | https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2024q1/017430.html | | nvd |

| | | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-50387 | | nvd |

| | | https://news.ycombinator.com/item?id=39367411 | | nvd |

| | | https://news.ycombinator.com/item?id=39372384 | | nvd |

| | | https://nlnetlabs.nl/news/2024/Feb/13/unbound-1.19.1-released/ | | nvd |

| | | https://www.athene-center.de/aktuelles/key-trap | | nvd |

| | | https://www.athene-center.de/fileadmin/content/PDF/Technical_Report_KeyTrap.pdf | | nvd |

| | | https://www.isc.org/blogs/2024-bind-security-release/ | | nvd |

| | | https://www.securityweek.com/keytrap-dns-attack-could-disable-large-parts-of-internet-researchers/ | | nvd |

| | | https://www.theregister.com/2024/02/13/dnssec_vulnerability_internet/ | | nvd |

| | | https://www.nlnetlabs.nl/downloads/unbound/patch_CVE-2023-50387_CVE-2023-50868.diff | | unbound |

</details>

二、漏洞分析结构反馈

影响性分析说明：

openEuler评分：

7.5

Vector：CVSS：3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

受影响版本排查(受影响/不受影响)：

1.master(2.89):受影响

2.openEuler-20.03-LTS-SP1(2.82):受影响

3.openEuler-20.03-LTS-SP4(2.82):受影响

4.openEuler-22.03-LTS(2.86):受影响

5.openEuler-22.03-LTS-Next(2.86):受影响

6.openEuler-22.03-LTS-SP1(2.86):受影响

7.openEuler-22.03-LTS-SP2(2.86):受影响

8.openEuler-22.03-LTS-SP3(2.86):受影响

修复是否涉及abi变化(是/否)：

1.master(2.89):否

2.openEuler-20.03-LTS-SP1(2.82):否

3.openEuler-20.03-LTS-SP4(2.82):否

4.openEuler-22.03-LTS(2.86):否

5.openEuler-22.03-LTS-Next(2.86):否

6.openEuler-22.03-LTS-SP1(2.86):否

7.openEuler-22.03-LTS-SP2(2.86):否

8.openEuler-22.03-LTS-SP3(2.86):否

一、漏洞信息

漏洞编号：[CVE-2023-50387](https://nvd.nist.gov/vuln/detail/CVE-2023-50387)

漏洞归属组件：[dnsmasq](https://gitee.com/src-openeuler/dnsmasq)

漏洞归属的版本：2.82,2.85,2.86,2.88,2.89

CVSS V3.0分值：

BaseScore：7.5 High

Vector：CVSS：3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

漏洞简述：

Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6840, and related RFCs) allow remote attackers to cause a denial of service (CPU consumption) via one or more DNSSEC responses, aka the KeyTrap issue. One of the concerns is that, when there is a zone with many DNSKEY and RRSIG records, the protocol specification implies that an algorithm must evaluate all combinations of DNSKEY and RRSIG records.

漏洞公开时间：2024-02-15 00:15:45

漏洞创建时间：2024-02-21 01:40:04

漏洞详情参考链接：

https://nvd.nist.gov/vuln/detail/CVE-2023-50387

<details>

<summary>更多参考(点击展开)</summary>

| 参考来源 | 参考链接 | 来源链接 |

| ------- | -------- | -------- |

| cve.mitre.org | http://www.openwall.com/lists/oss-security/2024/02/16/2 | |

| cve.mitre.org | http://www.openwall.com/lists/oss-security/2024/02/16/3 | |

| cve.mitre.org | https://access.redhat.com/security/cve/CVE-2023-50387 | |

| cve.mitre.org | https://bugzilla.suse.com/show_bug.cgi?id=1219823 | |

| cve.mitre.org | https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-01.html | |

| cve.mitre.org | https://gitlab.nic.cz/knot/knot-resolver/-/releases/v5.7.1 | |

| cve.mitre.org | https://kb.isc.org/docs/cve-2023-50387 | |

| cve.mitre.org | https://lists.debian.org/debian-lts-announce/2024/02/msg00006.html | |

| cve.mitre.org | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BUIP7T7Z4T3UHLXFWG6XIVDP4GYPD3AI/ | |

| cve.mitre.org | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PNNHZSZPG2E7NBMBNYPGHCFI4V4XRWNQ/ | |

| cve.mitre.org | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SVYA42BLXUCIDLD35YIJPJSHDIADNYMP/ | |

</details>

漏洞分析指导链接：

https://gitee.com/openeuler/cve-manager/blob/master/cve-vulner-manager/doc/md/manual.md

漏洞数据来源:

其它

漏洞补丁信息：

<details>

<summary>详情(点击展开)</summary>

| 影响的包 | 修复版本 | 修复补丁 | 问题引入补丁 | 来源 |

| ------- | -------- | ------- | -------- | --------- |

| | | https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=3ae7f1ab0d847b17fdc95fd0e5b3120f66dc3af9 | | snyk |

| | | http://www.openwall.com/lists/oss-security/2024/02/16/2 | | nvd |

| | | http://www.openwall.com/lists/oss-security/2024/02/16/3 | | nvd |

| | | https://access.redhat.com/security/cve/CVE-2023-50387 | | nvd |

| | | https://bugzilla.suse.com/show_bug.cgi?id=1219823 | | nvd |

| | | https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-01.html | | nvd |

| | | https://gitlab.nic.cz/knot/knot-resolver/-/releases/v5.7.1 | | nvd |

| | | https://kb.isc.org/docs/cve-2023-50387 | | nvd |

| | | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BUIP7T7Z4T3UHLXFWG6XIVDP4GYPD3AI/ | | nvd |

| | | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PNNHZSZPG2E7NBMBNYPGHCFI4V4XRWNQ/ | | nvd |

| | | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SVYA42BLXUCIDLD35YIJPJSHDIADNYMP/ | | nvd |

| | | https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2024q1/017430.html | | nvd |

| | | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-50387 | | nvd |

| | | https://news.ycombinator.com/item?id=39367411 | | nvd |

| | | https://news.ycombinator.com/item?id=39372384 | | nvd |

| | | https://nlnetlabs.nl/news/2024/Feb/13/unbound-1.19.1-released/ | | nvd |

| | | https://www.athene-center.de/aktuelles/key-trap | | nvd |

| | | https://www.athene-center.de/fileadmin/content/PDF/Technical_Report_KeyTrap.pdf | | nvd |

| | | https://www.isc.org/blogs/2024-bind-security-release/ | | nvd |

| | | https://www.securityweek.com/keytrap-dns-attack-could-disable-large-parts-of-internet-researchers/ | | nvd |

| | | https://www.theregister.com/2024/02/13/dnssec_vulnerability_internet/ | | nvd |

| | | https://www.nlnetlabs.nl/downloads/unbound/patch_CVE-2023-50387_CVE-2023-50868.diff | | unbound |

</details>

二、漏洞分析结构反馈

影响性分析说明：

即“KeyTrap”攻击，DNS协议（RFC 4033、4034、4035、6840等协议）的某些DNSSEC方面的协议缺陷，允许远程攻击者通过一个或多个DNSSEC响应发动Dos攻击，造成拒绝服务（CPU消耗）。

openEuler评分：

7.5

Vector：CVSS：3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

受影响版本排查(受影响/不受影响)：

1.master(2.89):受影响

2.openEuler-20.03-LTS-SP1(2.82):受影响

3.openEuler-20.03-LTS-SP4(2.82):受影响

4.openEuler-22.03-LTS(2.86):受影响

5.openEuler-22.03-LTS-Next(2.86):受影响

6.openEuler-22.03-LTS-SP1(2.86):受影响

7.openEuler-22.03-LTS-SP2(2.86):受影响

8.openEuler-22.03-LTS-SP3(2.86):受影响

修复是否涉及abi变化(是/否)：

1.master(2.89):否

2.openEuler-20.03-LTS-SP1(2.82):否

3.openEuler-20.03-LTS-SP4(2.82):否

4.openEuler-22.03-LTS(2.86):否

5.openEuler-22.03-LTS-Next(2.86):否

6.openEuler-22.03-LTS-SP1(2.86):否

7.openEuler-22.03-LTS-SP2(2.86):否

8.openEuler-22.03-LTS-SP3(2.86):否

一、漏洞信息

漏洞编号：[CVE-2023-50387](https://nvd.nist.gov/vuln/detail/CVE-2023-50387)

漏洞归属组件：[dnsmasq](https://gitee.com/src-openeuler/dnsmasq)

漏洞归属的版本：2.82,2.85,2.86,2.88,2.89

CVSS V3.0分值：

BaseScore：7.5 High

Vector：CVSS：3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

漏洞简述：

Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6840, and related RFCs) allow remote attackers to cause a denial of service (CPU consumption) via one or more DNSSEC responses, aka the KeyTrap issue. One of the concerns is that, when there is a zone with many DNSKEY and RRSIG records, the protocol specification implies that an algorithm must evaluate all combinations of DNSKEY and RRSIG records.

漏洞公开时间：2024-02-15 00:15:45

漏洞创建时间：2024-02-21 01:40:04

漏洞详情参考链接：

https://nvd.nist.gov/vuln/detail/CVE-2023-50387

<details>

<summary>更多参考(点击展开)</summary>

| 参考来源 | 参考链接 | 来源链接 |

| ------- | -------- | -------- |

| cve.mitre.org | http://www.openwall.com/lists/oss-security/2024/02/16/2 | |

| cve.mitre.org | http://www.openwall.com/lists/oss-security/2024/02/16/3 | |

| cve.mitre.org | https://access.redhat.com/security/cve/CVE-2023-50387 | |

| cve.mitre.org | https://bugzilla.suse.com/show_bug.cgi?id=1219823 | |

| cve.mitre.org | https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-01.html | |

| cve.mitre.org | https://gitlab.nic.cz/knot/knot-resolver/-/releases/v5.7.1 | |

| cve.mitre.org | https://kb.isc.org/docs/cve-2023-50387 | |

| cve.mitre.org | https://lists.debian.org/debian-lts-announce/2024/02/msg00006.html | |

| cve.mitre.org | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BUIP7T7Z4T3UHLXFWG6XIVDP4GYPD3AI/ | |

| cve.mitre.org | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PNNHZSZPG2E7NBMBNYPGHCFI4V4XRWNQ/ | |

| cve.mitre.org | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SVYA42BLXUCIDLD35YIJPJSHDIADNYMP/ | |

| cve.mitre.org | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TEXGOYGW7DBS3N2QSSQONZ4ENIRQEAPG/ | |

| cve.mitre.org | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQESRWMJCF4JEYJEAKLRM6CT55GLJAB7/ | |

| cve.mitre.org | https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2024q1/017430.html | |

| cve.mitre.org | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-50387 | |

| cve.mitre.org | https://news.ycombinator.com/item?id=39367411 | |

| cve.mitre.org | https://news.ycombinator.com/item?id=39372384 | |

| cve.mitre.org | https://nlnetlabs.nl/news/2024/Feb/13/unbound-1.19.1-released/ | |

| cve.mitre.org | https://www.athene-center.de/aktuelles/key-trap | |

| cve.mitre.org | https://www.athene-center.de/fileadmin/content/PDF/Technical_Report_KeyTrap.pdf | |

| cve.mitre.org | https://www.isc.org/blogs/2024-bind-security-release/ | |

| cve.mitre.org | https://www.securityweek.com/keytrap-dns-attack-could-disable-large-parts-of-internet-researchers/ | |

| cve.mitre.org | https://www.theregister.com/2024/02/13/dnssec_vulnerability_internet/ | |

| redhat_bugzilla | https://fosstodon.org/@tychotithonus@infosec.exchange/111924626751024210 | https://bugzilla.redhat.com/show_bug.cgi?id=2263914 |

| redhat_bugzilla | https://github.com/NLnetLabs/unbound/releases/tag/release-1.19.1 | https://bugzilla.redhat.com/show_bug.cgi?id=2263914 |

| redhat_bugzilla | https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2024q1/017430.html | https://bugzilla.redhat.com/show_bug.cgi?id=2263914 |

| redhat_bugzilla | https://kb.isc.org/docs/cve-2023-50387 | https://bugzilla.redhat.com/show_bug.cgi?id=2263914 |

| redhat_bugzilla | https://www.athene-center.de/en/news/press/key-trap | https://bugzilla.redhat.com/show_bug.cgi?id=2263914 |

| redhat_bugzilla | https://www.knot-resolver.cz/2024-02-13-knot-resolver-5.7.1.html | https://bugzilla.redhat.com/show_bug.cgi?id=2263914 |

| redhat_bugzilla | https://labs.ripe.net/author/haya-shulman/keytrap-algorithmic-complexity-attacks-exploit-fundamental-design-flaw-in-dnssec/ | https://bugzilla.redhat.com/show_bug.cgi?id=2263914 |

| redhat_bugzilla | https://lists.dns-oarc.net/pipermail/dns-operations/2024-February/022436.html | https://bugzilla.redhat.com/show_bug.cgi?id=2263914 |

| redhat_bugzilla | https://www.isc.org/blogs/2024-bind-security-release/ | https://bugzilla.redhat.com/show_bug.cgi?id=2263914 |

| bind | | https://kb.isc.org/v1/docs/cve-2023-50387 |

| cve_search | | https://www.athene-center.de/aktuelles/key-trap |

| cve_search | | https://nlnetlabs.nl/news/2024/Feb/13/unbound-1.19.1-released/ |

| cve_search | | https://kb.isc.org/docs/cve-2023-50387 |

| cve_search | | https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-01.html |

| cve_search | | https://www.theregister.com/2024/02/13/dnssec_vulnerability_internet/ |

| cve_search | | https://news.ycombinator.com/item?id=39367411 |

| cve_search | | https://www.securityweek.com/keytrap-dns-attack-could-disable-large-parts-of-internet-researchers/ |

| cve_search | | https://www.isc.org/blogs/2024-bind-security-release/ |

| cve_search | | https://news.ycombinator.com/item?id=39372384 |

| cve_search | | https://gitlab.nic.cz/knot/knot-resolver/-/releases/v5.7.1 |

| cve_search | | https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2024q1/017430.html |

| cve_search | | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-50387 |

| cve_search | | https://access.redhat.com/security/cve/CVE-2023-50387 |

| cve_search | | https://bugzilla.suse.com/show_bug.cgi?id=1219823 |

| cve_search | | https://www.athene-center.de/fileadmin/content/PDF/Technical_Report_KeyTrap.pdf |

| cve_search | | http://www.openwall.com/lists/oss-security/2024/02/16/2 |

| cve_search | | http://www.openwall.com/lists/oss-security/2024/02/16/3 |

| cve_search | | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SVYA42BLXUCIDLD35YIJPJSHDIADNYMP/ |

| cve_search | | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BUIP7T7Z4T3UHLXFWG6XIVDP4GYPD3AI/ |

| cve_search | | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PNNHZSZPG2E7NBMBNYPGHCFI4V4XRWNQ/ |

| cve_search | | https://lists.debian.org/debian-lts-announce/2024/02/msg00006.html |

| mageia | | http://advisories.mageia.org/MGASA-2024-0038.html |

| osv | https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-01.html | https://osv.dev/vulnerability/CVE-2023-50387 |

| osv | https://www.isc.org/blogs/2024-bind-security-release/ | https://osv.dev/vulnerability/CVE-2023-50387 |

| osv | https://bugzilla.suse.com/show_bug.cgi?id=1219823 | https://osv.dev/vulnerability/CVE-2023-50387 |

| osv | http://www.openwall.com/lists/oss-security/2024/02/16/2 | https://osv.dev/vulnerability/CVE-2023-50387 |

| osv | http://www.openwall.com/lists/oss-security/2024/02/16/3 | https://osv.dev/vulnerability/CVE-2023-50387 |

| osv | https://access.redhat.com/security/cve/CVE-2023-50387 | https://osv.dev/vulnerability/CVE-2023-50387 |

| osv | https://gitlab.nic.cz/knot/knot-resolver/-/releases/v5.7.1 | https://osv.dev/vulnerability/CVE-2023-50387 |

| osv | https://kb.isc.org/docs/cve-2023-50387 | https://osv.dev/vulnerability/CVE-2023-50387 |

| osv | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SVYA42BLXUCIDLD35YIJPJSHDIADNYMP/ | https://osv.dev/vulnerability/CVE-2023-50387 |

| osv | https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2024q1/017430.html | https://osv.dev/vulnerability/CVE-2023-50387 |

| osv | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-50387 | https://osv.dev/vulnerability/CVE-2023-50387 |

| osv | https://news.ycombinator.com/item?id=39367411 | https://osv.dev/vulnerability/CVE-2023-50387 |

| osv | https://news.ycombinator.com/item?id=39372384 | https://osv.dev/vulnerability/CVE-2023-50387 |

| osv | https://nlnetlabs.nl/news/2024/Feb/13/unbound-1.19.1-released/ | https://osv.dev/vulnerability/CVE-2023-50387 |

| osv | https://www.athene-center.de/aktuelles/key-trap | https://osv.dev/vulnerability/CVE-2023-50387 |

| osv | https://www.athene-center.de/fileadmin/content/PDF/Technical_Report_KeyTrap.pdf | https://osv.dev/vulnerability/CVE-2023-50387 |

| osv | https://www.securityweek.com/keytrap-dns-attack-could-disable-large-parts-of-internet-researchers/ | https://osv.dev/vulnerability/CVE-2023-50387 |

| osv | https://www.theregister.com/2024/02/13/dnssec_vulnerability_internet/ | https://osv.dev/vulnerability/CVE-2023-50387 |

| amazon_linux_explore | https://access.redhat.com/security/cve/CVE-2023-50387 | https://explore.alas.aws.amazon.com/CVE-2023-50387.html |

| amazon_linux_explore | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-50387 | https://explore.alas.aws.amazon.com/CVE-2023-50387.html |

| snyk | https://kb.isc.org/docs/cve-2023-50387 | https://security.snyk.io/vuln/SNYK-UNMANAGED-BIND-6245757 |

| snyk | https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=3ae7f1ab0d847b17fdc95fd0e5b3120f66dc3af9 | https://security.snyk.io/vuln/SNYK-UNMANAGED-BIND-6245757 |

| snyk | https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2024q1/017430.html | https://security.snyk.io/vuln/SNYK-UNMANAGED-BIND-6245757 |

| snyk | https://kb.isc.org/docs/cve-2023-50387 | https://security.snyk.io/vuln/SNYK-UNMANAGED-DNSMASQ-6245756 |

| snyk | https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=3ae7f1ab0d847b17fdc95fd0e5b3120f66dc3af9 | https://security.snyk.io/vuln/SNYK-UNMANAGED-DNSMASQ-6245756 |

| snyk | https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2024q1/017430.html | https://security.snyk.io/vuln/SNYK-UNMANAGED-DNSMASQ-6245756 |

| cve.mitre.org | http://www.openwall.com/lists/oss-security/2024/02/16/2 | |

| cve.mitre.org | http://www.openwall.com/lists/oss-security/2024/02/16/3 | |

| cve.mitre.org | https://access.redhat.com/security/cve/CVE-2023-50387 | |

| cve.mitre.org | https://bugzilla.suse.com/show_bug.cgi?id=1219823 | |

| cve.mitre.org | https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-01.html | |

| cve.mitre.org | https://gitlab.nic.cz/knot/knot-resolver/-/releases/v5.7.1 | |

| cve.mitre.org | https://kb.isc.org/docs/cve-2023-50387 | |

| cve.mitre.org | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BUIP7T7Z4T3UHLXFWG6XIVDP4GYPD3AI/ | |

| cve.mitre.org | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PNNHZSZPG2E7NBMBNYPGHCFI4V4XRWNQ/ | |

| cve.mitre.org | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SVYA42BLXUCIDLD35YIJPJSHDIADNYMP/ | |

| cve.mitre.org | https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2024q1/017430.html | |

| cve.mitre.org | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-50387 | |

| cve.mitre.org | https://news.ycombinator.com/item?id=39367411 | |

| cve.mitre.org | https://news.ycombinator.com/item?id=39372384 | |

| cve.mitre.org | https://nlnetlabs.nl/news/2024/Feb/13/unbound-1.19.1-released/ | |

| cve.mitre.org | https://www.athene-center.de/aktuelles/key-trap | |

| cve.mitre.org | https://www.athene-center.de/fileadmin/content/PDF/Technical_Report_KeyTrap.pdf | |

| cve.mitre.org | https://www.isc.org/blogs/2024-bind-security-release/ | |

| cve.mitre.org | https://www.securityweek.com/keytrap-dns-attack-could-disable-large-parts-of-internet-researchers/ | |

</details>

漏洞分析指导链接：

https://gitee.com/openeuler/cve-manager/blob/master/cve-vulner-manager/doc/md/manual.md

漏洞数据来源:

其它

漏洞补丁信息：

<details>

<summary>详情(点击展开)</summary>

| 影响的包 | 修复版本 | 修复补丁 | 问题引入补丁 | 来源 |

| ------- | -------- | ------- | -------- | --------- |

| | | https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=3ae7f1ab0d847b17fdc95fd0e5b3120f66dc3af9 | | snyk |

| | | http://www.openwall.com/lists/oss-security/2024/02/16/2 | | nvd |

| | | http://www.openwall.com/lists/oss-security/2024/02/16/3 | | nvd |

| | | https://access.redhat.com/security/cve/CVE-2023-50387 | | nvd |

| | | https://bugzilla.suse.com/show_bug.cgi?id=1219823 | | nvd |

| | | https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-01.html | | nvd |

| | | https://gitlab.nic.cz/knot/knot-resolver/-/releases/v5.7.1 | | nvd |

| | | https://kb.isc.org/docs/cve-2023-50387 | | nvd |

| | | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BUIP7T7Z4T3UHLXFWG6XIVDP4GYPD3AI/ | | nvd |

| | | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PNNHZSZPG2E7NBMBNYPGHCFI4V4XRWNQ/ | | nvd |

| | | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SVYA42BLXUCIDLD35YIJPJSHDIADNYMP/ | | nvd |

| | | https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2024q1/017430.html | | nvd |

| | | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-50387 | | nvd |

| | | https://news.ycombinator.com/item?id=39367411 | | nvd |

| | | https://news.ycombinator.com/item?id=39372384 | | nvd |

| | | https://nlnetlabs.nl/news/2024/Feb/13/unbound-1.19.1-released/ | | nvd |

| | | https://www.athene-center.de/aktuelles/key-trap | | nvd |

| | | https://www.athene-center.de/fileadmin/content/PDF/Technical_Report_KeyTrap.pdf | | nvd |

| | | https://www.isc.org/blogs/2024-bind-security-release/ | | nvd |

| | | https://www.securityweek.com/keytrap-dns-attack-could-disable-large-parts-of-internet-researchers/ | | nvd |

| | | https://www.theregister.com/2024/02/13/dnssec_vulnerability_internet/ | | nvd |

| | | https://www.nlnetlabs.nl/downloads/unbound/patch_CVE-2023-50387_CVE-2023-50868.diff | | unbound |

</details>

二、漏洞分析结构反馈

影响性分析说明：

openEuler评分：

7.5

Vector：CVSS：3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

受影响版本排查(受影响/不受影响)：

1.master(2.89):受影响

2.openEuler-20.03-LTS-SP1(2.82):受影响

3.openEuler-20.03-LTS-SP4(2.82):受影响

4.openEuler-22.03-LTS(2.86):受影响

5.openEuler-22.03-LTS-Next(2.86):受影响

6.openEuler-22.03-LTS-SP1(2.86):受影响

7.openEuler-22.03-LTS-SP2(2.86):受影响

8.openEuler-22.03-LTS-SP3(2.86):受影响

修复是否涉及abi变化(是/否)：

1.master(2.89):否

2.openEuler-20.03-LTS-SP1(2.82):否

3.openEuler-20.03-LTS-SP4(2.82):否

4.openEuler-22.03-LTS(2.86):否

5.openEuler-22.03-LTS-Next(2.86):否

6.openEuler-22.03-LTS-SP1(2.86):否

7.openEuler-22.03-LTS-SP2(2.86):否

8.openEuler-22.03-LTS-SP3(2.86):否

一、漏洞信息

漏洞编号：[CVE-2023-50387](https://nvd.nist.gov/vuln/detail/CVE-2023-50387)

漏洞归属组件：[dnsmasq](https://gitee.com/src-openeuler/dnsmasq)

漏洞归属的版本：2.82,2.85,2.86,2.88,2.89

CVSS V3.0分值：

BaseScore：7.5 High

Vector：CVSS：3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

漏洞简述：

Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6840, and related RFCs) allow remote attackers to cause a denial of service (CPU consumption) via one or more DNSSEC responses, aka the KeyTrap issue. One of the concerns is that, when there is a zone with many DNSKEY and RRSIG records, the protocol specification implies that an algorithm must evaluate all combinations of DNSKEY and RRSIG records.

漏洞公开时间：2024-02-15 00:15:45

漏洞创建时间：2024-02-21 01:40:04

漏洞详情参考链接：

https://nvd.nist.gov/vuln/detail/CVE-2023-50387

<details>

<summary>更多参考(点击展开)</summary>

| 参考来源 | 参考链接 | 来源链接 |

| ------- | -------- | -------- |

| cve.mitre.org | http://www.openwall.com/lists/oss-security/2024/02/16/2 | |

| cve.mitre.org | http://www.openwall.com/lists/oss-security/2024/02/16/3 | |

| cve.mitre.org | https://access.redhat.com/security/cve/CVE-2023-50387 | |

| cve.mitre.org | https://bugzilla.suse.com/show_bug.cgi?id=1219823 | |

| cve.mitre.org | https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-01.html | |

| cve.mitre.org | https://gitlab.nic.cz/knot/knot-resolver/-/releases/v5.7.1 | |

| cve.mitre.org | https://kb.isc.org/docs/cve-2023-50387 | |

| cve.mitre.org | https://lists.debian.org/debian-lts-announce/2024/02/msg00006.html | |

| cve.mitre.org | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BUIP7T7Z4T3UHLXFWG6XIVDP4GYPD3AI/ | |

| cve.mitre.org | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PNNHZSZPG2E7NBMBNYPGHCFI4V4XRWNQ/ | |

| cve.mitre.org | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SVYA42BLXUCIDLD35YIJPJSHDIADNYMP/ | |

| cve.mitre.org | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TEXGOYGW7DBS3N2QSSQONZ4ENIRQEAPG/ | |

| cve.mitre.org | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQESRWMJCF4JEYJEAKLRM6CT55GLJAB7/ | |

| cve.mitre.org | https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2024q1/017430.html | |

| cve.mitre.org | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-50387 | |

| cve.mitre.org | https://news.ycombinator.com/item?id=39367411 | |

| cve.mitre.org | https://news.ycombinator.com/item?id=39372384 | |

| cve.mitre.org | https://nlnetlabs.nl/news/2024/Feb/13/unbound-1.19.1-released/ | |

| cve.mitre.org | https://www.athene-center.de/aktuelles/key-trap | |

| cve.mitre.org | https://www.athene-center.de/fileadmin/content/PDF/Technical_Report_KeyTrap.pdf | |

| cve.mitre.org | https://www.isc.org/blogs/2024-bind-security-release/ | |

| cve.mitre.org | https://www.securityweek.com/keytrap-dns-attack-could-disable-large-parts-of-internet-researchers/ | |

| cve.mitre.org | https://www.theregister.com/2024/02/13/dnssec_vulnerability_internet/ | |

| redhat_bugzilla | https://fosstodon.org/@tychotithonus@infosec.exchange/111924626751024210 | https://bugzilla.redhat.com/show_bug.cgi?id=2263914 |

| redhat_bugzilla | https://github.com/NLnetLabs/unbound/releases/tag/release-1.19.1 | https://bugzilla.redhat.com/show_bug.cgi?id=2263914 |

| redhat_bugzilla | https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2024q1/017430.html | https://bugzilla.redhat.com/show_bug.cgi?id=2263914 |

| redhat_bugzilla | https://kb.isc.org/docs/cve-2023-50387 | https://bugzilla.redhat.com/show_bug.cgi?id=2263914 |

| redhat_bugzilla | https://www.athene-center.de/en/news/press/key-trap | https://bugzilla.redhat.com/show_bug.cgi?id=2263914 |

| redhat_bugzilla | https://www.knot-resolver.cz/2024-02-13-knot-resolver-5.7.1.html | https://bugzilla.redhat.com/show_bug.cgi?id=2263914 |

| redhat_bugzilla | https://labs.ripe.net/author/haya-shulman/keytrap-algorithmic-complexity-attacks-exploit-fundamental-design-flaw-in-dnssec/ | https://bugzilla.redhat.com/show_bug.cgi?id=2263914 |

| redhat_bugzilla | https://lists.dns-oarc.net/pipermail/dns-operations/2024-February/022436.html | https://bugzilla.redhat.com/show_bug.cgi?id=2263914 |

| redhat_bugzilla | https://www.isc.org/blogs/2024-bind-security-release/ | https://bugzilla.redhat.com/show_bug.cgi?id=2263914 |

| bind | | https://kb.isc.org/v1/docs/cve-2023-50387 |

| cve_search | | https://www.athene-center.de/aktuelles/key-trap |

| cve_search | | https://nlnetlabs.nl/news/2024/Feb/13/unbound-1.19.1-released/ |

| cve_search | | https://kb.isc.org/docs/cve-2023-50387 |

| cve_search | | https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-01.html |

| cve_search | | https://www.theregister.com/2024/02/13/dnssec_vulnerability_internet/ |

| cve_search | | https://news.ycombinator.com/item?id=39367411 |

| cve_search | | https://www.securityweek.com/keytrap-dns-attack-could-disable-large-parts-of-internet-researchers/ |

| cve_search | | https://www.isc.org/blogs/2024-bind-security-release/ |

| cve_search | | https://news.ycombinator.com/item?id=39372384 |

| cve_search | | https://gitlab.nic.cz/knot/knot-resolver/-/releases/v5.7.1 |

| cve_search | | https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2024q1/017430.html |

| cve_search | | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-50387 |

| cve_search | | https://access.redhat.com/security/cve/CVE-2023-50387 |

| cve_search | | https://bugzilla.suse.com/show_bug.cgi?id=1219823 |

| cve_search | | https://www.athene-center.de/fileadmin/content/PDF/Technical_Report_KeyTrap.pdf |

| cve_search | | http://www.openwall.com/lists/oss-security/2024/02/16/2 |

| cve_search | | http://www.openwall.com/lists/oss-security/2024/02/16/3 |

| cve_search | | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SVYA42BLXUCIDLD35YIJPJSHDIADNYMP/ |

| cve_search | | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BUIP7T7Z4T3UHLXFWG6XIVDP4GYPD3AI/ |

| cve_search | | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PNNHZSZPG2E7NBMBNYPGHCFI4V4XRWNQ/ |

| cve_search | | https://lists.debian.org/debian-lts-announce/2024/02/msg00006.html |

| mageia | | http://advisories.mageia.org/MGASA-2024-0038.html |

| osv | https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-01.html | https://osv.dev/vulnerability/CVE-2023-50387 |

| osv | https://www.isc.org/blogs/2024-bind-security-release/ | https://osv.dev/vulnerability/CVE-2023-50387 |

| osv | https://bugzilla.suse.com/show_bug.cgi?id=1219823 | https://osv.dev/vulnerability/CVE-2023-50387 |

| osv | http://www.openwall.com/lists/oss-security/2024/02/16/2 | https://osv.dev/vulnerability/CVE-2023-50387 |

| osv | http://www.openwall.com/lists/oss-security/2024/02/16/3 | https://osv.dev/vulnerability/CVE-2023-50387 |

| osv | https://access.redhat.com/security/cve/CVE-2023-50387 | https://osv.dev/vulnerability/CVE-2023-50387 |

| osv | https://gitlab.nic.cz/knot/knot-resolver/-/releases/v5.7.1 | https://osv.dev/vulnerability/CVE-2023-50387 |

| osv | https://kb.isc.org/docs/cve-2023-50387 | https://osv.dev/vulnerability/CVE-2023-50387 |

| osv | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SVYA42BLXUCIDLD35YIJPJSHDIADNYMP/ | https://osv.dev/vulnerability/CVE-2023-50387 |

| osv | https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2024q1/017430.html | https://osv.dev/vulnerability/CVE-2023-50387 |

| osv | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-50387 | https://osv.dev/vulnerability/CVE-2023-50387 |

| osv | https://news.ycombinator.com/item?id=39367411 | https://osv.dev/vulnerability/CVE-2023-50387 |

| osv | https://news.ycombinator.com/item?id=39372384 | https://osv.dev/vulnerability/CVE-2023-50387 |

| osv | https://nlnetlabs.nl/news/2024/Feb/13/unbound-1.19.1-released/ | https://osv.dev/vulnerability/CVE-2023-50387 |

| osv | https://www.athene-center.de/aktuelles/key-trap | https://osv.dev/vulnerability/CVE-2023-50387 |

| osv | https://www.athene-center.de/fileadmin/content/PDF/Technical_Report_KeyTrap.pdf | https://osv.dev/vulnerability/CVE-2023-50387 |

| osv | https://www.securityweek.com/keytrap-dns-attack-could-disable-large-parts-of-internet-researchers/ | https://osv.dev/vulnerability/CVE-2023-50387 |

| osv | https://www.theregister.com/2024/02/13/dnssec_vulnerability_internet/ | https://osv.dev/vulnerability/CVE-2023-50387 |

| amazon_linux_explore | https://access.redhat.com/security/cve/CVE-2023-50387 | https://explore.alas.aws.amazon.com/CVE-2023-50387.html |

| amazon_linux_explore | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-50387 | https://explore.alas.aws.amazon.com/CVE-2023-50387.html |

| snyk | https://kb.isc.org/docs/cve-2023-50387 | https://security.snyk.io/vuln/SNYK-UNMANAGED-BIND-6245757 |

| snyk | https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=3ae7f1ab0d847b17fdc95fd0e5b3120f66dc3af9 | https://security.snyk.io/vuln/SNYK-UNMANAGED-BIND-6245757 |

| snyk | https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2024q1/017430.html | https://security.snyk.io/vuln/SNYK-UNMANAGED-BIND-6245757 |

| snyk | https://kb.isc.org/docs/cve-2023-50387 | https://security.snyk.io/vuln/SNYK-UNMANAGED-DNSMASQ-6245756 |

| snyk | https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=3ae7f1ab0d847b17fdc95fd0e5b3120f66dc3af9 | https://security.snyk.io/vuln/SNYK-UNMANAGED-DNSMASQ-6245756 |

| snyk | https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2024q1/017430.html | https://security.snyk.io/vuln/SNYK-UNMANAGED-DNSMASQ-6245756 |

| cve.mitre.org | http://www.openwall.com/lists/oss-security/2024/02/16/2 | |

| cve.mitre.org | http://www.openwall.com/lists/oss-security/2024/02/16/3 | |

| cve.mitre.org | https://access.redhat.com/security/cve/CVE-2023-50387 | |

| cve.mitre.org | https://bugzilla.suse.com/show_bug.cgi?id=1219823 | |

| cve.mitre.org | https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-01.html | |

| cve.mitre.org | https://gitlab.nic.cz/knot/knot-resolver/-/releases/v5.7.1 | |

| cve.mitre.org | https://kb.isc.org/docs/cve-2023-50387 | |

| cve.mitre.org | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BUIP7T7Z4T3UHLXFWG6XIVDP4GYPD3AI/ | |

| cve.mitre.org | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PNNHZSZPG2E7NBMBNYPGHCFI4V4XRWNQ/ | |

| cve.mitre.org | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SVYA42BLXUCIDLD35YIJPJSHDIADNYMP/ | |

| cve.mitre.org | https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2024q1/017430.html | |

| cve.mitre.org | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-50387 | |

| cve.mitre.org | https://news.ycombinator.com/item?id=39367411 | |

| cve.mitre.org | https://news.ycombinator.com/item?id=39372384 | |

| cve.mitre.org | https://nlnetlabs.nl/news/2024/Feb/13/unbound-1.19.1-released/ | |

| cve.mitre.org | https://www.athene-center.de/aktuelles/key-trap | |

| cve.mitre.org | https://www.athene-center.de/fileadmin/content/PDF/Technical_Report_KeyTrap.pdf | |

| cve.mitre.org | https://www.isc.org/blogs/2024-bind-security-release/ | |

| cve.mitre.org | https://www.securityweek.com/keytrap-dns-attack-could-disable-large-parts-of-internet-researchers/ | |

</details>

漏洞分析指导链接：

https://gitee.com/openeuler/cve-manager/blob/master/cve-vulner-manager/doc/md/manual.md

漏洞数据来源:

其它

漏洞补丁信息：

<details>

<summary>详情(点击展开)</summary>

| 影响的包 | 修复版本 | 修复补丁 | 问题引入补丁 | 来源 |

| ------- | -------- | ------- | -------- | --------- |

| | | https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=3ae7f1ab0d847b17fdc95fd0e5b3120f66dc3af9 | | snyk |

| | | http://www.openwall.com/lists/oss-security/2024/02/16/2 | | nvd |

| | | http://www.openwall.com/lists/oss-security/2024/02/16/3 | | nvd |

| | | https://access.redhat.com/security/cve/CVE-2023-50387 | | nvd |

| | | https://bugzilla.suse.com/show_bug.cgi?id=1219823 | | nvd |

| | | https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-01.html | | nvd |

| | | https://gitlab.nic.cz/knot/knot-resolver/-/releases/v5.7.1 | | nvd |

| | | https://kb.isc.org/docs/cve-2023-50387 | | nvd |

| | | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BUIP7T7Z4T3UHLXFWG6XIVDP4GYPD3AI/ | | nvd |

| | | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PNNHZSZPG2E7NBMBNYPGHCFI4V4XRWNQ/ | | nvd |

| | | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SVYA42BLXUCIDLD35YIJPJSHDIADNYMP/ | | nvd |

| | | https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2024q1/017430.html | | nvd |

| | | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-50387 | | nvd |

| | | https://news.ycombinator.com/item?id=39367411 | | nvd |

| | | https://news.ycombinator.com/item?id=39372384 | | nvd |

| | | https://nlnetlabs.nl/news/2024/Feb/13/unbound-1.19.1-released/ | | nvd |

| | | https://www.athene-center.de/aktuelles/key-trap | | nvd |

| | | https://www.athene-center.de/fileadmin/content/PDF/Technical_Report_KeyTrap.pdf | | nvd |

| | | https://www.isc.org/blogs/2024-bind-security-release/ | | nvd |

| | | https://www.securityweek.com/keytrap-dns-attack-could-disable-large-parts-of-internet-researchers/ | | nvd |

| | | https://www.theregister.com/2024/02/13/dnssec_vulnerability_internet/ | | nvd |

| | | https://www.nlnetlabs.nl/downloads/unbound/patch_CVE-2023-50387_CVE-2023-50868.diff | | unbound |

</details>

二、漏洞分析结构反馈

影响性分析说明：

openEuler评分：

7.5

Vector：CVSS：3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

受影响版本排查(受影响/不受影响)：

1.master(2.89):受影响

2.openEuler-20.03-LTS-SP1(2.82):受影响

3.openEuler-20.03-LTS-SP4(2.82):受影响

4.openEuler-22.03-LTS(2.86):受影响

5.openEuler-22.03-LTS-Next(2.86):受影响

6.openEuler-22.03-LTS-SP1(2.86):受影响

7.openEuler-22.03-LTS-SP2(2.86):受影响

8.openEuler-22.03-LTS-SP3(2.86):受影响

修复是否涉及abi变化(是/否)：

1.master(2.89):否

2.openEuler-20.03-LTS-SP1(2.82):否

3.openEuler-20.03-LTS-SP4(2.82):否

4.openEuler-22.03-LTS(2.86):否

5.openEuler-22.03-LTS-Next(2.86):否

6.openEuler-22.03-LTS-SP1(2.86):否

7.openEuler-22.03-LTS-SP2(2.86):否

8.openEuler-22.03-LTS-SP3(2.86):否

一、漏洞信息

漏洞编号：[CVE-2023-50387](https://nvd.nist.gov/vuln/detail/CVE-2023-50387)

漏洞归属组件：[dnsmasq](https://gitee.com/src-openeuler/dnsmasq)

漏洞归属的版本：2.82,2.85,2.86,2.88,2.89

CVSS V3.0分值：

BaseScore：7.5 High

Vector：CVSS：3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

漏洞简述：

Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6840, and related RFCs) allow remote attackers to cause a denial of service (CPU consumption) via one or more DNSSEC responses, aka the KeyTrap issue. One of the concerns is that, when there is a zone with many DNSKEY and RRSIG records, the protocol specification implies that an algorithm must evaluate all combinations of DNSKEY and RRSIG records.

漏洞公开时间：2024-02-15 00:15:45

漏洞创建时间：2024-02-21 01:40:04

漏洞详情参考链接：

https://nvd.nist.gov/vuln/detail/CVE-2023-50387

<details>

<summary>更多参考(点击展开)</summary>

| 参考来源 | 参考链接 | 来源链接 |

| ------- | -------- | -------- |

| cve.mitre.org | http://www.openwall.com/lists/oss-security/2024/02/16/2 | |

| cve.mitre.org | http://www.openwall.com/lists/oss-security/2024/02/16/3 | |

| cve.mitre.org | https://access.redhat.com/security/cve/CVE-2023-50387 | |

| cve.mitre.org | https://bugzilla.suse.com/show_bug.cgi?id=1219823 | |

| cve.mitre.org | https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-01.html | |

| cve.mitre.org | https://gitlab.nic.cz/knot/knot-resolver/-/releases/v5.7.1 | |

| cve.mitre.org | https://kb.isc.org/docs/cve-2023-50387 | |

| cve.mitre.org | https://lists.debian.org/debian-lts-announce/2024/02/msg00006.html | |

| cve.mitre.org | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BUIP7T7Z4T3UHLXFWG6XIVDP4GYPD3AI/ | |

| cve.mitre.org | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PNNHZSZPG2E7NBMBNYPGHCFI4V4XRWNQ/ | |

| cve.mitre.org | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SVYA42BLXUCIDLD35YIJPJSHDIADNYMP/ | |

| cve.mitre.org | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TEXGOYGW7DBS3N2QSSQONZ4ENIRQEAPG/ | |

| cve.mitre.org | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQESRWMJCF4JEYJEAKLRM6CT55GLJAB7/ | |

| cve.mitre.org | https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2024q1/017430.html | |

| cve.mitre.org | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-50387 | |

| cve.mitre.org | https://news.ycombinator.com/item?id=39367411 | |

| cve.mitre.org | https://news.ycombinator.com/item?id=39372384 | |

| cve.mitre.org | https://nlnetlabs.nl/news/2024/Feb/13/unbound-1.19.1-released/ | |

| cve.mitre.org | https://www.athene-center.de/aktuelles/key-trap | |

| cve.mitre.org | https://www.athene-center.de/fileadmin/content/PDF/Technical_Report_KeyTrap.pdf | |

| cve.mitre.org | https://www.isc.org/blogs/2024-bind-security-release/ | |

| cve.mitre.org | https://www.securityweek.com/keytrap-dns-attack-could-disable-large-parts-of-internet-researchers/ | |

| cve.mitre.org | https://www.theregister.com/2024/02/13/dnssec_vulnerability_internet/ | |

| redhat_bugzilla | https://fosstodon.org/@tychotithonus@infosec.exchange/111924626751024210 | https://bugzilla.redhat.com/show_bug.cgi?id=2263914 |

| redhat_bugzilla | https://github.com/NLnetLabs/unbound/releases/tag/release-1.19.1 | https://bugzilla.redhat.com/show_bug.cgi?id=2263914 |

| redhat_bugzilla | https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2024q1/017430.html | https://bugzilla.redhat.com/show_bug.cgi?id=2263914 |

| redhat_bugzilla | https://kb.isc.org/docs/cve-2023-50387 | https://bugzilla.redhat.com/show_bug.cgi?id=2263914 |

| redhat_bugzilla | https://www.athene-center.de/en/news/press/key-trap | https://bugzilla.redhat.com/show_bug.cgi?id=2263914 |

| redhat_bugzilla | https://www.knot-resolver.cz/2024-02-13-knot-resolver-5.7.1.html | https://bugzilla.redhat.com/show_bug.cgi?id=2263914 |

| redhat_bugzilla | https://labs.ripe.net/author/haya-shulman/keytrap-algorithmic-complexity-attacks-exploit-fundamental-design-flaw-in-dnssec/ | https://bugzilla.redhat.com/show_bug.cgi?id=2263914 |

| redhat_bugzilla | https://lists.dns-oarc.net/pipermail/dns-operations/2024-February/022436.html | https://bugzilla.redhat.com/show_bug.cgi?id=2263914 |

| redhat_bugzilla | https://www.isc.org/blogs/2024-bind-security-release/ | https://bugzilla.redhat.com/show_bug.cgi?id=2263914 |

| bind | | https://kb.isc.org/v1/docs/cve-2023-50387 |

| cve_search | | https://www.athene-center.de/aktuelles/key-trap |

| cve_search | | https://nlnetlabs.nl/news/2024/Feb/13/unbound-1.19.1-released/ |

| cve_search | | https://kb.isc.org/docs/cve-2023-50387 |

| cve_search | | https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-01.html |

| cve_search | | https://www.theregister.com/2024/02/13/dnssec_vulnerability_internet/ |

| cve_search | | https://news.ycombinator.com/item?id=39367411 |

| cve_search | | https://www.securityweek.com/keytrap-dns-attack-could-disable-large-parts-of-internet-researchers/ |

| cve_search | | https://www.isc.org/blogs/2024-bind-security-release/ |

| cve_search | | https://news.ycombinator.com/item?id=39372384 |

| cve_search | | https://gitlab.nic.cz/knot/knot-resolver/-/releases/v5.7.1 |

| cve_search | | https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2024q1/017430.html |

| cve_search | | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-50387 |

| cve_search | | https://access.redhat.com/security/cve/CVE-2023-50387 |

| cve_search | | https://bugzilla.suse.com/show_bug.cgi?id=1219823 |

| cve_search | | https://www.athene-center.de/fileadmin/content/PDF/Technical_Report_KeyTrap.pdf |

| cve_search | | http://www.openwall.com/lists/oss-security/2024/02/16/2 |

| cve_search | | http://www.openwall.com/lists/oss-security/2024/02/16/3 |

| cve_search | | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SVYA42BLXUCIDLD35YIJPJSHDIADNYMP/ |

| cve_search | | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BUIP7T7Z4T3UHLXFWG6XIVDP4GYPD3AI/ |

| cve_search | | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PNNHZSZPG2E7NBMBNYPGHCFI4V4XRWNQ/ |

| cve_search | | https://lists.debian.org/debian-lts-announce/2024/02/msg00006.html |

| mageia | | http://advisories.mageia.org/MGASA-2024-0038.html |

| osv | https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-01.html | https://osv.dev/vulnerability/CVE-2023-50387 |

| osv | https://www.isc.org/blogs/2024-bind-security-release/ | https://osv.dev/vulnerability/CVE-2023-50387 |

| osv | https://bugzilla.suse.com/show_bug.cgi?id=1219823 | https://osv.dev/vulnerability/CVE-2023-50387 |

| osv | http://www.openwall.com/lists/oss-security/2024/02/16/2 | https://osv.dev/vulnerability/CVE-2023-50387 |

| osv | http://www.openwall.com/lists/oss-security/2024/02/16/3 | https://osv.dev/vulnerability/CVE-2023-50387 |

| osv | https://access.redhat.com/security/cve/CVE-2023-50387 | https://osv.dev/vulnerability/CVE-2023-50387 |

| osv | https://gitlab.nic.cz/knot/knot-resolver/-/releases/v5.7.1 | https://osv.dev/vulnerability/CVE-2023-50387 |

| osv | https://kb.isc.org/docs/cve-2023-50387 | https://osv.dev/vulnerability/CVE-2023-50387 |

| osv | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SVYA42BLXUCIDLD35YIJPJSHDIADNYMP/ | https://osv.dev/vulnerability/CVE-2023-50387 |

| osv | https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2024q1/017430.html | https://osv.dev/vulnerability/CVE-2023-50387 |

| osv | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-50387 | https://osv.dev/vulnerability/CVE-2023-50387 |

| osv | https://news.ycombinator.com/item?id=39367411 | https://osv.dev/vulnerability/CVE-2023-50387 |

| osv | https://news.ycombinator.com/item?id=39372384 | https://osv.dev/vulnerability/CVE-2023-50387 |

| osv | https://nlnetlabs.nl/news/2024/Feb/13/unbound-1.19.1-released/ | https://osv.dev/vulnerability/CVE-2023-50387 |

| osv | https://www.athene-center.de/aktuelles/key-trap | https://osv.dev/vulnerability/CVE-2023-50387 |

| osv | https://www.athene-center.de/fileadmin/content/PDF/Technical_Report_KeyTrap.pdf | https://osv.dev/vulnerability/CVE-2023-50387 |

| osv | https://www.securityweek.com/keytrap-dns-attack-could-disable-large-parts-of-internet-researchers/ | https://osv.dev/vulnerability/CVE-2023-50387 |

| osv | https://www.theregister.com/2024/02/13/dnssec_vulnerability_internet/ | https://osv.dev/vulnerability/CVE-2023-50387 |

| amazon_linux_explore | https://access.redhat.com/security/cve/CVE-2023-50387 | https://explore.alas.aws.amazon.com/CVE-2023-50387.html |

| amazon_linux_explore | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-50387 | https://explore.alas.aws.amazon.com/CVE-2023-50387.html |

| snyk | https://kb.isc.org/docs/cve-2023-50387 | https://security.snyk.io/vuln/SNYK-UNMANAGED-BIND-6245757 |

| snyk | https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=3ae7f1ab0d847b17fdc95fd0e5b3120f66dc3af9 | https://security.snyk.io/vuln/SNYK-UNMANAGED-BIND-6245757 |

| snyk | https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2024q1/017430.html | https://security.snyk.io/vuln/SNYK-UNMANAGED-BIND-6245757 |

| snyk | https://kb.isc.org/docs/cve-2023-50387 | https://security.snyk.io/vuln/SNYK-UNMANAGED-DNSMASQ-6245756 |

| snyk | https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=3ae7f1ab0d847b17fdc95fd0e5b3120f66dc3af9 | https://security.snyk.io/vuln/SNYK-UNMANAGED-DNSMASQ-6245756 |

| snyk | https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2024q1/017430.html | https://security.snyk.io/vuln/SNYK-UNMANAGED-DNSMASQ-6245756 |

| cve.mitre.org | http://www.openwall.com/lists/oss-security/2024/02/16/2 | |

| cve.mitre.org | http://www.openwall.com/lists/oss-security/2024/02/16/3 | |

| cve.mitre.org | https://access.redhat.com/security/cve/CVE-2023-50387 | |

| cve.mitre.org | https://bugzilla.suse.com/show_bug.cgi?id=1219823 | |

| cve.mitre.org | https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-01.html | |

| cve.mitre.org | https://gitlab.nic.cz/knot/knot-resolver/-/releases/v5.7.1 | |

| cve.mitre.org | https://kb.isc.org/docs/cve-2023-50387 | |

| cve.mitre.org | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BUIP7T7Z4T3UHLXFWG6XIVDP4GYPD3AI/ | |

| cve.mitre.org | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PNNHZSZPG2E7NBMBNYPGHCFI4V4XRWNQ/ | |

| cve.mitre.org | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SVYA42BLXUCIDLD35YIJPJSHDIADNYMP/ | |

| cve.mitre.org | https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2024q1/017430.html | |

| cve.mitre.org | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-50387 | |

| cve.mitre.org | https://news.ycombinator.com/item?id=39367411 | |

| cve.mitre.org | https://news.ycombinator.com/item?id=39372384 | |

| cve.mitre.org | https://nlnetlabs.nl/news/2024/Feb/13/unbound-1.19.1-released/ | |

| cve.mitre.org | https://www.athene-center.de/aktuelles/key-trap | |

| cve.mitre.org | https://www.athene-center.de/fileadmin/content/PDF/Technical_Report_KeyTrap.pdf | |

| cve.mitre.org | https://www.isc.org/blogs/2024-bind-security-release/ | |

| cve.mitre.org | https://www.securityweek.com/keytrap-dns-attack-could-disable-large-parts-of-internet-researchers/ | |

</details>

漏洞分析指导链接：

https://gitee.com/openeuler/cve-manager/blob/master/cve-vulner-manager/doc/md/manual.md

漏洞数据来源:

其它

漏洞补丁信息：

<details>

<summary>详情(点击展开)</summary>

| 影响的包 | 修复版本 | 修复补丁 | 问题引入补丁 | 来源 |

| ------- | -------- | ------- | -------- | --------- |

| | | https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=3ae7f1ab0d847b17fdc95fd0e5b3120f66dc3af9 | | snyk |

| | | http://www.openwall.com/lists/oss-security/2024/02/16/2 | | nvd |

| | | http://www.openwall.com/lists/oss-security/2024/02/16/3 | | nvd |

| | | https://access.redhat.com/security/cve/CVE-2023-50387 | | nvd |

| | | https://bugzilla.suse.com/show_bug.cgi?id=1219823 | | nvd |

| | | https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-01.html | | nvd |

| | | https://gitlab.nic.cz/knot/knot-resolver/-/releases/v5.7.1 | | nvd |

| | | https://kb.isc.org/docs/cve-2023-50387 | | nvd |

| | | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BUIP7T7Z4T3UHLXFWG6XIVDP4GYPD3AI/ | | nvd |

| | | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PNNHZSZPG2E7NBMBNYPGHCFI4V4XRWNQ/ | | nvd |

| | | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SVYA42BLXUCIDLD35YIJPJSHDIADNYMP/ | | nvd |

| | | https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2024q1/017430.html | | nvd |

| | | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-50387 | | nvd |

| | | https://news.ycombinator.com/item?id=39367411 | | nvd |

| | | https://news.ycombinator.com/item?id=39372384 | | nvd |

| | | https://nlnetlabs.nl/news/2024/Feb/13/unbound-1.19.1-released/ | | nvd |

| | | https://www.athene-center.de/aktuelles/key-trap | | nvd |

| | | https://www.athene-center.de/fileadmin/content/PDF/Technical_Report_KeyTrap.pdf | | nvd |

| | | https://www.isc.org/blogs/2024-bind-security-release/ | | nvd |

| | | https://www.securityweek.com/keytrap-dns-attack-could-disable-large-parts-of-internet-researchers/ | | nvd |

| | | https://www.theregister.com/2024/02/13/dnssec_vulnerability_internet/ | | nvd |

| | | https://www.nlnetlabs.nl/downloads/unbound/patch_CVE-2023-50387_CVE-2023-50868.diff | | unbound |

</details>

二、漏洞分析结构反馈

影响性分析说明：

openEuler评分：

7.5

Vector：CVSS：3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

受影响版本排查(受影响/不受影响)：

1.master(2.89):受影响

2.openEuler-20.03-LTS-SP1(2.82):受影响

3.openEuler-20.03-LTS-SP4(2.82):受影响

4.openEuler-22.03-LTS(2.86):受影响

5.openEuler-22.03-LTS-Next(2.86):受影响

6.openEuler-22.03-LTS-SP1(2.86):受影响

7.openEuler-22.03-LTS-SP2(2.86):受影响

8.openEuler-22.03-LTS-SP3(2.86):受影响

修复是否涉及abi变化(是/否)：

1.master(2.89):否

2.openEuler-20.03-LTS-SP1(2.82):否

3.openEuler-20.03-LTS-SP4(2.82):否

4.openEuler-22.03-LTS(2.86):否

5.openEuler-22.03-LTS-Next(2.86):否

6.openEuler-22.03-LTS-SP1(2.86):否

7.openEuler-22.03-LTS-SP2(2.86):否

8.openEuler-22.03-LTS-SP3(2.86):否

一、漏洞信息

漏洞编号：[CVE-2023-50387](https://nvd.nist.gov/vuln/detail/CVE-2023-50387)

漏洞归属组件：[dnsmasq](https://gitee.com/src-openeuler/dnsmasq)

漏洞归属的版本：2.82,2.85,2.86,2.88,2.89

CVSS V3.0分值：

BaseScore：7.5 High

Vector：CVSS：3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

漏洞简述：

Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6840, and related RFCs) allow remote attackers to cause a denial of service (CPU consumption) via one or more DNSSEC responses, aka the KeyTrap issue. One of the concerns is that, when there is a zone with many DNSKEY and RRSIG records, the protocol specification implies that an algorithm must evaluate all combinations of DNSKEY and RRSIG records.

漏洞公开时间：2024-02-15 00:15:45

漏洞创建时间：2024-02-21 01:40:04

漏洞详情参考链接：

https://nvd.nist.gov/vuln/detail/CVE-2023-50387

<details>

<summary>更多参考(点击展开)</summary>

| 参考来源 | 参考链接 | 来源链接 |

| ------- | -------- | -------- |

| cve.mitre.org | http://www.openwall.com/lists/oss-security/2024/02/16/2 | |

| cve.mitre.org | http://www.openwall.com/lists/oss-security/2024/02/16/3 | |

| cve.mitre.org | https://access.redhat.com/security/cve/CVE-2023-50387 | |

| cve.mitre.org | https://bugzilla.suse.com/show_bug.cgi?id=1219823 | |

| cve.mitre.org | https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-01.html | |

| cve.mitre.org | https://gitlab.nic.cz/knot/knot-resolver/-/releases/v5.7.1 | |

| cve.mitre.org | https://kb.isc.org/docs/cve-2023-50387 | |

| cve.mitre.org | https://lists.debian.org/debian-lts-announce/2024/02/msg00006.html | |

| cve.mitre.org | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BUIP7T7Z4T3UHLXFWG6XIVDP4GYPD3AI/ | |

| cve.mitre.org | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PNNHZSZPG2E7NBMBNYPGHCFI4V4XRWNQ/ | |

| cve.mitre.org | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SVYA42BLXUCIDLD35YIJPJSHDIADNYMP/ | |

| cve.mitre.org | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TEXGOYGW7DBS3N2QSSQONZ4ENIRQEAPG/ | |

| cve.mitre.org | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQESRWMJCF4JEYJEAKLRM6CT55GLJAB7/ | |

| cve.mitre.org | https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2024q1/017430.html | |

| cve.mitre.org | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-50387 | |

| cve.mitre.org | https://news.ycombinator.com/item?id=39367411 | |

| cve.mitre.org | https://news.ycombinator.com/item?id=39372384 | |

| cve.mitre.org | https://nlnetlabs.nl/news/2024/Feb/13/unbound-1.19.1-released/ | |

| cve.mitre.org | https://www.athene-center.de/aktuelles/key-trap | |

| cve.mitre.org | https://www.athene-center.de/fileadmin/content/PDF/Technical_Report_KeyTrap.pdf | |

| cve.mitre.org | https://www.isc.org/blogs/2024-bind-security-release/ | |

| cve.mitre.org | https://www.securityweek.com/keytrap-dns-attack-could-disable-large-parts-of-internet-researchers/ | |

| cve.mitre.org | https://www.theregister.com/2024/02/13/dnssec_vulnerability_internet/ | |

| redhat_bugzilla | https://fosstodon.org/@tychotithonus@infosec.exchange/111924626751024210 | https://bugzilla.redhat.com/show_bug.cgi?id=2263914 |

| redhat_bugzilla | https://github.com/NLnetLabs/unbound/releases/tag/release-1.19.1 | https://bugzilla.redhat.com/show_bug.cgi?id=2263914 |

| redhat_bugzilla | https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2024q1/017430.html | https://bugzilla.redhat.com/show_bug.cgi?id=2263914 |

| redhat_bugzilla | https://kb.isc.org/docs/cve-2023-50387 | https://bugzilla.redhat.com/show_bug.cgi?id=2263914 |

| redhat_bugzilla | https://www.athene-center.de/en/news/press/key-trap | https://bugzilla.redhat.com/show_bug.cgi?id=2263914 |

| redhat_bugzilla | https://www.knot-resolver.cz/2024-02-13-knot-resolver-5.7.1.html | https://bugzilla.redhat.com/show_bug.cgi?id=2263914 |

| redhat_bugzilla | https://labs.ripe.net/author/haya-shulman/keytrap-algorithmic-complexity-attacks-exploit-fundamental-design-flaw-in-dnssec/ | https://bugzilla.redhat.com/show_bug.cgi?id=2263914 |

| redhat_bugzilla | https://lists.dns-oarc.net/pipermail/dns-operations/2024-February/022436.html | https://bugzilla.redhat.com/show_bug.cgi?id=2263914 |

| redhat_bugzilla | https://www.isc.org/blogs/2024-bind-security-release/ | https://bugzilla.redhat.com/show_bug.cgi?id=2263914 |

</details>

漏洞分析指导链接：

https://gitee.com/openeuler/cve-manager/blob/master/cve-vulner-manager/doc/md/manual.md

漏洞数据来源:

其它

漏洞补丁信息：

<details>

<summary>详情(点击展开)</summary>

| 影响的包 | 修复版本 | 修复补丁 | 问题引入补丁 | 来源 |

| ------- | -------- | ------- | -------- | --------- |

| | | https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=3ae7f1ab0d847b17fdc95fd0e5b3120f66dc3af9 | | snyk |

| | | http://www.openwall.com/lists/oss-security/2024/02/16/2 | | nvd |

| | | http://www.openwall.com/lists/oss-security/2024/02/16/3 | | nvd |

| | | https://access.redhat.com/security/cve/CVE-2023-50387 | | nvd |

| | | https://bugzilla.suse.com/show_bug.cgi?id=1219823 | | nvd |

| | | https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-01.html | | nvd |

| | | https://gitlab.nic.cz/knot/knot-resolver/-/releases/v5.7.1 | | nvd |

| | | https://kb.isc.org/docs/cve-2023-50387 | | nvd |

| | | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BUIP7T7Z4T3UHLXFWG6XIVDP4GYPD3AI/ | | nvd |

| | | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PNNHZSZPG2E7NBMBNYPGHCFI4V4XRWNQ/ | | nvd |

| | | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SVYA42BLXUCIDLD35YIJPJSHDIADNYMP/ | | nvd |

| | | https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2024q1/017430.html | | nvd |

| | | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-50387 | | nvd |

| | | https://news.ycombinator.com/item?id=39367411 | | nvd |

| | | https://news.ycombinator.com/item?id=39372384 | | nvd |

| | | https://nlnetlabs.nl/news/2024/Feb/13/unbound-1.19.1-released/ | | nvd |

| | | https://www.athene-center.de/aktuelles/key-trap | | nvd |

| | | https://www.athene-center.de/fileadmin/content/PDF/Technical_Report_KeyTrap.pdf | | nvd |

| | | https://www.isc.org/blogs/2024-bind-security-release/ | | nvd |

| | | https://www.securityweek.com/keytrap-dns-attack-could-disable-large-parts-of-internet-researchers/ | | nvd |

| | | https://www.theregister.com/2024/02/13/dnssec_vulnerability_internet/ | | nvd |

| | | https://www.nlnetlabs.nl/downloads/unbound/patch_CVE-2023-50387_CVE-2023-50868.diff | | unbound |

</details>

二、漏洞分析结构反馈

影响性分析说明：

即“KeyTrap”攻击，DNS协议（RFC 4033、4034、4035、6840等协议）的某些DNSSEC方面的协议缺陷，允许远程攻击者通过一个或多个DNSSEC响应发动Dos攻击，造成拒绝服务（CPU消耗）。

openEuler评分：

7.5

Vector：CVSS：3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

受影响版本排查(受影响/不受影响)：

1.master(2.89):受影响

2.openEuler-20.03-LTS-SP1(2.82):受影响

3.openEuler-20.03-LTS-SP4(2.82):受影响

4.openEuler-22.03-LTS(2.86):受影响

5.openEuler-22.03-LTS-Next(2.86):受影响

6.openEuler-22.03-LTS-SP1(2.86):受影响

7.openEuler-22.03-LTS-SP2(2.86):受影响

8.openEuler-22.03-LTS-SP3(2.86):受影响

修复是否涉及abi变化(是/否)：

1.master(2.89):否

2.openEuler-20.03-LTS-SP1(2.82):否

3.openEuler-20.03-LTS-SP4(2.82):否

4.openEuler-22.03-LTS(2.86):否

5.openEuler-22.03-LTS-Next(2.86):否

6.openEuler-22.03-LTS-SP1(2.86):否

7.openEuler-22.03-LTS-SP2(2.86):否

8.openEuler-22.03-LTS-SP3(2.86):否

一、漏洞信息

漏洞编号：[CVE-2023-50387](https://nvd.nist.gov/vuln/detail/CVE-2023-50387)

漏洞归属组件：[dnsmasq](https://gitee.com/src-openeuler/dnsmasq)

漏洞归属的版本：2.82,2.85,2.86,2.88,2.89

CVSS V3.0分值：

BaseScore：7.5 High

Vector：CVSS：3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

漏洞简述：

Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6840, and related RFCs) allow remote attackers to cause a denial of service (CPU consumption) via one or more DNSSEC responses, aka the KeyTrap issue. One of the concerns is that, when there is a zone with many DNSKEY and RRSIG records, the protocol specification implies that an algorithm must evaluate all combinations of DNSKEY and RRSIG records.

漏洞公开时间：2024-02-15 00:15:45

漏洞创建时间：2024-02-21 01:40:04

漏洞详情参考链接：

https://nvd.nist.gov/vuln/detail/CVE-2023-50387

<details>

<summary>更多参考(点击展开)</summary>

| 参考来源 | 参考链接 | 来源链接 |

| ------- | -------- | -------- |

| cve.mitre.org | http://www.openwall.com/lists/oss-security/2024/02/16/2 | |

| cve.mitre.org | http://www.openwall.com/lists/oss-security/2024/02/16/3 | |

| cve.mitre.org | https://access.redhat.com/security/cve/CVE-2023-50387 | |

| cve.mitre.org | https://bugzilla.suse.com/show_bug.cgi?id=1219823 | |

| cve.mitre.org | https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-01.html | |

| cve.mitre.org | https://gitlab.nic.cz/knot/knot-resolver/-/releases/v5.7.1 | |

| cve.mitre.org | https://kb.isc.org/docs/cve-2023-50387 | |

| cve.mitre.org | https://lists.debian.org/debian-lts-announce/2024/02/msg00006.html | |

| cve.mitre.org | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BUIP7T7Z4T3UHLXFWG6XIVDP4GYPD3AI/ | |

</details>

漏洞分析指导链接：

https://gitee.com/openeuler/cve-manager/blob/master/cve-vulner-manager/doc/md/manual.md

漏洞数据来源:

其它

漏洞补丁信息：

<details>

<summary>详情(点击展开)</summary>

| 影响的包 | 修复版本 | 修复补丁 | 问题引入补丁 | 来源 |

| ------- | -------- | ------- | -------- | --------- |

| | | https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=3ae7f1ab0d847b17fdc95fd0e5b3120f66dc3af9 | | snyk |

| | | http://www.openwall.com/lists/oss-security/2024/02/16/2 | | nvd |

| | | http://www.openwall.com/lists/oss-security/2024/02/16/3 | | nvd |

| | | https://access.redhat.com/security/cve/CVE-2023-50387 | | nvd |

| | | https://bugzilla.suse.com/show_bug.cgi?id=1219823 | | nvd |

| | | https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-01.html | | nvd |

| | | https://gitlab.nic.cz/knot/knot-resolver/-/releases/v5.7.1 | | nvd |

| | | https://kb.isc.org/docs/cve-2023-50387 | | nvd |

| | | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BUIP7T7Z4T3UHLXFWG6XIVDP4GYPD3AI/ | | nvd |

| | | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PNNHZSZPG2E7NBMBNYPGHCFI4V4XRWNQ/ | | nvd |

| | | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SVYA42BLXUCIDLD35YIJPJSHDIADNYMP/ | | nvd |

| | | https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2024q1/017430.html | | nvd |

| | | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-50387 | | nvd |

| | | https://news.ycombinator.com/item?id=39367411 | | nvd |

| | | https://news.ycombinator.com/item?id=39372384 | | nvd |

| | | https://nlnetlabs.nl/news/2024/Feb/13/unbound-1.19.1-released/ | | nvd |

| | | https://www.athene-center.de/aktuelles/key-trap | | nvd |

| | | https://www.athene-center.de/fileadmin/content/PDF/Technical_Report_KeyTrap.pdf | | nvd |

| | | https://www.isc.org/blogs/2024-bind-security-release/ | | nvd |

| | | https://www.securityweek.com/keytrap-dns-attack-could-disable-large-parts-of-internet-researchers/ | | nvd |

| | | https://www.theregister.com/2024/02/13/dnssec_vulnerability_internet/ | | nvd |

| | | https://www.nlnetlabs.nl/downloads/unbound/patch_CVE-2023-50387_CVE-2023-50868.diff | | unbound |

</details>

二、漏洞分析结构反馈

影响性分析说明：

即“KeyTrap”攻击，DNS协议（RFC 4033、4034、4035、6840等协议）的某些DNSSEC方面的协议缺陷，允许远程攻击者通过一个或多个DNSSEC响应发动Dos攻击，造成拒绝服务（CPU消耗）。

openEuler评分：

7.5

Vector：CVSS：3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

受影响版本排查(受影响/不受影响)：

1.master(2.89):受影响

2.openEuler-20.03-LTS-SP1(2.82):受影响

3.openEuler-20.03-LTS-SP4(2.82):受影响

4.openEuler-22.03-LTS(2.86):受影响

5.openEuler-22.03-LTS-Next(2.86):受影响

6.openEuler-22.03-LTS-SP1(2.86):受影响

7.openEuler-22.03-LTS-SP2(2.86):受影响

8.openEuler-22.03-LTS-SP3(2.86):受影响

修复是否涉及abi变化(是/否)：

1.master(2.89):否

2.openEuler-20.03-LTS-SP1(2.82):否

3.openEuler-20.03-LTS-SP4(2.82):否

4.openEuler-22.03-LTS(2.86):否

5.openEuler-22.03-LTS-Next(2.86):否

6.openEuler-22.03-LTS-SP1(2.86):否

7.openEuler-22.03-LTS-SP2(2.86):否

8.openEuler-22.03-LTS-SP3(2.86):否

一、漏洞信息

漏洞编号：[CVE-2023-50387](https://nvd.nist.gov/vuln/detail/CVE-2023-50387)

漏洞归属组件：[dnsmasq](https://gitee.com/src-openeuler/dnsmasq)

漏洞归属的版本：2.82,2.85,2.86,2.88,2.89

CVSS V3.0分值：

BaseScore：7.5 High

Vector：CVSS：3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

漏洞简述：

Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6840, and related RFCs) allow remote attackers to cause a denial of service (CPU consumption) via one or more DNSSEC responses, aka the KeyTrap issue. One of the concerns is that, when there is a zone with many DNSKEY and RRSIG records, the protocol specification implies that an algorithm must evaluate all combinations of DNSKEY and RRSIG records.

漏洞公开时间：2024-02-15 00:15:45

漏洞创建时间：2024-02-21 01:40:04

漏洞详情参考链接：

https://nvd.nist.gov/vuln/detail/CVE-2023-50387

<details>

<summary>更多参考(点击展开)</summary>

| 参考来源 | 参考链接 | 来源链接 |

| ------- | -------- | -------- |

| cve.mitre.org | http://www.openwall.com/lists/oss-security/2024/02/16/2 | |

| cve.mitre.org | http://www.openwall.com/lists/oss-security/2024/02/16/3 | |

| cve.mitre.org | https://access.redhat.com/security/cve/CVE-2023-50387 | |

| cve.mitre.org | https://bugzilla.suse.com/show_bug.cgi?id=1219823 | |

| cve.mitre.org | https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-01.html | |

| cve.mitre.org | https://gitlab.nic.cz/knot/knot-resolver/-/releases/v5.7.1 | |

| cve.mitre.org | https://kb.isc.org/docs/cve-2023-50387 | |

| cve.mitre.org | https://lists.debian.org/debian-lts-announce/2024/02/msg00006.html | |

| cve.mitre.org | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BUIP7T7Z4T3UHLXFWG6XIVDP4GYPD3AI/ | |

| cve.mitre.org | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HVRDSJVZKMCXKKPP6PNR62T7RWZ3YSDZ/ | |

| cve.mitre.org | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PNNHZSZPG2E7NBMBNYPGHCFI4V4XRWNQ/ | |

| cve.mitre.org | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RGS7JN6FZXUSTC2XKQHH27574XOULYYJ/ | |

| cve.mitre.org | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SVYA42BLXUCIDLD35YIJPJSHDIADNYMP/ | |

| cve.mitre.org | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TEXGOYGW7DBS3N2QSSQONZ4ENIRQEAPG/ | |

| cve.mitre.org | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQESRWMJCF4JEYJEAKLRM6CT55GLJAB7/ | |

| cve.mitre.org | https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2024q1/017430.html | |

| cve.mitre.org | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-50387 | |

| cve.mitre.org | https://news.ycombinator.com/item?id=39367411 | |

| cve.mitre.org | https://news.ycombinator.com/item?id=39372384 | |

| cve.mitre.org | https://nlnetlabs.nl/news/2024/Feb/13/unbound-1.19.1-released/ | |

| cve.mitre.org | https://www.athene-center.de/aktuelles/key-trap | |

| cve.mitre.org | https://www.athene-center.de/fileadmin/content/PDF/Technical_Report_KeyTrap.pdf | |

| cve.mitre.org | https://www.isc.org/blogs/2024-bind-security-release/ | |

| cve.mitre.org | https://www.securityweek.com/keytrap-dns-attack-could-disable-large-parts-of-internet-researchers/ | |

| cve.mitre.org | https://www.theregister.com/2024/02/13/dnssec_vulnerability_internet/ | |

| redhat_bugzilla | https://fosstodon.org/@tychotithonus@infosec.exchange/111924626751024210 | https://bugzilla.redhat.com/show_bug.cgi?id=2263914 |

| redhat_bugzilla | https://github.com/NLnetLabs/unbound/releases/tag/release-1.19.1 | https://bugzilla.redhat.com/show_bug.cgi?id=2263914 |

| redhat_bugzilla | https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2024q1/017430.html | https://bugzilla.redhat.com/show_bug.cgi?id=2263914 |

| redhat_bugzilla | https://kb.isc.org/docs/cve-2023-50387 | https://bugzilla.redhat.com/show_bug.cgi?id=2263914 |

| redhat_bugzilla | https://www.athene-center.de/en/news/press/key-trap | https://bugzilla.redhat.com/show_bug.cgi?id=2263914 |

| redhat_bugzilla | https://www.knot-resolver.cz/2024-02-13-knot-resolver-5.7.1.html | https://bugzilla.redhat.com/show_bug.cgi?id=2263914 |

| redhat_bugzilla | https://labs.ripe.net/author/haya-shulman/keytrap-algorithmic-complexity-attacks-exploit-fundamental-design-flaw-in-dnssec/ | https://bugzilla.redhat.com/show_bug.cgi?id=2263914 |

| redhat_bugzilla | https://lists.dns-oarc.net/pipermail/dns-operations/2024-February/022436.html | https://bugzilla.redhat.com/show_bug.cgi?id=2263914 |

| redhat_bugzilla | https://www.isc.org/blogs/2024-bind-security-release/ | https://bugzilla.redhat.com/show_bug.cgi?id=2263914 |

| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2024:0965 | https://bugzilla.redhat.com/show_bug.cgi?id=2263914 |

| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2024:0977 | https://bugzilla.redhat.com/show_bug.cgi?id=2263914 |

| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2024:0981 | https://bugzilla.redhat.com/show_bug.cgi?id=2263914 |

| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2024:0982 | https://bugzilla.redhat.com/show_bug.cgi?id=2263914 |

| bind | | https://kb.isc.org/v1/docs/cve-2023-50387 |

| cve_search | | https://www.athene-center.de/aktuelles/key-trap |

| cve_search | | https://nlnetlabs.nl/news/2024/Feb/13/unbound-1.19.1-released/ |

| cve_search | | https://kb.isc.org/docs/cve-2023-50387 |

| cve_search | | https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-01.html |

| cve_search | | https://www.theregister.com/2024/02/13/dnssec_vulnerability_internet/ |

| cve_search | | https://news.ycombinator.com/item?id=39367411 |

| cve_search | | https://www.securityweek.com/keytrap-dns-attack-could-disable-large-parts-of-internet-researchers/ |

| cve_search | | https://www.isc.org/blogs/2024-bind-security-release/ |

| cve_search | | https://news.ycombinator.com/item?id=39372384 |

| cve_search | | https://gitlab.nic.cz/knot/knot-resolver/-/releases/v5.7.1 |

| cve_search | | https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2024q1/017430.html |

| cve_search | | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-50387 |

| cve_search | | https://access.redhat.com/security/cve/CVE-2023-50387 |

| cve_search | | https://bugzilla.suse.com/show_bug.cgi?id=1219823 |

| cve_search | | https://www.athene-center.de/fileadmin/content/PDF/Technical_Report_KeyTrap.pdf |

| cve_search | | http://www.openwall.com/lists/oss-security/2024/02/16/2 |

| cve_search | | http://www.openwall.com/lists/oss-security/2024/02/16/3 |

| cve_search | | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SVYA42BLXUCIDLD35YIJPJSHDIADNYMP/ |

| cve_search | | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BUIP7T7Z4T3UHLXFWG6XIVDP4GYPD3AI/ |

| cve_search | | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PNNHZSZPG2E7NBMBNYPGHCFI4V4XRWNQ/ |

| cve_search | | https://lists.debian.org/debian-lts-announce/2024/02/msg00006.html |

| mageia | | http://advisories.mageia.org/MGASA-2024-0038.html |

| osv | https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-01.html | https://osv.dev/vulnerability/CVE-2023-50387 |

| osv | https://www.isc.org/blogs/2024-bind-security-release/ | https://osv.dev/vulnerability/CVE-2023-50387 |

| osv | https://bugzilla.suse.com/show_bug.cgi?id=1219823 | https://osv.dev/vulnerability/CVE-2023-50387 |

| osv | http://www.openwall.com/lists/oss-security/2024/02/16/2 | https://osv.dev/vulnerability/CVE-2023-50387 |

| osv | http://www.openwall.com/lists/oss-security/2024/02/16/3 | https://osv.dev/vulnerability/CVE-2023-50387 |

| osv | https://access.redhat.com/security/cve/CVE-2023-50387 | https://osv.dev/vulnerability/CVE-2023-50387 |

| osv | https://gitlab.nic.cz/knot/knot-resolver/-/releases/v5.7.1 | https://osv.dev/vulnerability/CVE-2023-50387 |

| osv | https://kb.isc.org/docs/cve-2023-50387 | https://osv.dev/vulnerability/CVE-2023-50387 |

| osv | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SVYA42BLXUCIDLD35YIJPJSHDIADNYMP/ | https://osv.dev/vulnerability/CVE-2023-50387 |

| osv | https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2024q1/017430.html | https://osv.dev/vulnerability/CVE-2023-50387 |

| osv | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-50387 | https://osv.dev/vulnerability/CVE-2023-50387 |

| osv | https://news.ycombinator.com/item?id=39367411 | https://osv.dev/vulnerability/CVE-2023-50387 |

| osv | https://news.ycombinator.com/item?id=39372384 | https://osv.dev/vulnerability/CVE-2023-50387 |

| osv | https://nlnetlabs.nl/news/2024/Feb/13/unbound-1.19.1-released/ | https://osv.dev/vulnerability/CVE-2023-50387 |

| osv | https://www.athene-center.de/aktuelles/key-trap | https://osv.dev/vulnerability/CVE-2023-50387 |

| osv | https://www.athene-center.de/fileadmin/content/PDF/Technical_Report_KeyTrap.pdf | https://osv.dev/vulnerability/CVE-2023-50387 |

| osv | https://www.securityweek.com/keytrap-dns-attack-could-disable-large-parts-of-internet-researchers/ | https://osv.dev/vulnerability/CVE-2023-50387 |

| osv | https://www.theregister.com/2024/02/13/dnssec_vulnerability_internet/ | https://osv.dev/vulnerability/CVE-2023-50387 |

| amazon_linux_explore | https://access.redhat.com/security/cve/CVE-2023-50387 | https://explore.alas.aws.amazon.com/CVE-2023-50387.html |

| amazon_linux_explore | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-50387 | https://explore.alas.aws.amazon.com/CVE-2023-50387.html |

| snyk | https://kb.isc.org/docs/cve-2023-50387 | https://security.snyk.io/vuln/SNYK-UNMANAGED-BIND-6245757 |

| snyk | https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=3ae7f1ab0d847b17fdc95fd0e5b3120f66dc3af9 | https://security.snyk.io/vuln/SNYK-UNMANAGED-BIND-6245757 |

| snyk | https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2024q1/017430.html | https://security.snyk.io/vuln/SNYK-UNMANAGED-BIND-6245757 |

| snyk | https://kb.isc.org/docs/cve-2023-50387 | https://security.snyk.io/vuln/SNYK-UNMANAGED-DNSMASQ-6245756 |

| snyk | https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=3ae7f1ab0d847b17fdc95fd0e5b3120f66dc3af9 | https://security.snyk.io/vuln/SNYK-UNMANAGED-DNSMASQ-6245756 |

| snyk | https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2024q1/017430.html | https://security.snyk.io/vuln/SNYK-UNMANAGED-DNSMASQ-6245756 |

| cve.mitre.org | http://www.openwall.com/lists/oss-security/2024/02/16/2 | |

| cve.mitre.org | http://www.openwall.com/lists/oss-security/2024/02/16/3 | |

| cve.mitre.org | https://access.redhat.com/security/cve/CVE-2023-50387 | |

| cve.mitre.org | https://bugzilla.suse.com/show_bug.cgi?id=1219823 | |

| cve.mitre.org | https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-01.html | |

| cve.mitre.org | https://gitlab.nic.cz/knot/knot-resolver/-/releases/v5.7.1 | |

| cve.mitre.org | https://kb.isc.org/docs/cve-2023-50387 | |

| cve.mitre.org | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BUIP7T7Z4T3UHLXFWG6XIVDP4GYPD3AI/ | |

| cve.mitre.org | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PNNHZSZPG2E7NBMBNYPGHCFI4V4XRWNQ/ | |

| cve.mitre.org | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SVYA42BLXUCIDLD35YIJPJSHDIADNYMP/ | |

| cve.mitre.org | https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2024q1/017430.html | |

| cve.mitre.org | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-50387 | |

| cve.mitre.org | https://news.ycombinator.com/item?id=39367411 | |

</details>

漏洞分析指导链接：

https://gitee.com/openeuler/cve-manager/blob/master/cve-vulner-manager/doc/md/manual.md

漏洞数据来源:

其它

漏洞补丁信息：

<details>

<summary>详情(点击展开)</summary>

| 影响的包 | 修复版本 | 修复补丁 | 问题引入补丁 | 来源 |

| ------- | -------- | ------- | -------- | --------- |

| | | https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=3ae7f1ab0d847b17fdc95fd0e5b3120f66dc3af9 | | snyk |

| | | http://www.openwall.com/lists/oss-security/2024/02/16/2 | | nvd |

| | | http://www.openwall.com/lists/oss-security/2024/02/16/3 | | nvd |

| | | https://access.redhat.com/security/cve/CVE-2023-50387 | | nvd |

| | | https://bugzilla.suse.com/show_bug.cgi?id=1219823 | | nvd |

| | | https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-01.html | | nvd |

| | | https://gitlab.nic.cz/knot/knot-resolver/-/releases/v5.7.1 | | nvd |

| | | https://kb.isc.org/docs/cve-2023-50387 | | nvd |

| | | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BUIP7T7Z4T3UHLXFWG6XIVDP4GYPD3AI/ | | nvd |

| | | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PNNHZSZPG2E7NBMBNYPGHCFI4V4XRWNQ/ | | nvd |

| | | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SVYA42BLXUCIDLD35YIJPJSHDIADNYMP/ | | nvd |

| | | https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2024q1/017430.html | | nvd |

| | | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-50387 | | nvd |

| | | https://news.ycombinator.com/item?id=39367411 | | nvd |

| | | https://news.ycombinator.com/item?id=39372384 | | nvd |

| | | https://nlnetlabs.nl/news/2024/Feb/13/unbound-1.19.1-released/ | | nvd |

| | | https://www.athene-center.de/aktuelles/key-trap | | nvd |

| | | https://www.athene-center.de/fileadmin/content/PDF/Technical_Report_KeyTrap.pdf | | nvd |

| | | https://www.isc.org/blogs/2024-bind-security-release/ | | nvd |

| | | https://www.securityweek.com/keytrap-dns-attack-could-disable-large-parts-of-internet-researchers/ | | nvd |

| | | https://www.theregister.com/2024/02/13/dnssec_vulnerability_internet/ | | nvd |

| | | https://www.nlnetlabs.nl/downloads/unbound/patch_CVE-2023-50387_CVE-2023-50868.diff | | unbound |

</details>

二、漏洞分析结构反馈

影响性分析说明：

openEuler评分：

7.5

Vector：CVSS：3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

受影响版本排查(受影响/不受影响)：

1.master(2.89):受影响

2.openEuler-20.03-LTS-SP1(2.82):受影响

3.openEuler-20.03-LTS-SP4(2.82):受影响

4.openEuler-22.03-LTS(2.86):受影响

5.openEuler-22.03-LTS-Next(2.86):受影响

6.openEuler-22.03-LTS-SP1(2.86):受影响

7.openEuler-22.03-LTS-SP2(2.86):受影响

8.openEuler-22.03-LTS-SP3(2.86):受影响

修复是否涉及abi变化(是/否)：

1.master(2.89):否

2.openEuler-20.03-LTS-SP1(2.82):否

3.openEuler-20.03-LTS-SP4(2.82):否

4.openEuler-22.03-LTS(2.86):否

5.openEuler-22.03-LTS-Next(2.86):否

6.openEuler-22.03-LTS-SP1(2.86):否

7.openEuler-22.03-LTS-SP2(2.86):否

8.openEuler-22.03-LTS-SP3(2.86):否

一、漏洞信息

漏洞编号：[CVE-2023-50387](https://nvd.nist.gov/vuln/detail/CVE-2023-50387)

漏洞归属组件：[dnsmasq](https://gitee.com/src-openeuler/dnsmasq)

漏洞归属的版本：2.82,2.85,2.86,2.88,2.89

CVSS V3.0分值：

BaseScore：7.5 High

Vector：CVSS：3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

漏洞简述：

Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6840, and related RFCs) allow remote attackers to cause a denial of service (CPU consumption) via one or more DNSSEC responses, aka the KeyTrap issue. One of the concerns is that, when there is a zone with many DNSKEY and RRSIG records, the protocol specification implies that an algorithm must evaluate all combinations of DNSKEY and RRSIG records.

漏洞公开时间：2024-02-15 00:15:45

漏洞创建时间：2024-02-21 01:40:04

漏洞详情参考链接：

https://nvd.nist.gov/vuln/detail/CVE-2023-50387

<details>

<summary>更多参考(点击展开)</summary>

| 参考来源 | 参考链接 | 来源链接 |

| ------- | -------- | -------- |

| cve.mitre.org | http://www.openwall.com/lists/oss-security/2024/02/16/2 | |

| cve.mitre.org | http://www.openwall.com/lists/oss-security/2024/02/16/3 | |

| cve.mitre.org | https://access.redhat.com/security/cve/CVE-2023-50387 | |

| cve.mitre.org | https://bugzilla.suse.com/show_bug.cgi?id=1219823 | |

| cve.mitre.org | https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-01.html | |

| cve.mitre.org | https://gitlab.nic.cz/knot/knot-resolver/-/releases/v5.7.1 | |

| cve.mitre.org | https://kb.isc.org/docs/cve-2023-50387 | |

| cve.mitre.org | https://lists.debian.org/debian-lts-announce/2024/02/msg00006.html | |

| cve.mitre.org | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BUIP7T7Z4T3UHLXFWG6XIVDP4GYPD3AI/ | |

| cve.mitre.org | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HVRDSJVZKMCXKKPP6PNR62T7RWZ3YSDZ/ | |

| cve.mitre.org | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PNNHZSZPG2E7NBMBNYPGHCFI4V4XRWNQ/ | |

| cve.mitre.org | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RGS7JN6FZXUSTC2XKQHH27574XOULYYJ/ | |

| cve.mitre.org | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SVYA42BLXUCIDLD35YIJPJSHDIADNYMP/ | |

| cve.mitre.org | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TEXGOYGW7DBS3N2QSSQONZ4ENIRQEAPG/ | |

| cve.mitre.org | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQESRWMJCF4JEYJEAKLRM6CT55GLJAB7/ | |

| cve.mitre.org | https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2024q1/017430.html | |

| cve.mitre.org | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-50387 | |

| cve.mitre.org | https://news.ycombinator.com/item?id=39367411 | |

| cve.mitre.org | https://news.ycombinator.com/item?id=39372384 | |

| cve.mitre.org | https://nlnetlabs.nl/news/2024/Feb/13/unbound-1.19.1-released/ | |

| cve.mitre.org | https://www.athene-center.de/aktuelles/key-trap | |

| cve.mitre.org | https://www.athene-center.de/fileadmin/content/PDF/Technical_Report_KeyTrap.pdf | |

| cve.mitre.org | https://www.isc.org/blogs/2024-bind-security-release/ | |

| cve.mitre.org | https://www.securityweek.com/keytrap-dns-attack-could-disable-large-parts-of-internet-researchers/ | |

| cve.mitre.org | https://www.theregister.com/2024/02/13/dnssec_vulnerability_internet/ | |

| redhat_bugzilla | https://fosstodon.org/@tychotithonus@infosec.exchange/111924626751024210 | https://bugzilla.redhat.com/show_bug.cgi?id=2263914 |

| redhat_bugzilla | https://github.com/NLnetLabs/unbound/releases/tag/release-1.19.1 | https://bugzilla.redhat.com/show_bug.cgi?id=2263914 |

| redhat_bugzilla | https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2024q1/017430.html | https://bugzilla.redhat.com/show_bug.cgi?id=2263914 |

| redhat_bugzilla | https://kb.isc.org/docs/cve-2023-50387 | https://bugzilla.redhat.com/show_bug.cgi?id=2263914 |

| redhat_bugzilla | https://www.athene-center.de/en/news/press/key-trap | https://bugzilla.redhat.com/show_bug.cgi?id=2263914 |

| redhat_bugzilla | https://www.knot-resolver.cz/2024-02-13-knot-resolver-5.7.1.html | https://bugzilla.redhat.com/show_bug.cgi?id=2263914 |

| redhat_bugzilla | https://labs.ripe.net/author/haya-shulman/keytrap-algorithmic-complexity-attacks-exploit-fundamental-design-flaw-in-dnssec/ | https://bugzilla.redhat.com/show_bug.cgi?id=2263914 |

| redhat_bugzilla | https://lists.dns-oarc.net/pipermail/dns-operations/2024-February/022436.html | https://bugzilla.redhat.com/show_bug.cgi?id=2263914 |

| redhat_bugzilla | https://www.isc.org/blogs/2024-bind-security-release/ | https://bugzilla.redhat.com/show_bug.cgi?id=2263914 |

| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2024:0965 | https://bugzilla.redhat.com/show_bug.cgi?id=2263914 |

| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2024:0977 | https://bugzilla.redhat.com/show_bug.cgi?id=2263914 |

| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2024:0981 | https://bugzilla.redhat.com/show_bug.cgi?id=2263914 |

| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2024:0982 | https://bugzilla.redhat.com/show_bug.cgi?id=2263914 |

| bind | | https://kb.isc.org/v1/docs/cve-2023-50387 |

</details>

漏洞分析指导链接：

https://gitee.com/openeuler/cve-manager/blob/master/cve-vulner-manager/doc/md/manual.md

漏洞数据来源:

其它

漏洞补丁信息：

<details>

<summary>详情(点击展开)</summary>

| 影响的包 | 修复版本 | 修复补丁 | 问题引入补丁 | 来源 |

| ------- | -------- | ------- | -------- | --------- |

| | | https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=3ae7f1ab0d847b17fdc95fd0e5b3120f66dc3af9 | | snyk |

| | | http://www.openwall.com/lists/oss-security/2024/02/16/2 | | nvd |

| | | http://www.openwall.com/lists/oss-security/2024/02/16/3 | | nvd |

| | | https://access.redhat.com/security/cve/CVE-2023-50387 | | nvd |

| | | https://bugzilla.suse.com/show_bug.cgi?id=1219823 | | nvd |

| | | https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-01.html | | nvd |

| | | https://gitlab.nic.cz/knot/knot-resolver/-/releases/v5.7.1 | | nvd |

| | | https://kb.isc.org/docs/cve-2023-50387 | | nvd |

| | | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BUIP7T7Z4T3UHLXFWG6XIVDP4GYPD3AI/ | | nvd |

| | | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PNNHZSZPG2E7NBMBNYPGHCFI4V4XRWNQ/ | | nvd |

| | | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SVYA42BLXUCIDLD35YIJPJSHDIADNYMP/ | | nvd |

| | | https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2024q1/017430.html | | nvd |

| | | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-50387 | | nvd |

| | | https://news.ycombinator.com/item?id=39367411 | | nvd |

| | | https://news.ycombinator.com/item?id=39372384 | | nvd |

| | | https://nlnetlabs.nl/news/2024/Feb/13/unbound-1.19.1-released/ | | nvd |

| | | https://www.athene-center.de/aktuelles/key-trap | | nvd |

| | | https://www.athene-center.de/fileadmin/content/PDF/Technical_Report_KeyTrap.pdf | | nvd |

| | | https://www.isc.org/blogs/2024-bind-security-release/ | | nvd |

| | | https://www.securityweek.com/keytrap-dns-attack-could-disable-large-parts-of-internet-researchers/ | | nvd |

| | | https://www.theregister.com/2024/02/13/dnssec_vulnerability_internet/ | | nvd |

| | | https://www.nlnetlabs.nl/downloads/unbound/patch_CVE-2023-50387_CVE-2023-50868.diff | | unbound |

</details>

二、漏洞分析结构反馈

影响性分析说明：

即“KeyTrap”攻击，DNS协议（RFC 4033、4034、4035、6840等协议）的某些DNSSEC方面的协议缺陷，允许远程攻击者通过一个或多个DNSSEC响应发动Dos攻击，造成拒绝服务（CPU消耗）。

openEuler评分：

7.5

Vector：CVSS：3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

受影响版本排查(受影响/不受影响)：

1.master(2.89):受影响

2.openEuler-20.03-LTS-SP1(2.82):受影响

3.openEuler-20.03-LTS-SP4(2.82):受影响

4.openEuler-22.03-LTS(2.86):受影响

5.openEuler-22.03-LTS-Next(2.86):受影响

6.openEuler-22.03-LTS-SP1(2.86):受影响

7.openEuler-22.03-LTS-SP2(2.86):受影响

8.openEuler-22.03-LTS-SP3(2.86):受影响

修复是否涉及abi变化(是/否)：

1.master(2.89):否

2.openEuler-20.03-LTS-SP1(2.82):否

3.openEuler-20.03-LTS-SP4(2.82):否

4.openEuler-22.03-LTS(2.86):否

5.openEuler-22.03-LTS-Next(2.86):否

6.openEuler-22.03-LTS-SP1(2.86):否

7.openEuler-22.03-LTS-SP2(2.86):否

8.openEuler-22.03-LTS-SP3(2.86):否