Two vulnerabilities in BIND 9 (CVE-2023-3341, CVE-2023-4236)


Shane Filus

Oct 4, 2023, 5:33:42 PM

CI Operators:

ISC recently released two security advisories for BIND 9 [1] [2]. The issues are tracked as CVE-2023-3341 [3] and CVE-2023-4236 [4]; both are assessed a CVSS v3 score of 7.5.

For CVE-2023-3341, a stack exhaustion flaw in the control channel code may cause named to terminate unexpectedly.

For CVE-2023-4236, named may terminate unexpectedly under high DNS-over-TLS query load.

Affected Software

For CVE-2023-3341:

  • 9.2.0 -> 9.16.43

  • 9.18.0 -> 9.18.18

  • 9.19.0 -> 9.19.16

  • (Versions prior to 9.11.37 were not assessed.)

For CVE-2023-4236:

  • 9.18.0 -> 9.18.18

Update BIND to the latest version. If packages are not available for your OS distribution, source is available on the ISC homepage [5].

For CVE-2023-3341, make sure remote access to the control channel is disabled (this is the default).

For CVE-2023-4236, disable listening for DNS-over-TLS connections by removing listen-on ... tls ... { ... }; statements from the configuration.
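The two workarounds can be checked mechanically against a running configuration. The Python script below is an added example, not part of the Trusted CI or ISC advisories: it scans a named.conf for listen-on/listen-on-v6 statements that carry a tls clause (the CVE-2023-4236 workaround) and for controls statements that bind the rndc channel to a non-loopback address (the CVE-2023-3341 workaround). The sample configuration is constructed, and treating "tls none" as the plaintext form is an assumption.

```python
import re

# Constructed sample named.conf (not from the advisory) containing both settings the
# workarounds tell operators to remove: a remotely reachable control channel and DoT listeners.
SAMPLE_NAMED_CONF = """
options {
    listen-on port 53 { any; };
    listen-on port 853 tls local-tls { any; };        // DoT listener (CVE-2023-4236)
    listen-on-v6 port 853 tls local-tls { any; };
};
tls local-tls {
    key-file "/etc/bind/key.pem";
    cert-file "/etc/bind/cert.pem";
};
controls {
    inet 127.0.0.1 port 953 allow { localhost; } keys { rndc-key; };
    inet 0.0.0.0 port 953 allow { any; } keys { rndc-key; };   /* remote rndc (CVE-2023-3341) */
};
"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}

def strip_comments(text):
    """Remove the three comment styles named.conf accepts: /* */, // and #."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", text)

def statement_bodies(text, keyword):
    """Yield the body of every `keyword { ... }` statement, matching braces by depth."""
    for m in re.finditer(r"\b%s\s*\{" % re.escape(keyword), text):
        depth, i = 1, m.end()
        while i < len(text) and depth:
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        yield text[m.end():i - 1]

def audit_named_conf(text):
    """Return (cve, offending statement) pairs for the two advisory workarounds."""
    text = strip_comments(text)
    findings = []
    # CVE-2023-4236: listen-on / listen-on-v6 with a tls clause (assumption: "tls none" is plaintext)
    for m in re.finditer(r"\blisten-on(?:-v6)?\s+([^{;]*)\{[^}]*\}\s*;", text):
        tokens = m.group(1).split()
        i = tokens.index("tls") if "tls" in tokens else -1
        if i >= 0 and tokens[i + 1:i + 2] != ["none"]:
            findings.append(("CVE-2023-4236", " ".join(m.group(0).split())))
    # CVE-2023-3341: control channel bound to anything other than a loopback address
    for body in statement_bodies(text, "controls"):
        for inet in re.finditer(r"\binet\s+(\S+)", body):
            if inet.group(1) not in LOOPBACK:
                findings.append(("CVE-2023-3341", "inet " + inet.group(1)))
    return findings
```

An empty controls { }; statement, or no controls statement at all, produces no CVE-2023-3341 finding, which matches the advisory's note that the loopback-only default is already safe.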

How Trusted CI can help:

The potential impact of any vulnerability, and therefore the appropriate response, depends in part on operational conditions that are unique to each cyberinfrastructure deployment. Trusted CI cannot provide a one-size-fits-all severity rating and response recommendation for all NSF cyberinfrastructure. Please contact us if you need assistance with assessing the potential impact of these vulnerabilities in your environment and/or you have additional information about these issues that should be shared with the community.
