CVE-2024-25638
DNS vulnerability in dnsjava (Maven)

DNS | No known exploit | Fixable by Resolved Security

What is CVE-2024-25638 About?

dnsjava does not check that the resource records in a DNS reply are relevant to the question that was asked, so an attacker who controls the reply can insert records for unrelated names and have them treated as answers. Applications that trust those records can be directed to the wrong servers or leak information. Exploitation requires either a rogue recursive resolver or a network position from which DNS traffic can be modified, which makes it moderately complex.

Affected Software

dnsjava:dnsjava <3.6.0

Technical Details

dnsjava does not verify that the resource records (RRs) in a DNS reply are relevant to the original query. DNSSEC can prove that a record is authentic, but authenticity is not relevance: a validly signed record from a different zone still has nothing to do with the question that was asked. The relevance check, which restricts accepted RRs to the queried name (QNAME) and the names reached from it through CNAME/DNAME alias chains (a check that in some cases also draws on NSEC records), is not implemented by dnsjava's API. Consequently a malicious recursive resolver, or a network attacker in a man-in-the-middle position on the unencrypted UDP or TCP transport, can add arbitrary RRs to the ANSWER section of a response. dnsjava does not discard them, even when they are DNSSEC-signed records belonging to another zone, so an application that extracts answers from the message processes them as legitimate replies to its query. That is enough to redirect server selection (e.g., SRV or MX records) or to replace trust anchors (e.g., TLSA records).

What is the Impact of CVE-2024-25638?

Successful exploitation may allow an attacker to disclose information, redirect clients (and the credentials they send) to attacker-controlled hosts, intercept TLS traffic, or manipulate root-of-trust settings in applications that depend on dnsjava, for example through forged TLSA records.

What is the Exploitability of CVE-2024-25638?

Exploitation is of moderate complexity. The attacker needs either a rogue recursive resolver that returns crafted responses directly, or a network position from which DNS traffic can be intercepted and modified (a man-in-the-middle attack). No authentication against the target is required: once the attacker controls the resolution path or the network path, records can be injected freely, and elevated privileges matter only where a legitimate resolver would first have to be compromised. The attack vector is remote.

Two conditions on the application side make the attack work. First, the application filters records by type alone (for example, "all SRV records in the answer") without checking that each record's owner name is the QNAME or one of its aliases. Second, it obtains those records from dnsjava APIs that return the raw DNS message, or a simplified lookup result, without the relevance check applied. The risk is highest for applications, security frameworks in particular, that consume dnsjava's raw message output or its lookup results directly and add no filtering of their own.
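The two patterns described in the Technical Details and Exploitability sections, side by side, as an added example written for this page against the dnsjava 3.x API (it is not code from the dnsjava project or from the advisory). `byTypeOnly` is the vulnerable pattern: it keeps every ANSWER record of the wanted RRTYPE regardless of owner name. `relevantAnswers` is the check an application can apply itself: it accepts a record only if its owner name is the QNAME or a name reached from the QNAME through CNAME/DNAME records present in the same answer. The class and method names, the domain names, and the addresses are all constructed for illustration; the forged responses are built in memory, so nothing is sent on the network.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.util.ArrayList;
import java.util.List;

import org.xbill.DNS.ARecord;
import org.xbill.DNS.CNAMERecord;
import org.xbill.DNS.DClass;
import org.xbill.DNS.DNAMERecord;
import org.xbill.DNS.Flags;
import org.xbill.DNS.Message;
import org.xbill.DNS.Name;
import org.xbill.DNS.NameTooLongException;
import org.xbill.DNS.Record;
import org.xbill.DNS.SRVRecord;
import org.xbill.DNS.Section;
import org.xbill.DNS.Type;

public class AnswerRelevanceDemo {

  /** Vulnerable pattern: keep every ANSWER record of the wanted type, whatever its owner name. */
  static List<Record> byTypeOnly(Message response, int type) {
    List<Record> out = new ArrayList<>();
    for (Record r : response.getSection(Section.ANSWER)) {
      if (r.getType() == type) {
        out.add(r);
      }
    }
    return out;
  }

  /**
   * Hardened pattern (illustrative, not the library's own code): accept an ANSWER record only
   * if its owner name is the QNAME or a name reached from the QNAME through CNAME/DNAME
   * records that are themselves in the answer. Records for unrelated names are dropped even
   * if they carry a valid RRSIG, because a signature proves authenticity, not relevance.
   */
  static List<Record> relevantAnswers(Message query, Message response) throws NameTooLongException {
    Record q = query.getQuestion();
    Name current = q.getName();
    List<Record> answers = response.getSection(Section.ANSWER);
    List<Record> accepted = new ArrayList<>();
    // Each pass either stops or follows exactly one alias; bounding the passes by the number
    // of answer records means an attacker-supplied CNAME loop cannot spin forever.
    for (int hops = 0; hops <= answers.size(); hops++) {
      Name next = null;
      for (Record r : answers) {
        if (r.getDClass() != q.getDClass()) {
          continue; // wrong class, never relevant
        }
        if (r.getName().equals(current)) {
          if (r.getType() == q.getType()) {
            accepted.add(r); // direct answer at the current name
          } else if (r.getType() == Type.CNAME) {
            accepted.add(r); // alias: continue the chain at its target
            next = ((CNAMERecord) r).getTarget();
          }
        } else if (r.getType() == Type.DNAME && !current.equals(r.getName())) {
          // Name.fromDNAME returns null when 'current' is not below the DNAME owner.
          Name synthesized = current.fromDNAME((DNAMERecord) r);
          if (synthesized != null) {
            accepted.add(r);
            next = synthesized;
          }
        }
      }
      if (next == null || next.equals(current)) {
        break;
      }
      current = next;
    }
    return accepted;
  }

  public static void main(String[] args) throws IOException {
    // Constructed case 1: an SRV answer with one injected record for an unrelated name,
    // as a rogue resolver or on-path attacker could return it.
    Name qname = Name.fromString("_ldap._tcp.example.com.");
    Message query = Message.newQuery(Record.newRecord(qname, Type.SRV, DClass.IN));
    Message response = new Message(query.getHeader().getID());
    response.getHeader().setFlag(Flags.QR);
    response.addRecord(query.getQuestion(), Section.QUESTION);
    response.addRecord(new SRVRecord(qname, DClass.IN, 300, 0, 0, 389,
        Name.fromString("ldap1.example.com.")), Section.ANSWER);
    response.addRecord(new SRVRecord(Name.fromString("_ldap._tcp.attacker.test."), DClass.IN, 300,
        0, 0, 389, Name.fromString("ldap.attacker.test.")), Section.ANSWER);
    System.out.println("type-only filter : " + byTypeOnly(response, Type.SRV));   // both SRV records
    System.out.println("relevance filter : " + relevantAnswers(query, response)); // example.com only

    // Constructed case 2: a legitimate CNAME chain plus an injected A record that is off-chain.
    Name www = Name.fromString("www.example.com.");
    Name web = Name.fromString("web.example.net.");
    Message q2 = Message.newQuery(Record.newRecord(www, Type.A, DClass.IN));
    Message r2 = new Message(q2.getHeader().getID());
    r2.getHeader().setFlag(Flags.QR);
    r2.addRecord(q2.getQuestion(), Section.QUESTION);
    r2.addRecord(new CNAMERecord(www, DClass.IN, 300, web), Section.ANSWER);
    r2.addRecord(new ARecord(web, DClass.IN, 300, InetAddress.getByName("192.0.2.10")), Section.ANSWER);
    r2.addRecord(new ARecord(Name.fromString("login.example.com."), DClass.IN, 300,
        InetAddress.getByName("198.51.100.7")), Section.ANSWER);
    System.out.println("relevance filter : " + relevantAnswers(q2, r2)); // CNAME + web.example.net A
  }
}
```

Upgrading to 3.6.0 is the fix; a filter like `relevantAnswers` is defence in depth for code that still handles raw `Message` objects (for example, responses obtained from a resolver's `send` call) and should be applied before any type-based selection of SRV, MX or TLSA records. It deliberately ignores the AUTHORITY and ADDITIONAL sections, which applications should never treat as answers.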

What are the Known Public Exploits?

No known public exploits.

What are the Available Fixes for CVE-2024-25638?

A Fix by Resolved Security Exists!

About the Fix from Resolved Security

None

Available Upgrade Options

  • dnsjava:dnsjava
    • <3.6.0 → Upgrade to 3.6.0

Additional Resources

What are Similar Vulnerabilities to CVE-2024-25638?

Similar Vulnerabilities: CVE-2020-1350, CVE-2018-5743, CVE-2022-30206, CVE-2021-25219, CVE-2023-50387