[Off Topic] BIND version vulnerability with bind-libs and bind-utils libraries


We have installed Asterisk on an AWS CentOS instance, within a very restricted environment. Our security team has done a penetration test on this.

They have raised a concern with two packages installed:

Package installed : bind-libs-9.9.4-61.el7
Package installed : bind-utils-9.9.4-61.el7

  1. Vulnerable BIND version
    A denial of service flaw was discovered in bind versions that include the “deny-answer-aliases” feature.
    This flaw may allow a remote attacker to trigger an INSIST assert in named leading to termination of the process and a denial of service condition.
    Severity: High

Recommended Fix: Update the affected bind packages to latest version

I already have the updated version of this library. Is there any recommendation on how to work around this? Will it cause any security issues if I remove the library?

Thanks in advance.

Bind is not directly used by Asterisk. It’s outside of its scope, so you may have better luck asking such questions elsewhere.

Thanks jcolp, can we remove those libraries in that case? If Asterisk doesn’t use it, we don’t have any other application on that EC2 instance.

I can only speak for Asterisk. We don’t directly use or link against bind. I have no idea what else your system is doing or how it is configured.

Thanks jcolp for your quick response and help.
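
Added example, not part of the original thread: a small triage script for the finding quoted above, which names the `named` process and the "deny-answer-aliases" feature while the flagged packages are only `bind-libs` and `bind-utils`. It assumes that on CentOS 7 the `named` daemon ships in the separate `bind` package and that the feature matters only when it is set in `named.conf`; the function names and sample inputs are constructed for illustration.

```shell
# Triage helper for a scanner finding that flags BIND packages by version.
# Both inputs are passed in as text so the logic runs offline:
#   $1 = installed packages, one per line, as `rpm -qa` prints them
#   $2 = contents of named.conf (empty if the file does not exist)

# True when the server package that ships the named daemon is listed.
# bind-libs, bind-utils and bind-license do not match this pattern.
has_named_server() {
    printf '%s\n' "$1" | grep -Eq '^bind-[0-9]'
}

# True when deny-answer-aliases appears outside a // or # comment.
# Simplification: /* ... */ block comments are not stripped.
uses_deny_answer_aliases() {
    printf '%s\n' "$1" | sed -e 's://.*$::' -e 's:#.*$::' \
        | grep -q 'deny-answer-aliases'
}

# Prints one of: no-named, named-feature-unused, named-feature-configured
triage() {
    if ! has_named_server "$1"; then
        echo "no-named"
    elif uses_deny_answer_aliases "$2"; then
        echo "named-feature-configured"
    else
        echo "named-feature-unused"
    fi
}

# Constructed sample inputs (not taken from a real host).
PKGS_CLIENT_ONLY='bind-libs-9.9.4-61.el7.x86_64
bind-utils-9.9.4-61.el7.x86_64
bind-license-9.9.4-61.el7.noarch'

PKGS_WITH_SERVER="$PKGS_CLIENT_ONLY
bind-9.9.4-61.el7.x86_64"

CONF_COMMENTED='options {
    // deny-answer-aliases { "example.org"; };
    recursion no;
};'
CONF_ENABLED='options {
    deny-answer-aliases { "example.org"; };
};'

triage "$PKGS_CLIENT_ONLY" ""
triage "$PKGS_WITH_SERVER" "$CONF_COMMENTED"
triage "$PKGS_WITH_SERVER" "$CONF_ENABLED"
```

On a live host the same function can be fed `"$(rpm -qa 'bind*')"` and `"$(cat /etc/named.conf 2>/dev/null)"`; the result describes exposure of that host only and does not replace updating the packages.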