CVE-2021-36754: 
Linux Alpine vulnerability analysis and mitigation

PowerDNS Authoritative Server version 4.5.0 contains a vulnerability (CVE-2021-36754) discovered on July 26th, 2021, that allows remote attackers to crash the server process. The vulnerability affects only version 4.5.0, while versions 4.4.x and below, as well as version 4.5.1, are not affected (PowerDNS Advisory).

The vulnerability occurs when the server receives a DNS query with QTYPE 65535, which triggers an uncaught out-of-bounds exception. This issue is classified with a CVSS v3.1 Base Score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. The vulnerability is tracked under CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) (NVD).

When exploited, the vulnerability results in a denial of service condition by causing the PowerDNS Authoritative Server process to crash. However, when the server is running under a supervisor like supervisord or systemd, the impact is limited to a somewhat degraded service as the process will automatically restart (PowerDNS Advisory).

The primary solution is to upgrade to PowerDNS Authoritative Server version 4.5.1. For users who cannot immediately upgrade but have dnsdist in place, a temporary workaround is available by implementing a filter using the command addAction(QTypeRule(65535), RCodeAction(DNSRCode.REFUSED)) to block the malicious queries (PowerDNS Advisory).

The vulnerability was discovered by Reinier Schoof and Robin Geuze of TransIP, who noticed crashes in production environments and promptly reported the issue to PowerDNS (PowerDNS Advisory).