
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2024-25638 affects dnsjava, an implementation of DNS in Java. The vulnerability, discovered and disclosed in July 2024, arises because records in DNS replies are not checked for their relevance to the query, allowing an attacker to respond with RRs (Resource Records) from different zones. It affects versions prior to 3.6.0 (GitHub Advisory).
The vulnerability stems from improper response validation in DNS message processing. DNS messages carry no authentication mechanism to guarantee that received RRs are authentic, that non-received RRs do not exist, or that the records in a response actually relate to the request. DNSSEC typically provides the first two guarantees; the third requires the resolver itself to check each received RR against the question it asked, logic that dnsjava lacked. The vulnerability has been assigned a CVSS v3.1 base score of 8.9 (HIGH) with vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:L (GitHub Advisory).
The vulnerability can be exploited by a rogue recursive resolver or network attacker on UDP/TCP connections to add RRs irrelevant to the query or completely exchange relevant response records. This impacts security frameworks using DNS(SEC) libraries, potentially affecting email systems (IMAP server connections, SMTP mail delivery), TLS traffic through TLSA record manipulation, and trust store management systems that rely on URI and SMIMEA records (GitHub Advisory).
The following mitigations are recommended (GitHub Advisory):
1) When using a ValidatingResolver, ignore any server indications of data availability.
2) For APIs returning RRs from DNS responses, implement filtering algorithms for the RRs, particularly for LookupSession.lookupAsync.
3) Remove, or clearly warn about, APIs dealing with raw DNS messages in the examples section.
The vulnerability has been fixed in version 3.6.0.
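The relevance check that the advisory says was missing, and that mitigation 2 asks callers to add, is shown below as an added example written for this page; it is not dnsjava's code or its 3.6.0 fix. It parses a DNS response from wire format, then keeps only answer RRs whose owner name and class match the question and whose type is the queried type or a CNAME at that name (following the CNAME chain as responses conventionally order it). The response bytes, names and addresses are constructed sample values: a legitimate A record for www.example. plus two out-of-scope RRs of the kind the advisory describes (a TLSA record for a mail host and an A record for an unrelated name).

```python
"""Added example (not dnsjava's code): minimal DNS wire-format parsing plus a
question-relevance filter for answer RRs. All names and record data are
constructed sample values."""
import struct

TYPE_A, TYPE_CNAME, TYPE_TLSA = 1, 5, 52
CLASS_IN = 1


def encode_name(name: str) -> bytes:
    """Encode a dotted name as uncompressed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_response(qname, qtype, answers):
    """Build a response: header, one question, the given answer RRs.
    answers: list of (owner name, type, rdata bytes); class IN, TTL 300."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, len(answers), 0, 0)
    body = encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN)
    for name, rtype, rdata in answers:
        body += encode_name(name)
        body += struct.pack("!HHIH", rtype, CLASS_IN, 300, len(rdata)) + rdata
    return header + body


def parse_name(msg: bytes, off: int):
    """Decode a possibly compressed name. Returns (name, offset after it)."""
    labels, jumped, end, hops = [], False, None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:          # compression pointer (RFC 1035 4.1.4)
            if not jumped:
                end = off + 2              # caller resumes after the pointer
            off = ((length & 0x3F) << 8) | msg[off + 1]
            jumped, hops = True, hops + 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels).lower() + ".", (end if jumped else off)


def parse_message(msg: bytes):
    """Parse header, question and answer section.
    Returns (question, answers) with answers as (name, type, class, rdata_off, rdlen)."""
    _id, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off, question = 12, None
    for _ in range(qd):
        name, off = parse_name(msg, off)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        question = (name, qtype, qclass)
    answers = []
    for _ in range(an):
        name, off = parse_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        answers.append((name, rtype, rclass, off, rdlen))
        off += rdlen
    return question, answers


def relevant_answers(msg, question, answers):
    """Keep only RRs that answer the question: same class, owner name equal to
    the name currently being resolved, and either the queried type or a CNAME
    (whose target becomes the name being resolved). Anything else, e.g. a TLSA
    record for an unrelated host, is dropped instead of being passed to callers."""
    qname, qtype, qclass = question
    current, kept = qname, []
    for name, rtype, rclass, rdata_off, rdlen in answers:
        if rclass != qclass or name != current:
            continue
        if rtype == TYPE_CNAME:
            kept.append((name, rtype, rclass, rdata_off, rdlen))
            current, _ = parse_name(msg, rdata_off)   # follow the chain
        elif rtype == qtype:
            kept.append((name, rtype, rclass, rdata_off, rdlen))
    return kept


def demo():
    """Constructed response with one legitimate answer and two out-of-scope RRs."""
    good = ("www.example.", TYPE_A, bytes([192, 0, 2, 10]))
    stray_tlsa = ("_25._tcp.mail.example.", TYPE_TLSA, b"\x03\x01\x01" + b"\x00" * 32)
    stray_a = ("login.example.", TYPE_A, bytes([198, 51, 100, 7]))
    wire = build_response("www.example.", TYPE_A, [good, stray_tlsa, stray_a])
    question, answers = parse_message(wire)
    kept = relevant_answers(wire, question, answers)
    return [(n, t) for n, t, *_ in kept], len(answers)


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows three RRs arriving in the answer section and only the www.example. A record surviving the filter. A production resolver additionally needs bailiwick checks for the authority and additional sections and DNSSEC validation; this example covers only the answer-section relevance check the advisory describes.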
Source: This report was generated using AI