GHSA-crjg-w57m-rqqf: 
Java vulnerability analysis and mitigation

DNSJava versions 3.5.0 through 3.5.3 are vulnerable to the KeyTrap vulnerability (CVE-2023-50387). This vulnerability affects the DNSSEC validation functionality, where users utilizing the ValidatingResolver for DNSSEC validation can experience CPU exhaustion when processing specially crafted DNSSEC-signed zones (GitHub Advisory).

The vulnerability stems from DNSSEC aspects of the DNS protocol where, when encountering a zone with many DNSKEY and RRSIG records, the protocol specification requires evaluating all combinations of DNSKEY and RRSIG records. This can lead to algorithmic complexity attacks causing CPU exhaustion. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (High) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (NVD).

The primary impact of this vulnerability is the potential for denial-of-service attacks through CPU exhaustion. Attackers can exploit this vulnerability by sending specially crafted DNSSEC responses that force the resolver to perform excessive computational work, potentially impacting service availability (GitHub Advisory).

Users should upgrade to DNSJava version 3.6.0 which includes fixes for this vulnerability. As a temporary workaround, though not recommended, users can switch to using a non-validating resolver to remove the vulnerability. However, this compromises security by disabling DNSSEC validation (GitHub Advisory).