GHSA-mmwx-rj87-vfgr: 
Java vulnerability analysis and mitigation

CVE-2023-50868 (GHSA-mmwx-rj87-vfgr), also known as the NSEC3 KeyTrap vulnerability, affects DNSJava versions 3.5.0 through 3.5.3. The vulnerability was discovered and disclosed in July 2024, impacting DNS implementations that use DNSSEC validation. The vulnerability specifically affects the Closest Encloser Proof aspect of the DNS protocol as defined in RFC 5155 when RFC 9276 guidance is skipped (NVD, GitHub Advisory).

The vulnerability exists in the DNSSEC validation process where the RFC 5155 specification requires performing thousands of iterations of SHA-1 hash function computations in certain situations during the Closest Encloser Proof verification. This implementation detail can be exploited through specially crafted DNSSEC-signed zones. The vulnerability has been assigned a CVSS v3.1 score of 6.5 (Moderate) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H, indicating a network-based attack vector with low complexity that requires user interaction (GitHub Advisory).

When exploited, this vulnerability can lead to denial of service through CPU exhaustion. The attack specifically targets systems using the ValidatingResolver for DNSSEC validation, causing excessive CPU consumption through forced SHA-1 computations (GitHub Advisory).

The primary mitigation is to upgrade to DNSJava version 3.6.0 or later, which contains the fix for this vulnerability. For users unable to upgrade immediately, a temporary workaround is to use a non-validating resolver, though this is not recommended as it removes DNSSEC security protections (GitHub Advisory).