CVE-2024-11187: 
Rocky Linux vulnerability analysis and mitigation

CVE-2024-11187 is a vulnerability in BIND 9, discovered in January 2025, that affects versions 9.11.0 through 9.11.37, 9.16.0 through 9.16.50, 9.18.0 through 9.18.32, 9.20.0 through 9.20.4, 9.21.0 through 9.21.3, and several S1 variants. The vulnerability allows attackers to construct malicious DNS zones that generate responses containing numerous records in the Additional section (NVD, ISC KB).

The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. It is classified as CWE-405 (Asymmetric Resource Consumption/Amplification). When exploited, the vulnerability causes the DNS server to generate responses containing an excessive number of records in the Additional section, leading to disproportionate resource consumption (NVD).

When successfully exploited, this vulnerability can cause either the authoritative server itself or an independent resolver to consume excessive CPU resources. This resource exhaustion can effectively prevent the server from responding to other client queries, resulting in a denial of service condition (Security Online).

ISC has released patched versions of BIND (9.18.33, 9.20.5, or 9.21.4) to address this vulnerability. As a temporary workaround, administrators can enable the minimal-responses option in BIND's configuration. Users are strongly advised to upgrade to the latest versions as soon as possible (Security Online).