Netty is vulnerable to DNS cache poisoning due to improper validation of CNAME records, which can lead to traffic redirection and potential man-in-the-middle attacks.

This is a DNS cache poisoning vulnerability. The DnsResolveContext fails to check if CNAME records originate from the correct bailiwick, allowing attackers to inject malicious DNS records into the cache of applications using the framework.

The CVSS score of 8.7 highlights the severity of this issue. Successful exploitation allows for DNS hijacking, which can redirect users to malicious servers, facilitate data interception, or cause significant disruption to network communications for any application relying on Netty for DNS resolution.

Immediate Action: Upgrade Netty to version 4.1.135, 4.2.15, or higher to implement proper CNAME bailiwick validation.

Proactive Monitoring: Monitor for anomalous DNS resolution patterns or unexpected traffic redirection within applications using the Netty framework.

Compensating Controls: Ensure that upstream DNS servers are configured to provide DNSSEC validation and consider using additional network-level security to verify DNS responses.

Public Exploit Available: false

DNS integrity is foundational to network security. Organizations must prioritize upgrading to the recommended Netty versions to prevent cache poisoning attacks and ensure the reliability of their network communications.