Netty has Insufficient Bailiwick Validation for NS Records
Vulnerability Description
### Summary

Netty's `DnsResolveContext` insufficiently validates the bailiwick of NS records, enabling DNS cache poisoning. An attacker controlling an authoritative name server for a subdomain can poison the cache for parent domains (like `.co.uk`).

### Details

The `io.netty.resolver.dns.DnsResolveContext.AuthoritativeNameServerList#add` method accepts any NS record from the AUTHORITY section as long as the record's name is a suffix of the `questionName`. This means that if the resolver queries `evil.co.uk.`, it will accept an NS record claiming authority over `co.uk.`.

Subsequently, the `handleWithAdditional` method caches the associated A records from the ADDITIONAL section directly into the `authoritativeDnsServerCache` under the parent domain's key (`co.uk.`). This bypasses standard bailiwick rules, under which a server authoritative for a subdomain should not be trusted to provide authoritative records for its parent. The poisoned cache is then used for all future resolutions under `co.uk.`.

The `io.netty.resolver.dns.DnsResolveContext.AuthoritativeNameServerList#cache` method only prevents caching if the record is for the root zone (`dots == 1`).

### Impact

DNS cache poisoning. Any application using Netty's DNS resolver is impacted.

Source Code Location: https://github.com/netty/netty

Affected Packages:
- maven:io.netty:netty-resolver-dns, affected >= 4.2.0.Final, <= 4.2.14.Final, patched in 4.2.15.Final
- maven:io.netty:netty-resolver-dns, affected <= 4.1.134.Final, patched in 4.1.135.Final

CWEs:
- CWE-345: Insufficient Verification of Data Authenticity

CVSS:
- Primary: score 8.7, CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N
- CVSS_V3: score 8.7, CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N

References:
- https://github.com/netty/netty/security/advisories/GHSA-5pvg-856g-cp85
- https://github.com/netty/netty/releases/tag/netty-4.1.135.Final
- https://github.com/netty/netty/releases/tag/netty-4.2.15.Final
- https://github.com/advisories/GHSA-5pvg-856g-cp85
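The Details section contrasts the suffix-only rule (an NS record is trusted whenever the question name falls under the record's owner name) with the bailiwick rule a resolver should apply (the record's owner name must also lie at or below the zone the queried server was delegated for). The following is an added, stand-alone Java illustration of both rules side by side, written for this page; it is not Netty's code, does not use Netty's API, and the `NsRecord` model, the `bailiwick` parameter and the constructed `evil.co.uk.` response are assumptions made for the example.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;

/**
 * Stand-alone illustration of the bailiwick rule for NS records found in the
 * AUTHORITY section of a DNS response. Example code written for this advisory;
 * it is not Netty's implementation and does not use Netty's classes.
 */
public final class BailiwickCheck {

    /** Minimal NS-record model (assumed): owner (zone) name and delegated name server. */
    record NsRecord(String ownerName, String nameServer) {}

    /** Lower-case the name and make sure it ends with exactly one trailing dot. */
    static String canonical(String name) {
        String n = name.toLowerCase(Locale.ROOT);
        return n.endsWith(".") ? n : n + ".";
    }

    /** True when {@code name} is {@code zone} itself or a subdomain of it. */
    static boolean isAtOrBelow(String name, String zone) {
        String n = canonical(name);
        String z = canonical(zone);
        if (z.equals(".")) {
            return true; // every name is below the root
        }
        return n.equals(z) || n.endsWith("." + z);
    }

    /**
     * The insufficient rule the advisory describes: an NS record is accepted
     * whenever the question name falls under the record's owner name. A server
     * answering for evil.co.uk. can therefore hand out an NS record for co.uk.
     */
    static boolean acceptedBySuffixRuleOnly(String questionName, NsRecord ns) {
        return isAtOrBelow(questionName, ns.ownerName());
    }

    /**
     * The bailiwick rule: the record must cover the question name AND its owner
     * name must lie at or below the zone the queried server was delegated for
     * (the server's bailiwick). A server delegated for evil.co.uk. may assert
     * evil.co.uk. or sub.evil.co.uk., never co.uk.
     */
    static boolean acceptedByBailiwickRule(String questionName, String bailiwick, NsRecord ns) {
        return isAtOrBelow(questionName, ns.ownerName())
            && isAtOrBelow(ns.ownerName(), bailiwick);
    }

    /**
     * Glue (A/AAAA records from the ADDITIONAL section) is only trusted when it
     * names a server from an accepted NS record and that server name is itself
     * inside the bailiwick; anything else must be resolved independently.
     */
    static boolean glueAcceptable(String glueOwner, String bailiwick, List<NsRecord> acceptedNs) {
        if (!isAtOrBelow(glueOwner, bailiwick)) {
            return false;
        }
        for (NsRecord ns : acceptedNs) {
            if (canonical(ns.nameServer()).equals(canonical(glueOwner))) {
                return true;
            }
        }
        return false;
    }

    /** Apply the bailiwick rule to a whole AUTHORITY section. */
    static List<NsRecord> filterAuthority(String questionName, String bailiwick, List<NsRecord> authority) {
        List<NsRecord> accepted = new ArrayList<>();
        for (NsRecord ns : authority) {
            if (acceptedByBailiwickRule(questionName, bailiwick, ns)) {
                accepted.add(ns);
            }
        }
        return accepted;
    }

    public static void main(String[] args) {
        // Constructed response: the resolver asked the server delegated for
        // evil.co.uk. about evil.co.uk.; the AUTHORITY section tries to assert
        // delegation for the parent zone co.uk. as well as for its own zone.
        String question = "evil.co.uk.";
        String bailiwick = "evil.co.uk.";
        List<NsRecord> authority = List.of(
            new NsRecord("co.uk.", "ns.evil.co.uk."),       // out of bailiwick
            new NsRecord("evil.co.uk.", "ns.evil.co.uk.")); // in bailiwick

        for (NsRecord ns : authority) {
            System.out.printf("%-14s suffix-rule=%-5b bailiwick-rule=%b%n",
                ns.ownerName(),
                acceptedBySuffixRuleOnly(question, ns),
                acceptedByBailiwickRule(question, bailiwick, ns));
        }

        List<NsRecord> kept = filterAuthority(question, bailiwick, authority);
        System.out.println("accepted NS records: " + kept);
        System.out.println("glue for ns.evil.co.uk. acceptable: "
            + glueAcceptable("ns.evil.co.uk.", bailiwick, kept));
    }
}
```

Under the suffix-only rule both records pass, so the `co.uk.` delegation (and its glue) would be cached under the parent key; under the bailiwick rule only the `evil.co.uk.` record survives, which is what keeps a subdomain's server from rewriting where the resolver sends future `co.uk.` queries. The `bailiwick` value is the zone the resolver was referred to the server for, which a real resolver has to carry along from the previous referral rather than derive from the question name.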