CVE-2022-3080: BIND 9 resolvers configured to answer from stale cache with zero stale-answer-client-timeout may terminate unexpectedly
First published: Wed Sep 21 2022(Updated: )
By sending specific queries to the resolver, an attacker can cause named to crash.
Credit: security-officer@isc.org security-officer@isc.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/bind9.16 | <32:9.16.23-0.7.el8_6.1 | 32:9.16.23-0.7.el8_6.1 |
| redhat/bind | <32:9.16.23-1.el9_0.1 | 32:9.16.23-1.el9_0.1 |
| ISC BIND | >=9.16.14<9.16.33 | |
| ISC BIND | >=9.18.0<9.18.7 | |
| ISC BIND | >=9.19.0<9.19.5 | |
| ISC BIND | =9.16.14-s1 | |
| ISC BIND | =9.16.21-s1 | |
| ISC BIND | =9.16.32-s1 | |
| Fedoraproject Fedora | =35 | |
| Fedoraproject Fedora | =36 | |
| Fedoraproject Fedora | =37 | |
| debian/bind9 | 1:9.11.5.P4+dfsg-5.1+deb10u7 1:9.11.5.P4+dfsg-5.1+deb10u9 1:9.16.44-1~deb11u1 1:9.18.19-1~deb12u1 1:9.19.17-1 | |
| redhat/bind | <9.16.33 | 9.16.33 |
| redhat/bind | <9.18.7 | 9.18.7 |
| redhat/bind | <9.19.5 | 9.19.5 |
| >=9.16.14<9.16.33 | ||
| >=9.18.0<9.18.7 | ||
| >=9.19.0<9.19.5 | ||
| =9.16.14-s1 | ||
| =9.16.21-s1 | ||
| =9.16.32-s1 | ||
| =35 | ||
| =36 | ||
| =37 |
Remedy
Upgrade to the patched release most closely related to your current version of BIND: BIND 9.16.33, BIND 9.18.7, BIND 9.19.5, or for BIND Supported Preview Edition (a special feature preview branch of BIND provided to eligible ISC support customers): BIND 9.16.33-S1.
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.cve.org/CVERecord?id=CVE-2022-3080 https://nvd.nist.gov/vuln/detail/CVE-2022-3080 https://kb.isc.org/docs/cve-2022-3080
- https://bugzilla.redhat.com/show_bug.cgi?id=2128600
- https://access.redhat.com/errata/RHSA-2022:6781
- https://access.redhat.com/errata/RHSA-2022:6763
- https://access.redhat.com/security/cve/cve-2022-3080
- http://www.openwall.com/lists/oss-security/2022/09/21/3
- https://kb.isc.org/docs/cve-2022-3080
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CV4GQWBPF7Y52J2FA24U6UMHQAOXZEF7/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MRHB6J4Z7BKH4HPEKG5D35QGRD6ANNMT/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YZJQNUASODNVAWZV6STKG5SD6XIJ446S/
- https://security.gentoo.org/glsa/202210-25
- https://www.debian.org/security/2022/dsa-5235
- https://gitlab.isc.org/isc-projects/bind9/-/commit/b9e2f3333d0d29deb3ef932aa7aeb28086f153bd
- https://gitlab.isc.org/isc-projects/bind9/-/commit/3f68e2ad838b3c12a725ccb1082a54b0e8b69562
- https://security-tracker.debian.org/tracker/CVE-2022-3080
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2128706
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2128708
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CV4GQWBPF7Y52J2FA24U6UMHQAOXZEF7/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MRHB6J4Z7BKH4HPEKG5D35QGRD6ANNMT/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YZJQNUASODNVAWZV6STKG5SD6XIJ446S/
- https://security.netapp.com/advisory/ntap-20240621-0002/
Frequently Asked Questions
What is the vulnerability ID for this flaw?
The vulnerability ID for this flaw is CVE-2022-3080.
What is the impact of this vulnerability?
The impact of this vulnerability is that an attacker can cause named to crash.
What software is affected by this vulnerability?
The Bind package versions 9.16.33, 9.18.7, and 9.19.5, as well as specific versions of bind9 and ISC BIND, and Fedora versions 35, 36, and 37 are affected.
How can I fix this vulnerability?
To fix this vulnerability, update to Bind package version 9.16.33, 9.18.7, or 9.19.5, depending on your distribution and package source.
What is the severity level of this vulnerability?
The severity level of this vulnerability is high, with a CVSS score of 7.5.
- collector/redhat-cve
- collector/nvd-index
- collector/security-tracker-debian
- agent/type
- agent/first-publish-date
- agent/softwarecombine
- agent/author
- agent/severity
- agent/weakness
- agent/description
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2022-3080
- agent/software-canonical-lookup
- collector/mitre-cve
- source/MITRE
- agent/title
- agent/references
- agent/remedy
- agent/last-modified-date
- agent/event
- agent/tags
- collector/nvd-api
- source/NVD
- package-manager/redhat
- vendor/isc
- canonical/isc bind
- version/isc bind/9.16.14
- version/isc bind/9.18.0
- version/isc bind/9.19.0
- version/isc bind/9.16.14-s1
- version/isc bind/9.16.21-s1
- version/isc bind/9.16.32-s1
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/35
- version/fedoraproject fedora/36
- version/fedoraproject fedora/37
- package-manager/debian