CVE-2022-3080: Input Validation
First published: Wed Sep 21 2022(Updated: )
By sending specific queries to the resolver, an attacker can cause named to crash.
Credit: security-officer@isc.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| ISC BIND | >=9.16.14<9.16.33 | |
| ISC BIND | >=9.18.0<9.18.7 | |
| ISC BIND | >=9.19.0<9.19.5 | |
| ISC BIND | =9.16.14-s1 | |
| ISC BIND | =9.16.21-s1 | |
| ISC BIND | =9.16.32-s1 | |
| Fedoraproject Fedora | =35 | |
| Fedoraproject Fedora | =36 | |
| Fedoraproject Fedora | =37 | |
| redhat/bind9.16 | <32:9.16.23-0.7.el8_6.1 | 32:9.16.23-0.7.el8_6.1 |
| redhat/bind | <32:9.16.23-1.el9_0.1 | 32:9.16.23-1.el9_0.1 |
| debian/bind9 | 1:9.11.5.P4+dfsg-5.1+deb10u7 1:9.11.5.P4+dfsg-5.1+deb10u9 1:9.16.44-1~deb11u1 1:9.18.19-1~deb12u1 1:9.19.17-1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://www.openwall.com/lists/oss-security/2022/09/21/3
- https://kb.isc.org/docs/cve-2022-3080
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CV4GQWBPF7Y52J2FA24U6UMHQAOXZEF7/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MRHB6J4Z7BKH4HPEKG5D35QGRD6ANNMT/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YZJQNUASODNVAWZV6STKG5SD6XIJ446S/
- https://security.gentoo.org/glsa/202210-25
- https://www.debian.org/security/2022/dsa-5235
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2128706
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2128708
- https://access.redhat.com/errata/RHSA-2022:6763
- https://access.redhat.com/errata/RHSA-2022:6781
- https://access.redhat.com/security/cve/cve-2022-3080
- https://bugzilla.redhat.com/show_bug.cgi?id=2128600
- https://www.cve.org/CVERecord?id=CVE-2022-3080 https://nvd.nist.gov/vuln/detail/CVE-2022-3080 https://kb.isc.org/docs/cve-2022-3080
- https://gitlab.isc.org/isc-projects/bind9/-/commit/b9e2f3333d0d29deb3ef932aa7aeb28086f153bd
- https://gitlab.isc.org/isc-projects/bind9/-/commit/3f68e2ad838b3c12a725ccb1082a54b0e8b69562
- https://security-tracker.debian.org/tracker/CVE-2022-3080
Frequently Asked Questions
What is the vulnerability ID for this flaw?
The vulnerability ID for this flaw is CVE-2022-3080.
What is the impact of this vulnerability?
The impact of this vulnerability is that an attacker can cause named to crash.
What software is affected by this vulnerability?
The Bind package versions 9.16.33, 9.18.7, and 9.19.5, as well as specific versions of bind9 and ISC BIND, and Fedora versions 35, 36, and 37 are affected.
How can I fix this vulnerability?
To fix this vulnerability, update to Bind package version 9.16.33, 9.18.7, or 9.19.5, depending on your distribution and package source.
What is the severity level of this vulnerability?
The severity level of this vulnerability is high, with a CVSS score of 7.5.
- agent/author
- agent/description
- agent/event
- agent/first-publish-date
- agent/last-modified-date
- agent/references
- agent/remedy
- agent/severity
- agent/softwarecombine
- agent/tags
- agent/type
- agent/weakness
- collector/nvd-index
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2022-3080
- agent/software-canonical-lookup
- collector/redhat-cve
- collector/security-tracker-debian
- vendor/isc
- canonical/isc bind
- version/isc bind/9.16.14
- version/isc bind/9.18.0
- version/isc bind/9.19.0
- version/isc bind/9.16.14-s1
- version/isc bind/9.16.21-s1
- version/isc bind/9.16.32-s1
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/35
- version/fedoraproject fedora/36
- version/fedoraproject fedora/37
- package-manager/redhat
- package-manager/debian