CVE-2022-38177: Memory leak in ECDSA DNSSEC verification code
First published: Wed Sep 21 2022(Updated: )
By spoofing the target resolver with responses that have a malformed ECDSA signature, an attacker can trigger a small memory leak. It is possible to gradually erode available memory to the point where named crashes for lack of resources.
Credit: security-officer@isc.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/bind | <32:9.11.4-26.P2.el7_9.10 | 32:9.11.4-26.P2.el7_9.10 |
| redhat/bind | <32:9.11.36-3.el8_6.1 | 32:9.11.36-3.el8_6.1 |
| redhat/bind9.16 | <32:9.16.23-0.7.el8_6.1 | 32:9.16.23-0.7.el8_6.1 |
| redhat/bind | <32:9.11.4-26.P2.el8_1.6 | 32:9.11.4-26.P2.el8_1.6 |
| redhat/bind | <32:9.11.13-6.el8_2.4 | 32:9.11.13-6.el8_2.4 |
| redhat/bind | <32:9.11.26-4.el8_4.1 | 32:9.11.26-4.el8_4.1 |
| redhat/bind | <32:9.16.23-1.el9_0.1 | 32:9.16.23-1.el9_0.1 |
| debian/bind9 | <=1:9.11.5.P4+dfsg-5.1+deb10u7 | 1:9.11.5.P4+dfsg-5.1+deb10u9 1:9.16.44-1~deb11u1 1:9.18.19-1~deb12u1 1:9.19.17-1 |
| redhat/bind | <9.16.33 | 9.16.33 |
| ISC BIND | >=9.8.4<=9.16.32 | |
| Isc Bind Supported Preview | =9.9.3-s1 | |
| ISC BIND | =9.9.3-s1 | |
| ISC BIND | =9.9.12-s1 | |
| ISC BIND | =9.9.13-s1 | |
| ISC BIND | =9.10.5-s1 | |
| ISC BIND | =9.10.7-s1 | |
| ISC BIND | =9.11.3-s1 | |
| Isc Bind Supported Preview | =9.11.5-s3 | |
| ISC BIND | =9.11.5-s3 | |
| ISC BIND | =9.11.5-s5 | |
| ISC BIND | =9.11.5-s6 | |
| ISC BIND | =9.11.6-s1 | |
| ISC BIND | =9.11.7-s1 | |
| ISC BIND | =9.11.8-s1 | |
| ISC BIND | =9.11.12-s1 | |
| ISC BIND | =9.11.14-s1 | |
| ISC BIND | =9.11.19-s1 | |
| ISC BIND | =9.11.21-s1 | |
| ISC BIND | =9.11.27-s1 | |
| ISC BIND | =9.11.29-s1 | |
| ISC BIND | =9.11.35-s1 | |
| ISC BIND | =9.11.37-s1 | |
| ISC BIND | =9.16.8-s1 | |
| ISC BIND | =9.16.11-s1 | |
| ISC BIND | =9.16.13-s1 | |
| ISC BIND | =9.16.21-s1 | |
| ISC BIND | =9.16.32-s1 | |
| Debian Debian Linux | =10.0 | |
| Debian Debian Linux | =11.0 | |
| Fedoraproject Fedora | =35 | |
| Fedoraproject Fedora | =36 | |
| Fedoraproject Fedora | =37 | |
| Netapp Active Iq Unified Manager Vmware Vsphere |
Remedy
Upgrade to the patched release most closely related to your current version of BIND: BIND 9.16.33, or for BIND Supported Preview Edition (a special feature preview branch of BIND provided to eligible ISC support customers): BIND 9.16.33-S1.
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.cve.org/CVERecord?id=CVE-2022-38177 https://nvd.nist.gov/vuln/detail/CVE-2022-38177 https://kb.isc.org/docs/cve-2022-38177
- https://bugzilla.redhat.com/show_bug.cgi?id=2128601
- https://access.redhat.com/errata/RHSA-2022:6765
- https://access.redhat.com/errata/RHSA-2022:6778
- https://access.redhat.com/errata/RHSA-2022:6781
- https://access.redhat.com/errata/RHSA-2022:6764
- https://access.redhat.com/errata/RHSA-2022:6780
- https://access.redhat.com/errata/RHSA-2022:6779
- https://access.redhat.com/errata/RHSA-2022:6763
- https://access.redhat.com/errata/RHSA-2022:8598
- https://access.redhat.com/security/cve/cve-2022-38177
- https://kb.isc.org/docs/cve-2022-38177
- https://gitlab.isc.org/isc-projects/bind9/-/commit/d4eb6e0a57a7eeb42328ff66865fa66688603c17
- https://gitlab.isc.org/isc-projects/bind9/-/commit/5b2282afff760b1ed3471f6666bdfe8e1d34e590
- https://security-tracker.debian.org/tracker/CVE-2022-38177
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2128710
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2128712
- https://access.redhat.com/errata/RHSA-2022:7643
- http://www.openwall.com/lists/oss-security/2022/09/21/3
- https://lists.debian.org/debian-lts-announce/2022/10/msg00007.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CV4GQWBPF7Y52J2FA24U6UMHQAOXZEF7/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MRHB6J4Z7BKH4HPEKG5D35QGRD6ANNMT/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YZJQNUASODNVAWZV6STKG5SD6XIJ446S/
- https://security.gentoo.org/glsa/202210-25
- https://security.netapp.com/advisory/ntap-20221228-0010/
- https://www.debian.org/security/2022/dsa-5235
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CV4GQWBPF7Y52J2FA24U6UMHQAOXZEF7/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MRHB6J4Z7BKH4HPEKG5D35QGRD6ANNMT/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YZJQNUASODNVAWZV6STKG5SD6XIJ446S/
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is the vulnerability ID for this flaw in the Bind package?
The vulnerability ID for this flaw in the Bind package is CVE-2022-38177.
What is the severity rating of CVE-2022-38177?
The severity rating of CVE-2022-38177 is high, with a value of 7.5.
What is the impact of CVE-2022-38177?
CVE-2022-38177 allows an attacker to trigger a small memory leak, potentially causing named to crash.
Which software versions are affected by CVE-2022-38177?
Software versions up to and excluding 9.16.33 of the Bind package are affected by CVE-2022-38177.
Where can I find more information about CVE-2022-38177?
You can find more information about CVE-2022-38177 in the references provided: [link1] [link2] [link3].
- collector/redhat-cve
- collector/security-tracker-debian
- agent/type
- agent/first-publish-date
- agent/author
- agent/severity
- agent/weakness
- agent/description
- collector/nvd-index
- agent/software-canonical-lookup-request
- agent/softwarecombine
- agent/references
- agent/title
- agent/remedy
- agent/tags
- collector/mitre-cve
- source/MITRE
- agent/event
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2022-38177
- agent/software-canonical-lookup
- agent/last-modified-date
- agent/trending
- package-manager/redhat
- package-manager/debian
- vendor/isc
- canonical/isc bind
- version/isc bind/9.8.4
- version/isc bind/9.16.32
- canonical/isc bind supported preview
- version/isc bind supported preview/9.9.3-s1
- version/isc bind/9.9.3-s1
- version/isc bind/9.9.12-s1
- version/isc bind/9.9.13-s1
- version/isc bind/9.10.5-s1
- version/isc bind/9.10.7-s1
- version/isc bind/9.11.3-s1
- version/isc bind supported preview/9.11.5-s3
- version/isc bind/9.11.5-s3
- version/isc bind/9.11.5-s5
- version/isc bind/9.11.5-s6
- version/isc bind/9.11.6-s1
- version/isc bind/9.11.7-s1
- version/isc bind/9.11.8-s1
- version/isc bind/9.11.12-s1
- version/isc bind/9.11.14-s1
- version/isc bind/9.11.19-s1
- version/isc bind/9.11.21-s1
- version/isc bind/9.11.27-s1
- version/isc bind/9.11.29-s1
- version/isc bind/9.11.35-s1
- version/isc bind/9.11.37-s1
- version/isc bind/9.16.8-s1
- version/isc bind/9.16.11-s1
- version/isc bind/9.16.13-s1
- version/isc bind/9.16.21-s1
- version/isc bind/9.16.32-s1
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/10.0
- version/debian debian linux/11.0
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/35
- version/fedoraproject fedora/36
- version/fedoraproject fedora/37
- vendor/netapp
- canonical/netapp active iq unified manager vmware vsphere