CVE-2022-3924: named configured to answer from stale cache may terminate unexpectedly at recursive-clients soft quota
First published: Tue Jan 24 2023(Updated: )
A flaw was found in Bind. When resolver receives many queries requiring recursion, there will be a corresponding increase in the number of clients waiting for recursion to complete. This may, under certain conditions, lead to an assertion failure and a denial of service.
Credit: security-officer@isc.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/bind9.16 | <32:9.16.23-0.14.el8 | 32:9.16.23-0.14.el8 |
| redhat/bind | <32:9.16.23-11.el9 | 32:9.16.23-11.el9 |
| ISC BIND | >=9.16.12<9.16.37 | |
| ISC BIND | >=9.18.0<9.18.11 | |
| ISC BIND | >=9.19.0<9.19.9 | |
| ISC BIND | =9.16.12-s1 | |
| ISC BIND | =9.16.13-s1 | |
| ISC BIND | =9.16.14-s1 | |
| ISC BIND | =9.16.21-s1 | |
| ISC BIND | =9.16.32-s1 | |
| ISC BIND | =9.16.36-s1 |
Remedy
Disabling stale-answer-client-timeout entirely or setting the timeout value to zero prevents the problem. It is not possible to disable the limit on recursive-clients, though it could be set to a very high value in order to reduce the likelihood of encountering this scenario. However, this is not recommended as the limit on recursive clients is important for preventing exhaustion of server resources.
Remedy
Upgrade to the patched release most closely related to your current version of BIND 9: 9.16.37, 9.18.11, 9.19.9, or 9.16.37-S1.
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://kb.isc.org/docs/cve-2022-3924
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2164508
- https://access.redhat.com/errata/RHSA-2023:2261
- https://access.redhat.com/errata/RHSA-2023:2792
- https://access.redhat.com/security/cve/cve-2022-3924
- https://bugzilla.redhat.com/show_bug.cgi?id=2164039
- https://www.cve.org/CVERecord?id=CVE-2022-3924 https://nvd.nist.gov/vuln/detail/CVE-2022-3924 https://kb.isc.org/docs/cve-2022-3924
Frequently Asked Questions
What is the vulnerability ID for this flaw in Bind?
The vulnerability ID for this flaw in Bind is CVE-2022-3924.
What is the severity level of CVE-2022-3924?
CVE-2022-3924 has a severity level of 7.5 (High).
Which software is affected by CVE-2022-3924?
CVE-2022-3924 affects BIND 9 resolvers with `stale-answer-enable yes;` that also make use of the option `stale-answer-client-timeout`, configured with a value greater than zero.
How can I fix CVE-2022-3924?
To fix CVE-2022-3924, update the affected BIND software to version 9.16.37 or later.
Where can I find more information about CVE-2022-3924?
You can find more information about CVE-2022-3924 in the following references: [Bugzilla](https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2164508) and [Red Hat Advisory RHSA-2023:2261](https://access.redhat.com/errata/RHSA-2023:2261).
- collector/redhat-cve
- collector/nvd-index
- agent/first-publish-date
- agent/softwarecombine
- agent/author
- agent/references
- agent/severity
- agent/weakness
- agent/type
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2022-3924
- agent/software-canonical-lookup
- collector/mitre-cve
- source/MITRE
- agent/title
- agent/last-modified-date
- agent/remedy
- agent/description
- agent/event
- agent/tags
- agent/trending
- package-manager/redhat
- vendor/isc
- canonical/isc bind
- version/isc bind/9.16.12
- version/isc bind/9.18.0
- version/isc bind/9.19.0
- version/isc bind/9.16.12-s1
- version/isc bind/9.16.13-s1
- version/isc bind/9.16.14-s1
- version/isc bind/9.16.21-s1
- version/isc bind/9.16.32-s1
- version/isc bind/9.16.36-s1