Bug 2164032 (CVE-2022-3094) - CVE-2022-3094 bind: flooding with UPDATE requests may lead to DoS
Summary: CVE-2022-3094 bind: flooding with UPDATE requests may lead to DoS
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2022-3094
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2164386 2164387 2164388 2164407 2164409 2164506
Blocks: 2164033
TreeView+ depends on / blocked
 
Reported: 2023-01-24 14:47 UTC by Marian Rehak
Modified: 2024-03-19 17:26 UTC (History)
3 users (show)

Fixed In Version: bind 9.16.37, bind 9.18.11, bind 9.19.9
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Bind, where sending a flood of dynamic DNS updates may cause named to allocate large amounts of memory. This issue may cause named to slow down due to a lack of free memory, resulting in a denial of service (DoS).
Clone Of:
Environment:
Last Closed: 2023-05-16 16:31:43 UTC
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2023:2261 0 None None None 2023-05-09 07:23:39 UTC
Red Hat Product Errata RHSA-2023:2792 0 None None None 2023-05-16 08:12:38 UTC
Red Hat Product Errata RHSA-2023:7177 0 None None None 2023-11-14 15:22:19 UTC
Red Hat Product Errata RHSA-2024:1406 0 None None None 2024-03-19 17:26:49 UTC

Description Marian Rehak 2023-01-24 14:47:20 UTC
Sending a flood of dynamic DNS updates may cause named to allocate large amounts of memory. This, in turn, may cause named to exit due to a lack of free memory. The scope of this vulnerability is limited to trusted clients who are permitted to make dynamic zone changes. If a dynamic update is REFUSED, memory will be released again very quickly. Therefore it is only likely to be possible to degrade or stop named by sending a flood of unaccepted dynamic updates comparable in magnitude to a query flood intended to achieve the same detrimental outcome.

Comment 4 Marian Rehak 2023-01-25 16:02:40 UTC
Created bind tracking bugs for this issue:

Affects: fedora-all [bug 2164506]

Comment 5 errata-xmlrpc 2023-05-09 07:23:38 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:2261 https://access.redhat.com/errata/RHSA-2023:2261

Comment 6 errata-xmlrpc 2023-05-16 08:12:36 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:2792 https://access.redhat.com/errata/RHSA-2023:2792

Comment 7 Product Security DevOps Team 2023-05-16 16:31:41 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-3094

Comment 8 errata-xmlrpc 2023-11-14 15:22:17 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:7177 https://access.redhat.com/errata/RHSA-2023:7177

Comment 11 errata-xmlrpc 2024-03-19 17:26:48 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Extended Update Support

Via RHSA-2024:1406 https://access.redhat.com/errata/RHSA-2024:1406


Note You need to log in before you can comment on or make changes to this bug.