Bug 2128947 (CVE-2022-3204)

Summary: CVE-2022-3204 unbound: NRDelegation attack leads to uncontrolled resource consumption (Non-Responsive Delegation Attack)
Product: [Other] Security Response Reporter: Sandipan Roy <saroy>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: aegorenkov.91, akhaitovich, alazarot, asoldano, bbaranow, bmaxwell, brian.stansberry, cdewolf, chazlett, darran.lofthouse, dkreling, dosoudil, emingora, etirelli, fjuma, go-sig, ibek, iweiss, jochrist, jrokos, jwon, kverlaen, lgao, me, mnovotny, mosmerov, msochure, msvehla, nwallace, paul.wouters, pemensik, petersen, pjindal, pj.pandit, pmackay, reallylongword, redhat-bugzilla, rguimara, rstancel, smaestri, tom.jenkinson, tzimanyi, zebob.m
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: unbound 1.16.3 Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in unbound. The attack can cause a resolver to spend a lot of time and resources resolving records under a malicious delegation point where a considerable number of unresponsive NS records reside. This issue can trigger high CPU usage in some resolver implementations that continually look in the cache for resolved NS records in that delegation, leading to degraded performance and, eventually, a denial of service in orchestrated attacks.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2023-05-16 16:35:03 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2128953, 2128964, 2128965    
Bug Blocks: 2128841    

Description Sandipan Roy 2022-09-22 04:37:19 UTC 
The attack can cause a resolver to spend a lot of time/resources resolving records under a malicious delegation point where a considerable number of unresponsive NS records reside. It can trigger high CPU usage in some resolver implementations that continually look in the cache for resolved NS records in that delegation. This can lead to degraded performance and eventually denial of service in orchestrated attacks.

Upstream has issued an advisory today (September 21):
https://nlnetlabs.nl/downloads/unbound/CVE-2022-3204.txt

The issue is fixed upstream in 1.16.3:
https://github.com/NLnetLabs/unbound/releases/tag/release-1.16.3
Comment 1 TEJ RATHI 2022-09-22 05:30:56 UTC 
Created unbound tracking bugs for this issue:

Affects: fedora-all [bug 2128953]
Comment 6 errata-xmlrpc 2023-05-09 07:36:49 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:2370 https://access.redhat.com/errata/RHSA-2023:2370
Comment 8 errata-xmlrpc 2023-05-16 08:10:05 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:2771 https://access.redhat.com/errata/RHSA-2023:2771
Comment 9 Product Security DevOps Team 2023-05-16 16:34:59 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-3204