Bug 2128947 (CVE-2022-3204) - CVE-2022-3204 unbound: NRDelegation attack leads to uncontrolled resource consumption (Non-Responsive Delegation Attack)
Summary: CVE-2022-3204 unbound: NRDelegation attack leads to uncontrolled resource con...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2022-3204
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2128953 2128964 2128965
Blocks: 2128841
TreeView+ depends on / blocked
 
Reported: 2022-09-22 04:37 UTC by Sandipan Roy
Modified: 2024-06-14 00:48 UTC (History)
43 users (show)

Fixed In Version: unbound 1.16.3
Clone Of:
Environment:
Last Closed: 2023-05-16 16:35:03 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2023:2370 0 None None None 2023-05-09 07:36:52 UTC
Red Hat Product Errata RHSA-2023:2771 0 None None None 2023-05-16 08:10:08 UTC
Red Hat Product Errata RHSA-2024:2045 0 None None None 2024-04-25 06:47:37 UTC

Description Sandipan Roy 2022-09-22 04:37:19 UTC 
The attack can cause a resolver to spend a lot of time/resources resolving records under a malicious delegation point where a considerable number of unresponsive NS records reside. It can trigger high CPU usage in some resolver implementations that continually look in the cache for resolved NS records in that delegation. This can lead to degraded performance and eventually denial of service in orchestrated attacks.

Upstream has issued an advisory today (September 21):
https://nlnetlabs.nl/downloads/unbound/CVE-2022-3204.txt

The issue is fixed upstream in 1.16.3:
https://github.com/NLnetLabs/unbound/releases/tag/release-1.16.3
Comment 1 TEJ RATHI 2022-09-22 05:30:56 UTC 
Created unbound tracking bugs for this issue:

Affects: fedora-all [bug 2128953]
Comment 6 errata-xmlrpc 2023-05-09 07:36:49 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:2370 https://access.redhat.com/errata/RHSA-2023:2370
Comment 8 errata-xmlrpc 2023-05-16 08:10:05 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:2771 https://access.redhat.com/errata/RHSA-2023:2771
Comment 9 Product Security DevOps Team 2023-05-16 16:34:59 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-3204
Comment 11 errata-xmlrpc 2024-04-25 06:47:34 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2024:2045 https://access.redhat.com/errata/RHSA-2024:2045
Note You need to log in before you can comment on or make changes to this bug.