Bug 2128598 (CVE-2022-2906) - CVE-2022-2906 bind: memory leaks in code handling Diffie-Hellman key exchange via TKEY RRs
Summary: CVE-2022-2906 bind: memory leaks in code handling Diffie-Hellman key exchange...
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2022-2906
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2128699 2128700
Blocks: 2128582
TreeView+ depends on / blocked
 
Reported: 2022-09-21 08:35 UTC by Marian Rehak
Modified: 2022-09-21 14:03 UTC (History)
11 users (show)

Fixed In Version: bind 9.18.7, bind 9.19.5
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Bind package, where a flaw in ‘named’ can cause a small memory leak in key processing when using TKEY records in Diffie-Hellman mode with OpenSSL 3.0.0 and later versions. This flaw allows an attacker to gradually erode available memory to the point where ‘named’ crashes due to a lack of resources.
Clone Of:
Environment:
Last Closed: 2022-09-21 12:55:51 UTC


Attachments (Terms of Use)

Description Marian Rehak 2022-09-21 08:35:59 UTC
Changes between OpenSSL 1.x and OpenSSL 3.0 expose a flaw in named that causes a small memory leak in key processing when using TKEY records in Diffie-Hellman mode with OpenSSL 3.0.0 and later versions. An attacker can leverage this flaw to gradually erode available memory to the point where named crashes for lack of resources. Upon restart the attacker would have to begin again, but nevertheless there is the potential to deny service.

Comment 1 Marian Rehak 2022-09-21 12:42:34 UTC
Created bind tracking bugs for this issue:

Affects: fedora-all [bug 2128699]


Created dhcp tracking bugs for this issue:

Affects: fedora-all [bug 2128700]


Note You need to log in before you can comment on or make changes to this bug.