CVE-2022-3094

Published on: Not Yet Published

Last Modified on: 02/03/2023 06:24:00 PM UTC

CVE-2022-3094

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Certain versions of Bind from Isc contain the following vulnerability:

Sending a flood of dynamic DNS updates may cause `named` to allocate large amounts of memory. This, in turn, may cause `named` to exit due to a lack of free memory. We are not aware of any cases where this has been exploited. Memory is allocated prior to the checking of access permissions (ACLs) and is retained during the processing of a dynamic update from a client whose access credentials are accepted. Memory allocated to clients that are not permitted to send updates is released immediately upon rejection. The scope of this vulnerability is limited therefore to trusted clients who are permitted to make dynamic zone changes. If a dynamic update is REFUSED, memory will be released again very quickly. Therefore it is only likely to be possible to degrade or stop `named` by sending a flood of unaccepted dynamic updates comparable in magnitude to a query flood intended to achieve the same detrimental outcome. BIND 9.11 and earlier branches are also affected, but through exhaustion of internal resources rather than memory constraints. This may reduce performance but should not be a significant problem for most servers. Therefore we don't intend to address this for BIND versions prior to BIND 9.16. This issue affects BIND 9 versions 9.16.0 through 9.16.36, 9.18.0 through 9.18.10, 9.19.0 through 9.19.8, and 9.16.8-S1 through 9.16.36-S1.

CVE-2022-3094 has been assigned by [email protected] to track the vulnerability - currently rated as HIGH severity.
We are not aware of any active exploits.
Affected Vendor/Software: ISC - BIND 9 version = 9.16.0
Affected Vendor/Software: ISC - BIND 9 version = 9.18.0
Affected Vendor/Software: ISC - BIND 9 version = 9.19.0
Affected Vendor/Software: ISC - BIND 9 version = 9.16.8-S1

Vulnerability Patch/Work Around

No workarounds known.

CVSS3 Score: 7.5 - HIGH

Attack Vector ^ⓘ	Attack Complexity	Privileges Required	User Interaction
NETWORK	LOW	NONE	NONE
Scope	Confidentiality Impact	Integrity Impact	Availability Impact
UNCHANGED	NONE	NONE	HIGH

CVE References

Description	Tags ^ⓘ	Link
CVE-2022-3094: An UPDATE message flood may cause named to exhaust all	kb.isc.org text/html	MISC kb.isc.org/docs/cve-2022-3094

By selecting these links, you may be leaving CVEreport webspace. We have provided these links to other websites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other websites that are more appropriate for your purpose. CVEreport does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, CVEreport does not endorse any commercial products that may be mentioned on these sites. Please address comments about any linked pages to [email protected].

Related QID Numbers

181506 Debian Security Update for bind9 (DSA 5329-1)
199135 Ubuntu Security Notification for Bind Vulnerabilities (USN-5827-1)
283653 Fedora Security Update for bind (FEDORA-2023-95d98f89a8)
283685 Fedora Security Update for bind (FEDORA-2023-a3d608daf4)
502648 Alpine Linux Security Update for bind
753669 SUSE Enterprise Linux Security Update for bind (SUSE-SU-2023:0341-1)
753700 SUSE Enterprise Linux Security Update for bind (SUSE-SU-2023:0427-1)
905375 Common Base Linux Mariner (CBL-Mariner) Security Update for bind (13196)
905378 Common Base Linux Mariner (CBL-Mariner) Security Update for bind (13204)
905654 Common Base Linux Mariner (CBL-Mariner) Security Update for bind (13196-1)

Known Affected Configurations (CPE V2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Application	Isc	Bind	All	All	All	All
Application	Isc	Bind	9.16.11	s1	All	All
Application	Isc	Bind	9.16.13	s1	All	All
Application	Isc	Bind	9.16.14	s1	All	All
Application	Isc	Bind	9.16.21	s1	All	All
Application	Isc	Bind	9.16.32	s1	All	All
Application	Isc	Bind	9.16.36	s1	All	All
Application	Isc	Bind	9.16.8	s1	All	All

cpe:2.3:a:isc:bind:*:*:*:*:-:*:*:*:
cpe:2.3:a:isc:bind:9.16.11:s1:*:*:supported_preview:*:*:*:
cpe:2.3:a:isc:bind:9.16.13:s1:*:*:supported_preview:*:*:*:
cpe:2.3:a:isc:bind:9.16.14:s1:*:*:supported_preview:*:*:*:
cpe:2.3:a:isc:bind:9.16.21:s1:*:*:supported_preview:*:*:*:
cpe:2.3:a:isc:bind:9.16.32:s1:*:*:supported_preview:*:*:*:
cpe:2.3:a:isc:bind:9.16.36:s1:*:*:supported_preview:*:*:*:
cpe:2.3:a:isc:bind:9.16.8:s1:*:*:supported_preview:*:*:*:

No vendor comments have been submitted for this CVE

Social Mentions

Source	Title	Posted (UTC)
@w4yh	速報性は丼 CVE-2022-3094, CVE-2022-3488, CVE-2022-3736, CVE-2022-3924	2023-01-25 15:03:23
@w4yh	CVE-2022-3094: An UPDATE message flood may cause named to exhaust all kb.isc.org/docs/cve-2022-…	2023-01-25 15:04:27
@ISCdotORG	We have just posted new BIND maintenance releases, which include fixes for these CVEs. - CVE-2022-3094 (… twitter.com/i/web/status/1…	2023-01-25 15:33:14
@w4yh	CVE-2022-3094 kb.isc.org/docs/cve-2022-… 9.16.0 -> 9.16.36 9.18.0 -> 9.18.10 9.19.0 -> 9.19.8 (Versions prior to 9.11.… twitter.com/i/web/status/1…	2023-01-25 15:38:41
@omokazuki	SIOSセキュリティブログを更新しました。 BIND 9の脆弱性情報(High: CVE-2022-3094, CVE-2022-3488, CVE-2022-3736, CVE-2022-3924)と新バージョン(9.16.3… twitter.com/i/web/status/1…	2023-01-25 17:08:16
@oss_security	ISC has disclosed three vulnerabilities in BIND 9 (CVE-2022-3094, CVE-2022-3736, CVE-2022-3924): Posted by Michał K… twitter.com/i/web/status/1…	2023-01-25 17:32:03
@teenigma_	oss-sec: ISC has disclosed three vulnerabilities in BIND 9 (CVE-2022-3094, CVE-2022-3736, CVE-2022-3924) seclists.org/oss-sec/2023/q…	2023-01-25 17:44:17
@itit7777	BIND 9の脆弱性情報(High: CVE-2022-3094, CVE-2022-3488, CVE-2022-3736, CVE-2022-3924)と新バージョン(9.16.37, 9.18.11, 9.19.9 ) security.sios.jp/vulnerability/…	2023-01-25 18:05:11
@ipssignatures	The vuln CVE-2022-3094 has a tweet created 0 days ago and retweeted 10 times. twitter.com/ISCdotORG/stat… #pow1rtrtwwcve	2023-01-26 02:06:00
@OpenBSD_ports	[email protected] modified net/isc-bind: update to isc-bind-9.18.11 kb.isc.org/docs/cve-2022-… - An UPDATE message flood may caus… twitter.com/i/web/status/1…	2023-01-26 02:25:50
@OpenBSD_ports	OPENBSD_7_2 [email protected] modified net/isc-bind: update to isc-bind-9.18.11 kb.isc.org/docs/cve-2022-… - An UPDATE message fl… twitter.com/i/web/status/1…	2023-01-26 02:25:50
@OpenBSD_stable	OPENBSD_7_2 [email protected] modified net/isc-bind: update to isc-bind-9.18.11 kb.isc.org/docs/cve-2022-… - An UPDATE message fl… twitter.com/i/web/status/1…	2023-01-26 02:25:51
@ohhara_shiojiri	（緊急）BIND 9.xの脆弱性（メモリ不足の発生）について（CVE-2022-3094） jprs.jp/tech/security/…	2023-01-26 02:40:19
@JPRS_official	【注意喚起】（緊急）BIND 9.xの脆弱性（メモリ不足の発生）について（CVE-2022-3094） jprs.jp/tech/security/…	2023-01-26 02:45:07
@herohero2jp	BIND9 例によって穴が発見された。 CVE-2022-3094: 高（High） CVE-2022-3736: 高（High） CVE-2022-3924: 高（High） jprs.jp/tech/ #BIND9　#JPRS	2023-01-26 09:37:02
@ipssignatures	The vuln CVE-2022-3094 has a tweet created 0 days ago and retweeted 10 times. twitter.com/JPRS_official/… #pow1rtrtwwcve	2023-01-26 10:06:00
@CVEreport	CVE-2022-3094 : Sending a flood of dynamic DNS updates may cause `named` to allocate large amounts of memory. This,… twitter.com/i/web/status/1…	2023-01-26 21:28:33
/r/googlecloudupdates	March 06, 2023 GCP release notes	2023-03-07 01:00:20
/r/googlecloudupdates	March 17, 2023 GCP release notes	2023-03-18 01:00:10