CVE-2022-3094

MITRE NVD CVE.ORG Print: PDF PDF

Summary

CVECVE-2022-3094
StatePUBLIC
Assigner[email protected]
Source PriorityCVE Program / NVD first with legacy fallback
Published2023-01-26 21:15:00 UTC
Updated2023-11-07 03:50:00 UTC
DescriptionSending a flood of dynamic DNS updates may cause `named` to allocate large amounts of memory. This, in turn, may cause `named` to exit due to a lack of free memory. We are not aware of any cases where this has been exploited. Memory is allocated prior to the checking of access permissions (ACLs) and is retained during the processing of a dynamic update from a client whose access credentials are accepted. Memory allocated to clients that are not permitted to send updates is released immediately upon rejection. The scope of this vulnerability is limited therefore to trusted clients who are permitted to make dynamic zone changes. If a dynamic update is REFUSED, memory will be released again very quickly. Therefore it is only likely to be possible to degrade or stop `named` by sending a flood of unaccepted dynamic updates comparable in magnitude to a query flood intended to achieve the same detrimental outcome. BIND 9.11 and earlier branches are also affected, but through exhaustion of internal resources rather than memory constraints. This may reduce performance but should not be a significant problem for most servers. Therefore we don't intend to address this for BIND versions prior to BIND 9.16. This issue affects BIND 9 versions 9.16.0 through 9.16.36, 9.18.0 through 9.18.10, 9.19.0 through 9.19.8, and 9.16.8-S1 through 9.16.36-S1.

Risk And Classification

Problem Types: CWE-416

NVD Known Affected Configurations (CPE 2.3)

TypeVendorProductVersionUpdateEditionLanguage
Application Isc Bind All All All All
Application Isc Bind 9.16.11 s1 All All
Application Isc Bind 9.16.13 s1 All All
Application Isc Bind 9.16.14 s1 All All
Application Isc Bind 9.16.21 s1 All All
Application Isc Bind 9.16.32 s1 All All
Application Isc Bind 9.16.36 s1 All All
Application Isc Bind 9.16.8 s1 All All

References

ReferenceSourceLinkTags
CVE-2022-3094: An UPDATE message flood may cause named to exhaust all MISC kb.isc.org
CVE Program record CVE.ORG www.cve.org canonical
NVD vulnerability detail NVD nvd.nist.gov canonical, analysis

Legacy QID Mappings

  • 15134 ISC BIND Buffer Overflow Vulnerability (CVE-2022-3094)
  • 160610 Oracle Enterprise Linux Security Update for bind (ELSA-2023-2261)
  • 160671 Oracle Enterprise Linux Security Update for bind9.16 (ELSA-2023-2792)
  • 161182 Oracle Enterprise Linux Security Update for bind (ELSA-2023-7177)
  • 181506 Debian Security Update for bind9 (DSA 5329-1)
  • 184913 Debian Security Update for bind9 (CVE-2022-3094)
  • 199135 Ubuntu Security Notification for Bind Vulnerabilities (USN-5827-1)
  • 241422 Red Hat Update for bind (RHSA-2023:2261)
  • 241500 Red Hat Update for bind9.16 (RHSA-2023:2792)
  • 242433 Red Hat Update for bind (RHSA-2023:7177)
  • 243080 Red Hat Update for bind (RHSA-2024:1406)
  • 283653 Fedora Security Update for bind (FEDORA-2023-95d98f89a8)
  • 283685 Fedora Security Update for bind (FEDORA-2023-a3d608daf4)
  • 284281 Fedora Security Update for bind (FEDORA-2023-f1accd4b37)
  • 330142 IBM AIX Denial of Service (DoS) ISC BIND Vulnerability (bind_advisory23)
  • 355145 Amazon Linux Security Advisory for bind : ALAS2023-2023-161
  • 502648 Alpine Linux Security Update for bind
  • 502710 Alpine Linux Security Update for bind
  • 672936 EulerOS Security Update for bind (EulerOS-SA-2023-1776)
  • 672958 EulerOS Security Update for bind (EulerOS-SA-2023-1754)
  • 753669 SUSE Enterprise Linux Security Update for bind (SUSE-SU-2023:0341-1)
  • 753700 SUSE Enterprise Linux Security Update for bind (SUSE-SU-2023:0427-1)
  • 905375 Common Base Linux Mariner (CBL-Mariner) Security Update for bind (13196)
  • 905378 Common Base Linux Mariner (CBL-Mariner) Security Update for bind (13204)
  • 905654 Common Base Linux Mariner (CBL-Mariner) Security Update for bind (13196-1)
  • 906567 Common Base Linux Mariner (CBL-Mariner) Security Update for bind (13196-3)
  • 907288 Common Base Linux Mariner (CBL-Mariner) Security Update for bind (13204-1)
  • 941004 AlmaLinux Security Update for bind (ALSA-2023:2261)
  • 941073 AlmaLinux Security Update for bind9.16 (ALSA-2023:2792)
  • 941438 AlmaLinux Security Update for bind (ALSA-2023:7177)
© CVE.report 2026 |

Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.

CVE, CWE, and OVAL are registred trademarks of The MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. This site includes MITRE data granted under the following license.

CVE.report and Source URL Uptime Status status.cve.report