CVE-2022-3094

CWE-416Use After FreeCWE-400Uncontrolled Resource ConsumptionCWE-20Improper Input Validation10 documents8 sources
Severity
7.5HIGH
EPSS
1.7%
top 17.83%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
ISC BindISC Bind 9
Timeline
PublishedJan 26

Description

Sending a flood of dynamic DNS updates may cause `named` to allocate large amounts of memory. This, in turn, may cause `named` to exit due to a lack of free memory. We are not aware of any cases where this has been exploited. Memory is allocated prior to the checking of access permissions (ACLs) and is retained during the processing of a dynamic update from a client whose access credentials are accepted. Memory allocated to clients that are not permitted to send updates is released immediately

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages5 packages

NVDisc/bind9.16.09.16.37+9
Alpinebind< 9.16.37-r0+9
Debianbind9< 1:9.16.37-1~deb11u1+3
Ubuntubind9< 1:9.16.1-0ubuntu2.12+1
CVEListV5isc/bind_99.16.09.16.36+3

🔴Vulnerability Details

5
OSV
CVE-2022-3094: Sending a flood of dynamic DNS updates may cause `named` to allocate large amounts of memory2023-01-26
OSV
CVE-2022-3094: Sending a flood of dynamic DNS updates may cause `named` to allocate large amounts of memory2023-01-26
GHSA
GHSA-8f7f-g9cj-hq6g: Sending a flood of dynamic DNS updates may cause `named` to allocate large amounts of memory2023-01-26
CVEList
An UPDATE message flood may cause named to exhaust all available memory2023-01-25
OSV
bind9 vulnerabilities2023-01-25

📋Vendor Advisories

4
Ubuntu
Bind vulnerabilities2023-01-25
Red Hat
bind: flooding with UPDATE requests may lead to DoS2023-01-25
Microsoft
An UPDATE message flood may cause named to exhaust all available memory2023-01-10
Debian
CVE-2022-3094: bind9 - Sending a flood of dynamic DNS updates may cause `named` to allocate large amoun...2022