The Internet Systems Consortium (ISC) has published four advisories to address high-severity vulnerabilities in Berkeley Internet Name Domain (BIND) 9. All of the flaws affect named, the BIND 9 daemon, which acts as both an authoritative name server and a recursive resolver.
Note
- The fix is to update to the patched version of BIND 9 most closely related to the version you’re running: 9.16.37, 9.18.11 or 9.19.9. If you’re not sure, talk to your DNS team. While you can set the stale-answer-client-timeout to 0, off or disabled to mitigate two of the vulnerabilities, to get all three you have to update. If you’re still on BIND 9.11, read the alerts carefully to determine your risk.
- Those of you who had January in the “First critical BIND vulnerability found” 2023 betting pool can collect your winnings! The good news is only denial of service impacts in this batch.
Read more in:
- CVE-2022-3094: An UPDATE message flood may cause named to exhaust all available memory
- CVE-2022-3488: BIND Supported Preview Edition named may terminate unexpectedly when processing ECS options in repeated responses to iterative queries
- CVE-2022-3736: named configured to answer from stale cache may terminate unexpectedly while processing RRSIG queries
- CVE-2022-3924: named configured to answer from stale cache may terminate unexpectedly at recursive-clients soft quota
- BIND 9 Security Vulnerability Matrix
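The check described in the note above, as an added example that is not ISC's or the original page's code: it classifies the output of `named -v` against the three fixed releases and reports whether a `named.conf` explicitly sets `stale-answer-client-timeout` to one of the mitigating values. The function names and the sample strings are constructed for illustration.

```python
import re

# Fixed releases named in the note above, keyed by (major, minor) branch.
PATCHED = {(9, 16): 37, (9, 18): 11, (9, 19): 9}
# Values the note lists as mitigating two of the vulnerabilities.
MITIGATING = {"0", "off", "disabled"}

VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)")
OPTION_RE = re.compile(r"^\s*stale-answer-client-timeout\s+([^;\s]+)\s*;", re.M)


def assess_version(version_output: str) -> str:
    """Classify `named -v` output as 'patched', 'update' or 'review'.

    'review' means the branch is not one of the three named in the note
    (for example 9.11), so the advisories have to be read individually.
    Distribution packages may backport fixes without changing this number,
    so treat 'update' as a prompt to check the vendor changelog as well.
    """
    m = VERSION_RE.search(version_output)
    if not m:
        raise ValueError(f"no BIND version found in: {version_output!r}")
    major, minor, patch = map(int, m.groups())
    fixed = PATCHED.get((major, minor))
    if fixed is None:
        return "review"
    return "patched" if patch >= fixed else "update"


def has_explicit_mitigation(conf_text: str) -> bool:
    """True if every stale-answer-client-timeout statement is 0, off or disabled.

    Returns False when the option is not set explicitly anywhere.
    """
    # Drop /* */, // and # comments so commented-out statements are ignored.
    text = re.sub(r"/\*.*?\*/", "", conf_text, flags=re.S)
    text = re.sub(r"(//|#).*", "", text)
    values = OPTION_RE.findall(text)
    return bool(values) and all(v.lower() in MITIGATING for v in values)


if __name__ == "__main__":
    # Constructed sample inputs, not captured from a real server.
    print(assess_version("BIND 9.16.33 (Extended Support Version)"))
    print(has_explicit_mitigation("options { };\n"))
```

A `True` from `has_explicit_mitigation` covers only the two stale-cache issues the note refers to; per the note, the remaining flaws still require the update.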