Mageia / Gentoo Foundation / MGASA-2022-0388
History: Oct 24, 2022 - 1:48 a.m.

Updated bind packages fix security vulnerability

2022-10-24 01:48:35
Gentoo Foundation
advisories.mageia.org

Tags: bind, packages, security, vulnerability, resolver, performance, dns, spoofing, ecdsa, memory leak, cve-2022-2795, cve-2022-38177, cve-2022-38178, unix

CVSS3: 7.5

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS: 0.005
Percentile: 75.2%

By flooding the target resolver with queries exploiting this flaw an attacker can significantly impair the resolver’s performance, effectively denying legitimate clients access to the DNS resolution service. (CVE-2022-2795)

By spoofing the target resolver with responses that have a malformed ECDSA signature, an attacker can trigger a small memory leak. It is possible to gradually erode available memory to the point where named crashes for lack of resources. (CVE-2022-38177, CVE-2022-38178)

| OS | Version | Architecture | Package | Version | Filename |
|---|---|---|---|---|---|
| Mageia | 8 | noarch | bind | < 9.11.37-1.1 | bind-9.11.37-1.1.mga8 |
