CVE-2022-0396 - log back

CVE-2022-0396 edited at 05 Apr 2022 23:02:15
References
https://kb.isc.org/docs/cve-2022-0396
+ https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/5987
+ https://gitlab.isc.org/isc-projects/bind9/-/commit/ae7fa0a3082d1b97b1123a96a78fbbe39d525be5
CVE-2022-0396 edited at 05 Apr 2022 23:00:34
References
- https://kb.isc.org/v1/docs/cve-2022-0396
+ https://kb.isc.org/docs/cve-2022-0396
CVE-2022-0396 edited at 05 Apr 2022 22:45:56
References
+ https://kb.isc.org/v1/docs/cve-2022-0396
CVE-2022-0396 edited at 04 Apr 2022 23:52:15
Severity
- Unknown
+ Medium
Remote
- Unknown
+ Remote
Type
- Unknown
+ Denial of service
Description
+ ISC recently discovered an issue in BIND that allows TCP connection slots to be consumed for an indefinite time frame via a specifically crafted TCP stream sent from a client. This issue is present in BIND 9.16.11 to 9.16.26 (including S editions), and 9.18.0.
+
+ This issue can only be triggered on BIND servers which have keep-response-order enabled, which is not the default configuration. The keep-response-order option is an ACL block; any hosts which are specified within it will be able to trigger this issue on affected versions. Specifically crafted TCP streams can cause connections to BIND to remain in CLOSE_WAIT status for an indefinite period of time, even after the client has terminated the connection.
References
Notes
+ Workarounds:
+
+ To mitigate this issue in all affected versions of BIND, use the default setting of keep-response-order { none; }.
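+ Added example (not ISC code and not part of the advisory): a POSIX sh check that scans a named.conf for keep-response-order blocks and reports any that admit hosts, which is the precondition for this issue on an affected version. It assumes the file has been flattened with `named-checkconf -p` (which expands include files and prints a canonical layout) or is simple enough to scan as-is; the two sample configurations are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not ISC code): scan a named.conf for keep-response-order
# settings that expose an affected BIND (9.16.11-9.16.26, 9.18.0) to
# CVE-2022-0396. Only "keep-response-order { none; };" (the default, and
# what an absent option means) is safe; any ACL that admits hosts is not.
#
# Assumption: the file was produced by `named-checkconf -p` (include files
# expanded, canonical layout) or is simple enough to scan directly.
# /* ... */ block comments are not stripped by this scanner.

# kro_values FILE: print the body of every keep-response-order block,
# one block per line, with // and # comments removed and ';' turned into
# spaces, e.g. "none" or "10.0.0.0/8 192.0.2.1". Prints nothing if absent.
kro_values() {
    sed -e 's#//.*$##' -e 's/#.*$//' "$1" |
        tr '\n' ' ' |
        grep -o 'keep-response-order *{[^}]*}' |
        sed -e 's/^keep-response-order *{//' -e 's/}$//' -e 's/;/ /g' \
            -e 's/  */ /g' -e 's/^ //' -e 's/ $//'
}

# check_kro FILE: return 0 when the config is safe (option absent or every
# block is exactly "none"), 1 when any block admits hosts.
check_kro() {
    vals=$(kro_values "$1")
    [ -n "$vals" ] || return 0
    rc=0
    oldifs=$IFS
    IFS='
'
    for v in $vals; do
        if [ "$v" != "none" ]; then
            echo "$1: keep-response-order { $v; } exposes CVE-2022-0396" >&2
            rc=1
        fi
    done
    IFS=$oldifs
    return $rc
}

# Constructed sample configs (not taken from any real deployment).
tmp=$(mktemp -d)
cat > "$tmp/safe.conf" <<'EOF'
options {
    directory "/var/cache/bind";
    // keep-response-order { any; };   commented out, must be ignored
    keep-response-order { none; };
};
EOF
cat > "$tmp/exposed.conf" <<'EOF'
options {
    directory "/var/cache/bind";
    keep-response-order { 10.0.0.0/8; 192.0.2.1; };
};
EOF

check_kro "$tmp/safe.conf"    && echo "safe.conf: ok"
check_kro "$tmp/exposed.conf" || echo "exposed.conf: set keep-response-order { none; }"
```

+ On a running server the symptom described above can be confirmed with `ss -tan state close-wait '( sport = :53 )'`, which lists TCP slots the server still holds after the client has gone; after switching to keep-response-order { none; } and reloading, that list should drain.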
CVE-2022-0396 created at 04 Apr 2022 23:46:35