CVE-2022-0635 - log back

CVE-2022-0635 edited at 05 Apr 2022 23:13:18
Severity
- Medium
+ High
CVE-2022-0635 edited at 05 Apr 2022 23:04:11
References
https://kb.isc.org/docs/cve-2022-0635
+ https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/5988
+ https://gitlab.isc.org/isc-projects/bind9/-/commit/71dd44339f4cf616e514cefa1ac1794d7a14e7db
CVE-2022-0635 edited at 04 Apr 2022 23:54:35
Description
- When a vulnerable version of named receives a series of specific queries, the named process will eventually terminate due to a failed assertion check. The vulnerability affects BIND resolvers running 9.18.0 that have both dnssec-validation and synth-from-dnssec enabled. (Note that dnssec-validation auto; is the default setting unless configured otherwise in named.conf and that enabling dnssec-validation automatically enables synth-from-dnssec unless explicitly disabled)
+ BIND 9.18.0 stable release refactored the RFC 8198 Aggressive Use of DNSSEC-Validated Cache feature (synth-from-dnssec) and changed the default so that is now automatically enabled for dnssec-validating resolvers. Subsequently it was found that repeated patterns of specific queries to servers with this feature enabled could cause an INSIST failure in query.c:query_dname which causes named to terminate unexpectedly.
+
+ The vulnerability affects BIND resolvers running 9.18.0 that have both dnssec-validation and synth-from-dnssec enabled. (Note that dnssec-validation auto; is the default setting unless configured otherwise in named.conf and that enabling dnssec-validation automatically enables synth-from-dnssec unless explicitly disabled) When a vulnerable version of named receives a series of specific queries, the named process will eventually terminate due to a failed assertion check.
CVE-2022-0635 edited at 04 Apr 2022 23:49:39
Notes
Workarounds:
The failure can be avoided by adding this option to named.conf:
-
synth-from-dnssec no;
However we do not recommend disabling this feature other than as a temporary workaround because it provides protection from pseudo-random-subdomain attacks against DNSSEC-signed zones.
CVE-2022-0635 edited at 04 Apr 2022 23:49:19
Notes
+ Workarounds:
+
+ The failure can be avoided by adding this option to named.conf:
+
+ synth-from-dnssec no;
+
+ However we do not recommend disabling this feature other than as a temporary workaround because it provides protection from pseudo-random-subdomain attacks against DNSSEC-signed zones.
CVE-2022-0635 edited at 04 Apr 2022 23:48:28
Severity
- Unknown
+ Medium
Remote
- Unknown
+ Remote
Type
- Unknown
+ Denial of service
Description
+ When a vulnerable version of named receives a series of specific queries, the named process will eventually terminate due to a failed assertion check. The vulnerability affects BIND resolvers running 9.18.0 that have both dnssec-validation and synth-from-dnssec enabled. (Note that dnssec-validation auto; is the default setting unless configured otherwise in named.conf and that enabling dnssec-validation automatically enables synth-from-dnssec unless explicitly disabled)
References
+ https://kb.isc.org/docs/cve-2022-0635
Notes
CVE-2022-0635 created at 04 Apr 2022 23:46:35