{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2022-2795", "assignerOrgId": "404fd4d2-a609-4245-b543-2c944a302a22", "assignerShortName": "isc", "datePublished": "2022-09-21T10:15:25.796304Z", "dateUpdated": "2024-09-17T03:03:19.543Z", "dateReserved": "2022-08-12T00:00:00"}, "containers": {"cna": {"title": "Processing large delegations may severely degrade resolver performance", "datePublic": "2022-09-21T00:00:00", "providerMetadata": {"orgId": "404fd4d2-a609-4245-b543-2c944a302a22", "shortName": "isc", "dateUpdated": "2022-10-31T00:00:00"}, "descriptions": [{"lang": "en", "value": "By flooding the target resolver with queries exploiting this flaw an attacker can significantly impair the resolver's performance, effectively denying legitimate clients access to the DNS resolution service."}], "affected": [{"vendor": "ISC", "product": "BIND9", "versions": [{"version": "Open Source Branches 9.0 through 9.16 9.0.0 through versions before 9.16.33", "status": "affected"}, {"version": "Open Source Branch 9.18 9.18.0 through versions before 9.18.7", "status": "affected"}, {"version": "Supported Preview Branches 9.9-S through 9.11-S 9.9.3-S1 through versions up to and including 9.11.37-S1", "status": "affected"}, {"version": "Supported Preview Branch 9.16-S 9.16.8-S1 through versions before 9.16.33-S1", "status": "affected"}, {"version": "Development Branch 9.19 9.19.0 through versions before 9.19.5", "status": "affected"}]}], "references": [{"url": "https://kb.isc.org/docs/cve-2022-2795"}, {"name": "[oss-security] 20220921 ISC has disclosed six vulnerabilities in BIND (CVE-2022-2795, CVE-2022-2881, CVE-2022-2906, CVE-2022-3080, CVE-2022-38177, CVE-2022-38178)", "tags": ["mailing-list"], "url": "http://www.openwall.com/lists/oss-security/2022/09/21/3"}, {"name": "DSA-5235", "tags": ["vendor-advisory"], "url": "https://www.debian.org/security/2022/dsa-5235"}, {"name": "FEDORA-2022-ef038365de", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CV4GQWBPF7Y52J2FA24U6UMHQAOXZEF7/"}, {"name": "FEDORA-2022-8268735e06", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MRHB6J4Z7BKH4HPEKG5D35QGRD6ANNMT/"}, {"name": "FEDORA-2022-b197d64471", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YZJQNUASODNVAWZV6STKG5SD6XIJ446S/"}, {"name": "[debian-lts-announce] 20221005 [SECURITY] [DLA 3138-1] bind9 security update", "tags": ["mailing-list"], "url": "https://lists.debian.org/debian-lts-announce/2022/10/msg00007.html"}, {"name": "GLSA-202210-25", "tags": ["vendor-advisory"], "url": "https://security.gentoo.org/glsa/202210-25"}], "credits": [{"lang": "en", "value": "ISC would like to thank Yehuda Afek from Tel-Aviv University and Anat Bremler-Barr & Shani Stajnrod from Reichman University for bringing this vulnerability to our attention."}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "In BIND 9.0.0 -> 9.16.32, 9.18.0 -> 9.18.6, versions 9.9.3-S1 -> 9.11.37-S1, 9.16.8-S1 -> 9.16.32-S1 of the BIND Supported Preview Edition, and versions 9.19.0 -> 9.19.4 of the BIND 9.19 development branch, a flaw in resolver code can cause named to spend excessive amounts of time on processing large delegations."}]}], "source": {"discovery": "EXTERNAL"}, "workarounds": [{"lang": "en", "value": "No workarounds known."}], "exploits": [{"lang": "en", "value": "We are not aware of any active exploits."}], "solutions": [{"lang": "en", "value": "Upgrade to the patched release most closely related to your current version of BIND: BIND 9.16.33, BIND 9.18.7, BIND 9.19.5, or for BIND Supported Preview Edition (a special feature preview branch of BIND provided to eligible ISC support customers): BIND 9.16.33-S1."}]}, "adp": [{"affected": [{"vendor": "isc", "product": "bind", "cpes": ["cpe:2.3:a:isc:bind:9.0.0:-:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "9.0.0", "status": "affected", "lessThanOrEqual": "9.16.32", "versionType": "custom"}]}, {"vendor": "isc", "product": "bind", "cpes": ["cpe:2.3:a:isc:bind:9.9.3:s1:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "9.9.3", "status": "affected", "lessThan": "9.11.37", "versionType": "custom"}]}, {"vendor": "isc", "product": "bind", "cpes": ["cpe:2.3:a:isc:bind:9.16.8:s1:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "9.16.8", "status": "affected", "lessThan": "9.16.32", "versionType": "custom"}]}, {"vendor": "isc", "product": "bind", "cpes": ["cpe:2.3:a:isc:bind:9.19.0:*:*:*:-:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "9.19.0", "status": "affected", "lessThan": "9.19.4", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-04-12T17:20:53.564264Z", "id": "CVE-2022-2795", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-20T19:41:53.934Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T00:46:04.433Z"}, "title": "CVE Program Container", "references": [{"url": "https://kb.isc.org/docs/cve-2022-2795", "tags": ["x_transferred"]}, {"name": "[oss-security] 20220921 ISC has disclosed six vulnerabilities in BIND (CVE-2022-2795, CVE-2022-2881, CVE-2022-2906, CVE-2022-3080, CVE-2022-38177, CVE-2022-38178)", "tags": ["mailing-list", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2022/09/21/3"}, {"name": "DSA-5235", "tags": ["vendor-advisory", "x_transferred"], "url": "https://www.debian.org/security/2022/dsa-5235"}, {"name": "FEDORA-2022-ef038365de", "tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CV4GQWBPF7Y52J2FA24U6UMHQAOXZEF7/"}, {"name": "FEDORA-2022-8268735e06", "tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MRHB6J4Z7BKH4HPEKG5D35QGRD6ANNMT/"}, {"name": "FEDORA-2022-b197d64471", "tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YZJQNUASODNVAWZV6STKG5SD6XIJ446S/"}, {"name": "[debian-lts-announce] 20221005 [SECURITY] [DLA 3138-1] bind9 security update", "tags": ["mailing-list", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2022/10/msg00007.html"}, {"name": "GLSA-202210-25", "tags": ["vendor-advisory", "x_transferred"], "url": "https://security.gentoo.org/glsa/202210-25"}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://kb.isc.org/docs/cve-2022-2795", "tags": ["x_transferred"]}, {"url": "http://www.openwall.com/lists/oss-security/2022/09/21/3", "name": "[oss-security] 20220921 ISC has disclosed six vulnerabilities in BIND (CVE-2022-2795, CVE-2022-2881, CVE-2022-2906, CVE-2022-3080, CVE-2022-38177, CVE-2022-38178)", "tags": ["mailing-list", "x_transferred"]}, {"url": "https://www.debian.org/security/2022/dsa-5235", "name": "DSA-5235", "tags": ["vendor-advisory", "x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CV4GQWBPF7Y52J2FA24U6UMHQAOXZEF7/", "name": "FEDORA-2022-ef038365de", "tags": ["vendor-advisory", "x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MRHB6J4Z7BKH4HPEKG5D35QGRD6ANNMT/", "name": "FEDORA-2022-8268735e06", "tags": ["vendor-advisory", "x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YZJQNUASODNVAWZV6STKG5SD6XIJ446S/", "name": "FEDORA-2022-b197d64471", "tags": ["vendor-advisory", "x_transferred"]}, {"url": "https://lists.debian.org/debian-lts-announce/2022/10/msg00007.html", "name": "[debian-lts-announce] 20221005 [SECURITY] [DLA 3138-1] bind9 security update", "tags": ["mailing-list", "x_transferred"]}, {"url": "https://security.gentoo.org/glsa/202210-25", "name": "GLSA-202210-25", "tags": ["vendor-advisory", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T00:46:04.433Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2022-2795", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-04-12T17:20:53.564264Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:isc:bind:9.0.0:-:*:*:*:*:*:*"], "vendor": "isc", "product": "bind", "versions": [{"status": "affected", "version": "9.0.0", "versionType": "custom", "lessThanOrEqual": "9.16.32"}], "defaultStatus": "unknown"}, {"cpes": ["cpe:2.3:a:isc:bind:9.9.3:s1:*:*:*:*:*:*"], "vendor": "isc", "product": "bind", "versions": [{"status": "affected", "version": "9.9.3", "lessThan": "9.11.37", "versionType": "custom"}], "defaultStatus": "unknown"}, {"cpes": ["cpe:2.3:a:isc:bind:9.16.8:s1:*:*:*:*:*:*"], "vendor": "isc", "product": "bind", "versions": [{"status": "affected", "version": "9.16.8", "lessThan": "9.16.32", "versionType": "custom"}], "defaultStatus": "unknown"}, {"cpes": ["cpe:2.3:a:isc:bind:9.19.0:*:*:*:-:*:*:*"], "vendor": "isc", "product": "bind", "versions": [{"status": "affected", "version": "9.19.0", "lessThan": "9.19.4", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-20T19:41:49.408Z"}}], "cna": {"title": "Processing large delegations may severely degrade resolver performance", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "value": "ISC would like to thank Yehuda Afek from Tel-Aviv University and Anat Bremler-Barr & Shani Stajnrod from Reichman University for bringing this vulnerability to our attention."}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "ISC", "product": "BIND9", "versions": [{"status": "affected", "version": "Open Source Branches 9.0 through 9.16 9.0.0 through versions before 9.16.33"}, {"status": "affected", "version": "Open Source Branch 9.18 9.18.0 through versions before 9.18.7"}, {"status": "affected", "version": "Supported Preview Branches 9.9-S through 9.11-S 9.9.3-S1 through versions up to and including 9.11.37-S1"}, {"status": "affected", "version": "Supported Preview Branch 9.16-S 9.16.8-S1 through versions before 9.16.33-S1"}, {"status": "affected", "version": "Development Branch 9.19 9.19.0 through versions before 9.19.5"}]}], "exploits": [{"lang": "en", "value": "We are not aware of any active exploits."}], "solutions": [{"lang": "en", "value": "Upgrade to the patched release most closely related to your current version of BIND: BIND 9.16.33, BIND 9.18.7, BIND 9.19.5, or for BIND Supported Preview Edition (a special feature preview branch of BIND provided to eligible ISC support customers): BIND 9.16.33-S1."}], "datePublic": "2022-09-21T00:00:00", "references": [{"url": "https://kb.isc.org/docs/cve-2022-2795"}, {"url": "http://www.openwall.com/lists/oss-security/2022/09/21/3", "name": "[oss-security] 20220921 ISC has disclosed six vulnerabilities in BIND (CVE-2022-2795, CVE-2022-2881, CVE-2022-2906, CVE-2022-3080, CVE-2022-38177, CVE-2022-38178)", "tags": ["mailing-list"]}, {"url": "https://www.debian.org/security/2022/dsa-5235", "name": "DSA-5235", "tags": ["vendor-advisory"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CV4GQWBPF7Y52J2FA24U6UMHQAOXZEF7/", "name": "FEDORA-2022-ef038365de", "tags": ["vendor-advisory"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MRHB6J4Z7BKH4HPEKG5D35QGRD6ANNMT/", "name": "FEDORA-2022-8268735e06", "tags": ["vendor-advisory"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YZJQNUASODNVAWZV6STKG5SD6XIJ446S/", "name": "FEDORA-2022-b197d64471", "tags": ["vendor-advisory"]}, {"url": "https://lists.debian.org/debian-lts-announce/2022/10/msg00007.html", "name": "[debian-lts-announce] 20221005 [SECURITY] [DLA 3138-1] bind9 security update", "tags": ["mailing-list"]}, {"url": "https://security.gentoo.org/glsa/202210-25", "name": "GLSA-202210-25", "tags": ["vendor-advisory"]}], "workarounds": [{"lang": "en", "value": "No workarounds known."}], "descriptions": [{"lang": "en", "value": "By flooding the target resolver with queries exploiting this flaw an attacker can significantly impair the resolver's performance, effectively denying legitimate clients access to the DNS resolution service."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "In BIND 9.0.0 -> 9.16.32, 9.18.0 -> 9.18.6, versions 9.9.3-S1 -> 9.11.37-S1, 9.16.8-S1 -> 9.16.32-S1 of the BIND Supported Preview Edition, and versions 9.19.0 -> 9.19.4 of the BIND 9.19 development branch, a flaw in resolver code can cause named to spend excessive amounts of time on processing large delegations."}]}], "providerMetadata": {"orgId": "404fd4d2-a609-4245-b543-2c944a302a22", "shortName": "isc", "dateUpdated": "2022-10-31T00:00:00"}}}, "cveMetadata": {"cveId": "CVE-2022-2795", "state": "PUBLISHED", "dateUpdated": "2024-09-17T03:03:19.543Z", "dateReserved": "2022-08-12T00:00:00", "assignerOrgId": "404fd4d2-a609-4245-b543-2c944a302a22", "datePublished": "2022-09-21T10:15:25.796304Z", "assignerShortName": "isc"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:isc:bind:*:*:*:*:-:*:*:*", "matchCriteriaId": "6CF2AFF8-9D61-442F-98BE-C08FA09C2AD3", "versionEndExcluding": "9.16.33", "versionStartIncluding": "9.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:isc:bind:*:*:*:*:-:*:*:*", "matchCriteriaId": "BAE4B411-40F7-422D-8A5C-775ED1D00189", "versionEndExcluding": "9.18.7", "versionStartIncluding": "9.18.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:isc:bind:*:*:*:*:-:*:*:*", "matchCriteriaId": "3E1EC206-AC11-4A7E-9723-C4F69FF76892", "versionEndExcluding": "9.19.5", "versionStartIncluding": "9.19.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:isc:bind:9.9.3:s1:*:*:*:supported_preview:*:*", "matchCriteriaId": "A01B5F4E-1F55-4DED-BF30-E0B436D8B965", "vulnerable": true}, {"criteria": "cpe:2.3:a:isc:bind:9.9.3:s1:*:*:supported_preview:*:*:*", "matchCriteriaId": "40EE014B-0CD8-45F3-BEDB-AE6368A78B04", "vulnerable": true}, {"criteria": "cpe:2.3:a:isc:bind:9.9.12:s1:*:*:supported_preview:*:*:*", "matchCriteriaId": "DAF8FA8C-0526-4389-AEC6-92AD62AA3929", "vulnerable": true}, {"criteria": "cpe:2.3:a:isc:bind:9.9.13:s1:*:*:supported_preview:*:*:*", "matchCriteriaId": "1A9BA952-A5DF-4CBA-8928-0B373C013C32", "vulnerable": true}, {"criteria": "cpe:2.3:a:isc:bind:9.10.5:s1:*:*:supported_preview:*:*:*", "matchCriteriaId": "CAD41122-C5D8-4256-8CB7-FF88DCD96A13", "vulnerable": true}, {"criteria": "cpe:2.3:a:isc:bind:9.10.7:s1:*:*:supported_preview:*:*:*", "matchCriteriaId": "6243685F-1E5B-4FF6-AE1B-44798032FBA6", "vulnerable": true}, {"criteria": "cpe:2.3:a:isc:bind:9.11.3:s1:*:*:supported_preview:*:*:*", "matchCriteriaId": "C2FE13E1-0646-46FC-875B-CB4C34E20101", "vulnerable": true}, {"criteria": "cpe:2.3:a:isc:bind:9.11.5:s3:*:*:*:supported_preview:*:*", "matchCriteriaId": "B6F72F80-D178-4F6D-8D16-85C0DEEE275B", "vulnerable": true}, {"criteria": "cpe:2.3:a:isc:bind:9.11.5:s3:*:*:supported_preview:*:*:*", "matchCriteriaId": "1AA16E51-819C-4A1B-B66E-1C60C1782C0D", "vulnerable": true}, {"criteria": "cpe:2.3:a:isc:bind:9.11.5:s5:*:*:supported_preview:*:*:*", "matchCriteriaId": "91533F9F-C0E5-4E84-8A4C-F744F956BF97", "vulnerable": true}, {"criteria": "cpe:2.3:a:isc:bind:9.11.5:s6:*:*:supported_preview:*:*:*", "matchCriteriaId": "46E6A4BD-D69B-4A70-821D-5612DD1315EF", "vulnerable": true}, {"criteria": "cpe:2.3:a:isc:bind:9.11.6:s1:*:*:supported_preview:*:*:*", "matchCriteriaId": "8AF9D390-0D5B-4963-A2D3-BF1E7CD95E9D", "vulnerable": true}, {"criteria": "cpe:2.3:a:isc:bind:9.11.7:s1:*:*:supported_preview:*:*:*", "matchCriteriaId": "AB2B92F1-6BA8-41CA-9000-E0633462CC28", "vulnerable": true}, {"criteria": "cpe:2.3:a:isc:bind:9.11.8:s1:*:*:supported_preview:*:*:*", "matchCriteriaId": "02CA4635-7DFC-408E-A837-856E0F96CA1B", "vulnerable": true}, {"criteria": "cpe:2.3:a:isc:bind:9.11.12:s1:*:*:supported_preview:*:*:*", "matchCriteriaId": "3CABCB08-B838-45F7-AA87-77C6B8767DD0", "vulnerable": true}, {"criteria": "cpe:2.3:a:isc:bind:9.11.14-s1:*:*:*:preview:*:*:*", "matchCriteriaId": "FB597385-BCFD-4CDB-9328-B4F76D586E4D", "vulnerable": true}, {"criteria": "cpe:2.3:a:isc:bind:9.11.19-s1:*:*:*:preview:*:*:*", "matchCriteriaId": "42C76CEF-FD0B-40A4-B246-A71F3EC72B29", "vulnerable": true}, {"criteria": "cpe:2.3:a:isc:bind:9.11.21:s1:*:*:supported_preview:*:*:*", "matchCriteriaId": "5CC1F26C-4757-4C87-BD8B-2FA456A88C6F", "vulnerable": true}, {"criteria": "cpe:2.3:a:isc:bind:9.11.27:s1:*:*:supported_preview:*:*:*", "matchCriteriaId": "582A4948-B64F-45D4-807A-846A85BB6B42", "vulnerable": true}, {"criteria": "cpe:2.3:a:isc:bind:9.11.29:s1:*:*:supported_preview:*:*:*", "matchCriteriaId": "F22E7F6A-0714-480D-ACDF-5027FD6697B2", "vulnerable": true}, {"criteria": "cpe:2.3:a:isc:bind:9.11.35:s1:*:*:supported_preview:*:*:*", "matchCriteriaId": "255AEB06-F071-4433-93E5-9436086C1A6D", "vulnerable": true}, {"criteria": "cpe:2.3:a:isc:bind:9.11.37:s1:*:*:supported_preview:*:*:*", "matchCriteriaId": "EF14D712-5FCF-492F-BE3E-745109E9D6E5", "vulnerable": true}, {"criteria": "cpe:2.3:a:isc:bind:9.16.8:s1:*:*:supported_preview:*:*:*", "matchCriteriaId": "288EAD80-574B-4839-9C2C-81D6D088A733", "vulnerable": true}, {"criteria": "cpe:2.3:a:isc:bind:9.16.11:s1:*:*:supported_preview:*:*:*", "matchCriteriaId": "3595F024-F910-4356-8B5B-D478960FF574", "vulnerable": true}, {"criteria": "cpe:2.3:a:isc:bind:9.16.13:s1:*:*:supported_preview:*:*:*", "matchCriteriaId": "94661BA2-27F8-4FFE-B844-9404F735579D", "vulnerable": true}, {"criteria": "cpe:2.3:a:isc:bind:9.16.21:s1:*:*:supported_preview:*:*:*", "matchCriteriaId": "751E37C2-8BFD-4306-95C1-8C01CE495FA4", "vulnerable": true}, {"criteria": "cpe:2.3:a:isc:bind:9.16.32:s1:*:*:supported_preview:*:*:*", "matchCriteriaId": "CC432820-F1A2-4132-A673-2620119553C5", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73", "vulnerable": true}, {"criteria": "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*", "matchCriteriaId": "FA6FEEC2-9F11-4643-8827-749718254FED", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*", "matchCriteriaId": "80E516C0-98A4-4ADE-B69F-66A772E2BAAA", "vulnerable": true}, {"criteria": "cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*", "matchCriteriaId": "5C675112-476C-4D7C-BCB9-A2FB2D0BC9FD", "vulnerable": true}, {"criteria": "cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*", "matchCriteriaId": "E30D0E6F-4AE8-4284-8716-991DFA48CC5D", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "By flooding the target resolver with queries exploiting this flaw an attacker can significantly impair the resolver's performance, effectively denying legitimate clients access to the DNS resolution service."}, {"lang": "es", "value": "Al inundar el resolvedor de destino con consultas que explotan este fallo, un atacante puede perjudicar significativamente el rendimiento del resolvedor, negando efectivamente a los clientes leg\u00edtimos el acceso al servicio de resoluci\u00f3n DNS"}], "id": "CVE-2022-2795", "lastModified": "2024-11-21T07:01:42.550", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security-officer@isc.org", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-09-21T11:15:09.470", "references": [{"source": "security-officer@isc.org", "tags": ["Mailing List", "Patch", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2022/09/21/3"}, {"source": "security-officer@isc.org", "tags": ["Patch", "Vendor Advisory"], "url": "https://kb.isc.org/docs/cve-2022-2795"}, {"source": "security-officer@isc.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2022/10/msg00007.html"}, {"source": "security-officer@isc.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CV4GQWBPF7Y52J2FA24U6UMHQAOXZEF7/"}, {"source": "security-officer@isc.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MRHB6J4Z7BKH4HPEKG5D35QGRD6ANNMT/"}, {"source": "security-officer@isc.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YZJQNUASODNVAWZV6STKG5SD6XIJ446S/"}, {"source": "security-officer@isc.org", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/202210-25"}, {"source": "security-officer@isc.org", "tags": ["Third Party Advisory"], "url": "https://www.debian.org/security/2022/dsa-5235"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Patch", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2022/09/21/3"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Vendor Advisory"], "url": "https://kb.isc.org/docs/cve-2022-2795"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2022/10/msg00007.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CV4GQWBPF7Y52J2FA24U6UMHQAOXZEF7/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MRHB6J4Z7BKH4HPEKG5D35QGRD6ANNMT/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YZJQNUASODNVAWZV6STKG5SD6XIJ446S/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/202210-25"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://www.debian.org/security/2022/dsa-5235"}], "sourceIdentifier": "security-officer@isc.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"acknowledgement": "Red Hat would like to thank Anat Bremler-Barr (Reichman University), Shani Stajnrod (Reichman University), and Yehuda Afek (Tel-Aviv University) for reporting this issue.", "affected_release": [{"advisory": "RHSA-2023:0402", "cpe": "cpe:/o:redhat:enterprise_linux:7", "package": "bind-32:9.11.4-26.P2.el7_9.13", "product_name": "Red Hat Enterprise Linux 7", "release_date": "2023-01-24T00:00:00Z"}, {"advisory": "RHSA-2023:2792", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "bind9.16-32:9.16.23-0.14.el8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2023-05-16T00:00:00Z"}, {"advisory": "RHSA-2023:3002", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "bind-32:9.11.36-8.el8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2023-05-16T00:00:00Z"}, {"advisory": "RHSA-2023:3002", "cpe": "cpe:/o:redhat:enterprise_linux:8", "package": "bind-32:9.11.36-8.el8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2023-05-16T00:00:00Z"}, {"advisory": "RHSA-2024:2720", "cpe": "cpe:/a:redhat:rhel_eus:8.6", "package": "bind-32:9.11.36-3.el8_6.7", "product_name": "Red Hat Enterprise Linux 8.6 Extended Update Support", "release_date": "2024-05-07T00:00:00Z"}, {"advisory": "RHSA-2024:2720", "cpe": "cpe:/a:redhat:rhel_eus:8.6", "package": "dhcp-12:4.3.6-47.el8_6.2", "product_name": "Red Hat Enterprise Linux 8.6 Extended Update Support", "release_date": "2024-05-07T00:00:00Z"}, {"advisory": "RHSA-2023:2261", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "bind-32:9.16.23-11.el9", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2023-05-09T00:00:00Z"}], "bugzilla": {"description": "bind: processing large delegations may severely degrade resolver performance", "id": "2128584", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2128584"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "status": "verified"}, "cwe": "CWE-20->CWE-400", "details": ["By flooding the target resolver with queries exploiting this flaw an attacker can significantly impair the resolver's performance, effectively denying legitimate clients access to the DNS resolution service.", "A flaw was found in bind. When flooding the target resolver with special queries, an attacker can significantly impair the resolver's performance, effectively denying legitimate clients access to the DNS resolution service."], "name": "CVE-2022-2795", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "bind", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "dhcp", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2022-09-21T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2022-2795\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-2795\nhttps://kb.isc.org/docs/cve-2022-2795"], "threat_severity": "Moderate", "upstream_fix": "bind 9.16.33, bind 9.18.7, bind 9.19.5"}