CVE-2022-2906

Опубликовано: 21 сент. 2022

Источник: redhat

CVSS3: 7.5

EPSS Низкий

Описание

An attacker can leverage this flaw to gradually erode available memory to the point where named crashes for lack of resources. Upon restart the attacker would have to begin again, but nevertheless there is the potential to deny service.

A flaw was found in the Bind package, where a flaw in ‘named’ can cause a small memory leak in key processing when using TKEY records in Diffie-Hellman mode with OpenSSL 3.0.0 and later versions. This flaw allows an attacker to gradually erode available memory to the point where ‘named’ crashes due to a lack of resources.

Отчет

This flaw only affects versions BIND-9.18.0 and higher, whereas Red Hat ships BIND-9.16 and lower versions. Therefore, versions of BIND shipped with Red Hat Products are not affected by this flaw.

Затронутые пакеты

Платформа	Пакет	Состояние
Red Hat Enterprise Linux 6	bind	Not affected
Red Hat Enterprise Linux 7	bind	Not affected
Red Hat Enterprise Linux 8	bind	Not affected
Red Hat Enterprise Linux 8	bind9.16	Not affected
Red Hat Enterprise Linux 9	bind	Not affected
Red Hat Enterprise Linux 9	dhcp	Not affected

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Moderate

Дефект:

CWE-401

https://bugzilla.redhat.com/show_bug.cgi?id=2128598bind: memory leaks in code handling Diffie-Hellman key exchange via TKEY RRs

EPSS

Процентиль: 42%

0.00192

Низкий

7.5 High

CVSS3

Связанные уязвимости

CVE-2022-2906

CVSS3: 7.5

ubuntu

больше 2 лет назад

CVE-2022-2906

CVSS3: 7.5

nvd

больше 2 лет назад

CVE-2022-2906

CVSS3: 7.5

debian

больше 2 лет назад

An attacker can leverage this flaw to gradually erode available memory ...

GHSA-pqxc-54m5-8r8m

CVSS3: 7.5

github

больше 2 лет назад

BDU:2022-06070

CVSS3: 7.5

fstec

почти 3 года назад

Уязвимость реализации алгоритма Диффи-Хеллмана сервера DNS BIND, позволяющая нарушителю вызвать отказ в обслуживании

EPSS

Процентиль: 42%

0.00192

Низкий

7.5 High

CVSS3