{
  "threat_severity" : "Important",
  "public_date" : "2022-09-21T00:00:00Z",
  "bugzilla" : {
    "description" : "bind: memory leak in ECDSA DNSSEC verification code",
    "id" : "2128601",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2128601"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-401",
  "details" : [ "By spoofing the target resolver with responses that have a malformed ECDSA signature, an attacker can trigger a small memory leak. It is possible to gradually erode available memory to the point where named crashes for lack of resources.", "A flaw was found in the Bind package. By spoofing the target resolver with responses that have a malformed ECDSA signature, an attacker can trigger a small memory leak, resulting in crashing the program." ],
  "statement" : "This flaw affects versions 9.8.4 -> 9.16.32 of the Bind package, therefore Red Hat Enterprise Linux 6 is not affected.",
  "acknowledgement" : "Red Hat would like to thank Maksym Odinintsev for reporting this issue.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 7",
    "release_date" : "2022-10-03T00:00:00Z",
    "advisory" : "RHSA-2022:6765",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7",
    "package" : "bind-32:9.11.4-26.P2.el7_9.10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2022-10-04T00:00:00Z",
    "advisory" : "RHSA-2022:6778",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "bind-32:9.11.36-3.el8_6.1"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2022-10-04T00:00:00Z",
    "advisory" : "RHSA-2022:6781",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "bind9.16-32:9.16.23-0.7.el8_6.1"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2022-10-04T00:00:00Z",
    "advisory" : "RHSA-2022:6778",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8",
    "package" : "bind-32:9.11.36-3.el8_6.1"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions",
    "release_date" : "2022-10-03T00:00:00Z",
    "advisory" : "RHSA-2022:6764",
    "cpe" : "cpe:/a:redhat:rhel_e4s:8.1",
    "package" : "bind-32:9.11.4-26.P2.el8_1.6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.2 Extended Update Support",
    "release_date" : "2022-10-04T00:00:00Z",
    "advisory" : "RHSA-2022:6780",
    "cpe" : "cpe:/a:redhat:rhel_eus:8.2",
    "package" : "bind-32:9.11.13-6.el8_2.4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.4 Extended Update Support",
    "release_date" : "2022-10-04T00:00:00Z",
    "advisory" : "RHSA-2022:6779",
    "cpe" : "cpe:/a:redhat:rhel_eus:8.4",
    "package" : "bind-32:9.11.26-4.el8_4.1"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2022-10-03T00:00:00Z",
    "advisory" : "RHSA-2022:6763",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "bind-32:9.16.23-1.el9_0.1"
  }, {
    "product_name" : "Red Hat Virtualization 4 for Red Hat Enterprise Linux 8",
    "release_date" : "2022-11-22T00:00:00Z",
    "advisory" : "RHSA-2022:8598",
    "cpe" : "cpe:/o:redhat:rhev_hypervisor:4.4::el8",
    "package" : "redhat-virtualization-host-0:4.5.3-202211170828_8.6"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "bind",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "dhcp",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2022-38177\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-38177\nhttps://kb.isc.org/docs/cve-2022-38177" ],
  "name" : "CVE-2022-38177",
  "csaw" : false
}