{
  "threat_severity" : "Important",
  "public_date" : "2022-09-21T00:00:00Z",
  "bugzilla" : {
    "description" : "bind: memory leaks in EdDSA DNSSEC verification code",
    "id" : "2128602",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2128602"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-401",
  "details" : [ "By spoofing the target resolver with responses that have a malformed EdDSA signature, an attacker can trigger a small memory leak. It is possible to gradually erode available memory to the point where named crashes for lack of resources.", "A flaw was found in the Bind package, where the DNSSEC verification code for the EdDSA algorithm leaks memory when there is a signature length mismatch. By spoofing the target resolver with responses that have a malformed EdDSA signature, an attacker can trigger a small memory leak, which can eventually cause the program to crash." ],
  "statement" : "This flaw affects versions 9.9.12 through 9.16.32 of the Bind package; therefore, Red Hat Enterprise Linux 6 is not affected.",
  "acknowledgement" : "Red Hat would like to thank Maksym Odinintsev for reporting this issue.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 7",
    "release_date" : "2022-10-03T00:00:00Z",
    "advisory" : "RHSA-2022:6765",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7",
    "package" : "bind-32:9.11.4-26.P2.el7_9.10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2022-10-04T00:00:00Z",
    "advisory" : "RHSA-2022:6778",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "bind-32:9.11.36-3.el8_6.1"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2022-10-04T00:00:00Z",
    "advisory" : "RHSA-2022:6781",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "bind9.16-32:9.16.23-0.7.el8_6.1"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2022-10-04T00:00:00Z",
    "advisory" : "RHSA-2022:6778",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8",
    "package" : "bind-32:9.11.36-3.el8_6.1"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions",
    "release_date" : "2022-10-03T00:00:00Z",
    "advisory" : "RHSA-2022:6764",
    "cpe" : "cpe:/a:redhat:rhel_e4s:8.1",
    "package" : "bind-32:9.11.4-26.P2.el8_1.6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.2 Extended Update Support",
    "release_date" : "2022-10-04T00:00:00Z",
    "advisory" : "RHSA-2022:6780",
    "cpe" : "cpe:/a:redhat:rhel_eus:8.2",
    "package" : "bind-32:9.11.13-6.el8_2.4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.4 Extended Update Support",
    "release_date" : "2022-10-04T00:00:00Z",
    "advisory" : "RHSA-2022:6779",
    "cpe" : "cpe:/a:redhat:rhel_eus:8.4",
    "package" : "bind-32:9.11.26-4.el8_4.1"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2022-10-03T00:00:00Z",
    "advisory" : "RHSA-2022:6763",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "bind-32:9.16.23-1.el9_0.1"
  }, {
    "product_name" : "Red Hat Virtualization 4 for Red Hat Enterprise Linux 8",
    "release_date" : "2022-11-22T00:00:00Z",
    "advisory" : "RHSA-2022:8598",
    "cpe" : "cpe:/o:redhat:rhev_hypervisor:4.4::el8",
    "package" : "redhat-virtualization-host-0:4.5.3-202211170828_8.6"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "bind",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "dhcp",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2022-38178\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-38178\nhttps://kb.isc.org/docs/cve-2022-38178" ],
  "name" : "CVE-2022-38178",
  "csaw" : false
}