"BIND Updates Patch High-Severity Vulnerabilities"

The Internet Systems Consortium (ISC) recently announced the availability of patches for six vulnerabilities in the widely deployed BIND DNS software. Four of the resolved security flaws have a severity rating of "high," and all four could be exploited to cause a denial-of-service (DoS) condition.

CVE-2022-2906 is a memory leak affecting "key processing when using TKEY records in Diffie-Hellman mode with OpenSSL 3.0.0 and later versions". The company noted that a remote attacker could exploit the bug to gradually erode available memory, leading to a crash.

The second flaw, tracked as CVE-2022-3080, may crash the BIND 9 resolver under certain conditions when crafted queries are sent to it.

The third, CVE-2022-38177, is a memory leak in the DNSSEC verification code for the ECDSA algorithm, which can be triggered by a signature length mismatch.

The fourth high-severity bug addressed in BIND 9 is CVE-2022-38178, a memory leak affecting the DNSSEC verification code for the EdDSA algorithm, which can be triggered with malformed ECDSA signatures.

The company noted that updates were released for BIND 9.18 (stable branch), BIND 9.19 (development version), and BIND 9.16 (Extended Support Version). ISC says it is not aware of any public exploits targeting these vulnerabilities.

SecurityWeek reports: "BIND Updates Patch High-Severity Vulnerabilities"