The Internet Systems Consortium (ISC) has released patches to address multiple security vulnerabilities in the Berkeley Internet Name Domain (BIND) 9 Domain Name System (DNS) software suite that could lead to a denial of service (DoS) condition.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) said in an advisory released on Friday that "remote attackers could exploit these vulnerabilities to cause a denial of service condition or system failure."
According to ISC's website, this open-source software is used by major financial institutions, domestic and international carriers, Internet Service Providers (ISPs), retailers, manufacturers, educational institutions, and government agencies.
All four flaws exist in named, the BIND 9 service that acts as an authoritative nameserver for a fixed set of DNS zones or as a recursive resolver for clients on the local network.
Here is a list of bugs rated 7.5 on the CVSS scoring system:
- CVE-2022-3094 – A flood of UPDATE messages can cause named to exhaust all available memory
- CVE-2022-3488 – Processing ECS options in repeated responses to iterative queries may cause named in BIND Supported Preview Edition to terminate unexpectedly
- CVE-2022-3736 – named configured to respond from stale cache may terminate unexpectedly while processing RRSIG queries
- CVE-2022-3924 – named configured to respond from stale cache may terminate unexpectedly at the recursive-clients soft quota
Successful exploitation of the vulnerabilities may cause the named service to crash or exhaust available memory on the target server.
The issues affect versions 9.16.0 through 9.16.36, 9.18.0 through 9.18.10, 9.19.0 through 9.19.8, and 9.16.8-S1 through 9.16.36-S1. CVE-2022-3488 also affects BIND Supported Preview Edition versions 9.11.4-S1 through 9.11.37-S1. These issues are resolved in versions 9.16.37, 9.18.11, 9.19.9, and 9.16.37-S1.
Although there is no evidence of any of these vulnerabilities being actively exploited, we recommend upgrading to the latest version as soon as possible to mitigate potential threats.
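For administrators triaging an inventory, the affected ranges above can be checked mechanically. The following Python sketch is an added example, not ISC's or CISA's code; the function names and the sample version strings are constructed for illustration, and pointing 9.11-S builds at 9.16.37-S1 is an assumption based on that being the only -S fix the article lists.

```python
import re

# Affected ranges as listed in the article: (first, last, fixed release).
OSS_RANGES = [
    ((9, 16, 0), (9, 16, 36), "9.16.37"),
    ((9, 18, 0), (9, 18, 10), "9.18.11"),
    ((9, 19, 0), (9, 19, 8), "9.19.9"),
]
# Supported Preview Edition ("-S") builds have their own ranges.
S_RANGES = [
    ((9, 16, 8), (9, 16, 36), "9.16.37-S1"),
    # Listed for CVE-2022-3488 only. Assumption: upgrade target is the
    # single -S fix named in the article.
    ((9, 11, 4), (9, 11, 37), "9.16.37-S1"),
]

VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)(?:-(S\d+))?")


def parse_version(text):
    """Extract ((major, minor, patch), is_preview_edition) from a banner."""
    m = VERSION_RE.search(text)
    if m is None:
        return None
    return tuple(int(p) for p in m.group(1, 2, 3)), m.group(4) is not None


def check(text):
    """Return (status, fixed_release) for a version string or banner."""
    parsed = parse_version(text)
    if parsed is None:
        return ("unknown", None)
    version, is_preview = parsed
    for first, last, fixed in (S_RANGES if is_preview else OSS_RANGES):
        if first <= version <= last:
            return ("affected", fixed)
    return ("not listed", None)


if __name__ == "__main__":
    # Constructed sample banners, in the style of `named -v` output.
    inventory = {
        "ns1": "BIND 9.16.36 (Extended Support Version) <id:0000000>",
        "ns2": "BIND 9.18.11 (Stable Release) <id:0000000>",
        "ns3": "BIND 9.11.37-S1 (Extended Support Version) <id:0000000>",
    }
    for host, banner in inventory.items():
        print(host, *check(banner))
```

Distribution packages may backport fixes without changing the upstream version number, so an "affected" result is a prompt to check the vendor's changelog rather than proof of exposure.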