Six remotely exploitable vulnerabilities in the widely used BIND DNS software were fixed this week, according to the Internet Systems Consortium (ISC). Four of the fixed security flaws have a severity rating of “high.”
All four of these vulnerabilities could be used to cause a denial-of-service (DoS) condition. ISC’s advisory describes the first of these, CVE-2022-2906, as a memory leak that affects “key processing when using TKEY records in Diffie-Hellman mode with OpenSSL 3.0.0 and later versions.” The second flaw, identified as CVE-2022-3080, may, in some circumstances, cause the BIND 9 resolver to crash when specially crafted queries are sent to it.
According to ISC, CVE-2022-38177 is a memory leak that can be triggered by a signature length mismatch in the DNSSEC verification code for the ECDSA algorithm.