CVE-2022-3736

Summary

BIND 9 resolver can crash when stale cache and stale answers are enabled, option stale-answer-client-timeout is set to a positive integer, and the resolver receives an RRSIG query. This issue affects BIND 9 versions 9.16.12 through 9.16.36, 9.18.0 through 9.18.10, 9.19.0 through 9.19.8, and 9.16.12-S1 through 9.16.36-S1.

Affected Software

VendorProductVersion RangeStatus
ISCBIND 99.16.12 <= 9.16.36affected
ISCBIND 99.18.0 <= 9.18.10affected
ISCBIND 99.19.0 <= 9.19.8affected
ISCBIND 99.16.12-S1 <= 9.16.36-S1affected

Weaknesses

  • n/a

Workarounds

Setting stale-answer-client-timeout to 0 or to off/disabled will prevent BIND from crashing due to this issue.

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

References