CVSS3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: NONE
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H
EPSS Percentile: 75.3%
Severity: Medium
Canonical Ubuntu
Yehuda Afek, Anat Bremler-Barr, and Shani Stajnrod discovered that Bind incorrectly handled large delegations. A remote attacker could possibly use this issue to reduce performance, leading to a denial of service. (CVE-2022-2795)

It was discovered that Bind incorrectly handled statistics requests. A remote attacker could possibly use this issue to obtain sensitive memory contents, or cause a denial of service. This issue only affected Ubuntu 22.04 LTS. (CVE-2022-2881)

It was discovered that Bind incorrectly handled memory when processing certain Diffie-Hellman key exchanges. A remote attacker could use this issue to consume resources, leading to a denial of service. This issue only affected Ubuntu 22.04 LTS. (CVE-2022-2906)

Maksym Odinintsev discovered that Bind incorrectly handled answers from cache when configured with a zero stale-answer-client-timeout. A remote attacker could possibly use this issue to cause Bind to crash, resulting in a denial of service. This issue only affected Ubuntu 22.04 LTS. (CVE-2022-3080)

It was discovered that Bind incorrectly handled memory when processing ECDSA DNSSEC verification. A remote attacker could use this issue to consume resources, leading to a denial of service. This issue only affected Ubuntu 18.04 LTS and Ubuntu 20.04 LTS. (CVE-2022-38177)

It was discovered that Bind incorrectly handled memory when processing EdDSA DNSSEC verification. A remote attacker could use this issue to consume resources, leading to a denial of service. (CVE-2022-38178)

Update Instructions: Run sudo ua fix USN-5626-1 to fix the vulnerability. The problem can be corrected by updating your system to the following package versions (no subscription required):

- bind9 – 1:9.11.3+dfsg-1ubuntu1.18
- bind9-doc – 1:9.11.3+dfsg-1ubuntu1.18
- bind9-host – 1:9.11.3+dfsg-1ubuntu1.18
- bind9utils – 1:9.11.3+dfsg-1ubuntu1.18
- dnsutils – 1:9.11.3+dfsg-1ubuntu1.18
- libbind-dev – 1:9.11.3+dfsg-1ubuntu1.18
- libbind-export-dev – 1:9.11.3+dfsg-1ubuntu1.18
- libbind9-160 – 1:9.11.3+dfsg-1ubuntu1.18
- libdns-export1100 – 1:9.11.3+dfsg-1ubuntu1.18
- libdns1100 – 1:9.11.3+dfsg-1ubuntu1.18
- libirs-export160 – 1:9.11.3+dfsg-1ubuntu1.18
- libirs160 – 1:9.11.3+dfsg-1ubuntu1.18
- libisc-export169 – 1:9.11.3+dfsg-1ubuntu1.18
- libisc169 – 1:9.11.3+dfsg-1ubuntu1.18
- libisccc-export160 – 1:9.11.3+dfsg-1ubuntu1.18
- libisccc160 – 1:9.11.3+dfsg-1ubuntu1.18
- libisccfg-export160 – 1:9.11.3+dfsg-1ubuntu1.18
- libisccfg160 – 1:9.11.3+dfsg-1ubuntu1.18
- liblwres160 – 1:9.11.3+dfsg-1ubuntu1.18
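To confirm that a host, or an exported package inventory from a fleet of hosts, no longer carries pre-fix bind9 packages, the following added example (not Ubuntu's, Cloud Foundry's or ISC's code) reimplements the deb-version(7) ordering rules so the comparison can run offline; on a live system `dpkg --compare-versions` or `ua fix` already applies them. The package names and fixed version come from the list above. The sample input lines are constructed, and the assumption is that the inventory was exported with `dpkg-query -W -f='${Package} ${Version} ${Status}\n'`, so that packages removed but not purged (which still report their old version) can be filtered out.

```python
"""Flag bind9 packages below the USN-5626-1 fixed version in dpkg-query output.

Added example for this advisory page; not Ubuntu or Cloud Foundry tooling.
Expected input (assumption): dpkg-query -W -f='${Package} ${Version} ${Status}\n'
Version ordering follows deb-version(7): epoch, then upstream, then revision;
each part is split into alternating non-digit/digit runs, digit runs compare
numerically, '~' sorts before everything (even end of string), letters before
non-letters.
"""
import re
import sys

# Fixed version and package names taken from the USN text above (Ubuntu 18.04 LTS).
FIXED_VERSION = "1:9.11.3+dfsg-1ubuntu1.18"
USN_PACKAGES = {
    "bind9", "bind9-doc", "bind9-host", "bind9utils", "dnsutils",
    "libbind-dev", "libbind-export-dev", "libbind9-160", "libdns-export1100",
    "libdns1100", "libirs-export160", "libirs160", "libisc-export169",
    "libisc169", "libisccc-export160", "libisccc160", "libisccfg-export160",
    "libisccfg160", "liblwres160",
}
_RUNS = re.compile(r"(\D*)(\d*)")


def _char_weight(c: str) -> int:
    """Weight of one non-digit character ('' means end of string)."""
    if c == "~":
        return -1            # '~' sorts before even the empty string
    if c == "":
        return 0
    if c.isalpha():
        return ord(c)        # letters sort before non-letters
    return ord(c) + 256


def _cmp_nondigit(a: str, b: str) -> int:
    for i in range(max(len(a), len(b))):
        wa = _char_weight(a[i] if i < len(a) else "")
        wb = _char_weight(b[i] if i < len(b) else "")
        if wa != wb:
            return -1 if wa < wb else 1
    return 0


def _cmp_fragment(a: str, b: str) -> int:
    """Compare an upstream version or a Debian revision string."""
    ra, rb = _RUNS.findall(a), _RUNS.findall(b)
    for i in range(max(len(ra), len(rb))):
        na, da = ra[i] if i < len(ra) else ("", "")
        nb, db = rb[i] if i < len(rb) else ("", "")
        c = _cmp_nondigit(na, nb)
        if c:
            return c
        ia, ib = int(da or 0), int(db or 0)   # numeric, so 1.9 < 1.18
        if ia != ib:
            return -1 if ia < ib else 1
    return 0


def parse_version(v: str):
    """Split '[epoch:]upstream[-revision]' into (epoch, upstream, revision)."""
    epoch, sep, rest = v.partition(":")
    if not sep:
        epoch, rest = "0", v
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def compare_versions(a: str, b: str) -> int:
    """Return <0, 0, >0 like `dpkg --compare-versions a lt|eq|gt b`."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)


def outdated_packages(dpkg_output: str, fixed: str = FIXED_VERSION):
    """Return [(package, installed_version)] for USN packages below `fixed`.

    Only state 'install ok installed' counts: a removed-but-not-purged package
    still lists its old version and would otherwise be a false positive.
    """
    found = []
    for line in dpkg_output.splitlines():
        fields = line.split(maxsplit=2)
        if len(fields) != 3:
            continue
        pkg, ver, status = fields
        if pkg in USN_PACKAGES and status == "install ok installed":
            if compare_versions(ver, fixed) < 0:
                found.append((pkg, ver))
    return found


# Constructed sample inventory; not captured from a real host.
SAMPLE_DPKG_OUTPUT = """\
bind9 1:9.11.3+dfsg-1ubuntu1.17 install ok installed
bind9-host 1:9.11.3+dfsg-1ubuntu1.18 install ok installed
bind9utils 1:9.11.3+dfsg-1ubuntu1.17 install ok installed
dnsutils 1:9.11.3+dfsg-1ubuntu1.9 install ok installed
libdns1100 1:9.11.3+dfsg-1ubuntu1.18 install ok installed
libbind-dev 1:9.11.3+dfsg-1ubuntu1.17 deinstall ok config-files
openssl 1.1.1-1ubuntu2.1~18.04.20 install ok installed
"""

if __name__ == "__main__":
    # Usage: python3 check_usn5626.py [inventory.txt]; sample data if no file given.
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DPKG_OUTPUT
    for pkg, ver in outdated_packages(data):
        print(f"{pkg} {ver} is below {FIXED_VERSION}: apply USN-5626-1")
```

The numeric run comparison matters here: a plain string comparison would rank `1ubuntu1.9` above `1ubuntu1.18`, and an epoch-less `9.11.3+dfsg-1ubuntu1.18` would look current while dpkg treats it as older than `1:9.11.3+dfsg-1ubuntu1.18`. The fixed version in this list is the Ubuntu 18.04 LTS build; for 20.04 or 22.04 hosts substitute the fixed version from the corresponding USN before running the check.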
CVEs contained in this USN include: CVE-2022-2795, CVE-2022-2881, CVE-2022-2906, CVE-2022-3080, CVE-2022-38177, CVE-2022-38178.
Severity is medium unless otherwise noted.
Users of affected products are strongly encouraged to follow the mitigations below. The Cloud Foundry project recommends upgrading the following releases:
2022-10-28: Initial vulnerability report published.
Vendor | Product | Version | CPE |
---|---|---|---|
cloudfoundry | bionic_stemcells | * | cpe:2.3:a:cloudfoundry:bionic_stemcells:*:*:*:*:*:*:*:* |
cloudfoundry | cflinuxfs3 | * | cpe:2.3:a:cloudfoundry:cflinuxfs3:*:*:*:*:*:*:*:* |
cloudfoundry | cf-deployment | * | cpe:2.3:a:cloudfoundry:cf-deployment:*:*:*:*:*:*:*:* |