CVE-2022-3924

Name of the Vulnerable Software and Affected Versions BIND 9 versions 9.16.12 through 9.16.36 BIND 9 versions 9.18.0 through 9.18.10 BIND 9 versions 9.19.0 through 9.19.8 BIND 9 versions 9.16.12-S1 through 9.16.36-S1

Description This issue can affect BIND 9 resolvers with stale-answer-enable yes; that also make use of the option stale-answer-client-timeout, configured with a value greater than zero. If the resolver receives many queries that require recursion, there will be a corresponding increase in the number of clients that are waiting for recursion to complete. If there are sufficient clients already waiting when a new client query is received so that it is necessary to SERVFAIL the longest waiting client, then it is possible for a race to occur between providing a stale answer to this older client and sending an early timeout SERVFAIL, which may cause an assertion failure.

Recommendations For BIND 9 versions 9.16.12 through 9.16.36, consider disabling the stale-answer-enable option or setting stale-answer-client-timeout to zero as a temporary workaround. For BIND 9 versions 9.18.0 through 9.18.10, consider disabling the stale-answer-enable option or setting stale-answer-client-timeout to zero as a temporary workaround. For BIND 9 versions 9.19.0 through 9.19.8, consider disabling the stale-answer-enable option or setting stale-answer-client-timeout to zero as a temporary workaround. For BIND 9 versions 9.16.12-S1 through 9.16.36-S1, consider disabling the stale-answer-enable option or setting stale-answer-client-timeout to zero as a temporary workaround. At the moment, there is no information about a newer version that contains a fix for this vulnerability.