PT-2023-6837 · ISC · BIND 9

Published 2023-01-25 · Updated 2024-06-15 · CVE-2022-3736

CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions
BIND 9 versions 9.16.12 through 9.16.36
BIND 9 versions 9.18.0 through 9.18.10
BIND 9 versions 9.19.0 through 9.19.8
BIND 9 Supported Preview Edition versions 9.16.12-S1 through 9.16.36-S1
Description A flaw in the implementation of the stale-answer-client-timeout option can cause a BIND 9 resolver (named) to terminate unexpectedly when it receives an RRSIG query. The affected code path is reached only when the resolver is configured to serve stale data (stale-cache-enable and stale-answer-enable both set to yes) and stale-answer-client-timeout is set to 0. A remote, unauthenticated attacker who can send queries to such a resolver can crash it with crafted RRSIG queries, causing a denial of service. The impact is on availability only: the crash does not give the attacker code execution.
Recommendations Upgrade to a release outside the affected ranges: 9.16.37 or later for the 9.16 branch, 9.18.11 or later for 9.18, 9.19.9 or later for 9.19, and 9.16.37-S1 or later for the Supported Preview Edition. Where an immediate upgrade is not possible, the crash can be avoided with a configuration change: set stale-answer-client-timeout to off, or disable serving of stale answers entirely (stale-answer-enable no), and reload named. Treat the configuration change as a stopgap only; the fixed releases are available and should be deployed.
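The following script is an added example written for this page; it is not part of the advisory and is not ISC code. It shows the crash-triggering named.conf combination next to the workaround, and implements a small exposure check that combines the advisory's version ranges with the configuration options. Assumptions are labelled in the comments: the version string has the form 9.x.y or 9.x.y-S1, options sit on their own lines with // or # line comments (/* */ block comments are not stripped), and only explicitly written options are inspected, so the defaults of your branch must be checked separately for any option that is not set. The two configurations are constructed samples, not real deployments.

```shell
#!/bin/sh
# Added example (not from the advisory or ISC): decide whether a resolver is
# exposed to CVE-2022-3736 from its BIND version string and its named.conf.
# Assumptions: version looks like "9.x.y" or "9.x.y-S1"; options are on their
# own lines with // or # line comments (/* */ block comments are not handled);
# only options written explicitly are considered, defaults are not inferred.

# Return 0 when the version is inside an affected range from the advisory:
# 9.16.12-9.16.36 (also the -S1 builds), 9.18.0-9.18.10, 9.19.0-9.19.8.
version_affected() {
    v=${1%-S1}                        # treat 9.16.36-S1 like 9.16.36
    major=${v%%.*}
    rest=${v#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    patch=${patch%%[!0-9]*}           # drop suffixes such as "rc1"
    [ "$major" = 9 ] || return 1
    if [ "$minor" -eq 16 ] && [ "$patch" -ge 12 ] && [ "$patch" -le 36 ]; then return 0; fi
    if [ "$minor" -eq 18 ] && [ "$patch" -le 10 ]; then return 0; fi
    if [ "$minor" -eq 19 ] && [ "$patch" -le 8 ]; then return 0; fi
    return 1
}

# Read named.conf text on stdin; return 0 when the crash-triggering
# combination is configured: stale cache on, stale answers on, and
# stale-answer-client-timeout set to 0. "off" does not match the last pattern.
config_triggers_crash() {
    stripped=$(sed -e 's,//.*$,,' -e 's,#.*$,,')
    printf '%s\n' "$stripped" | grep -Eq 'stale-cache-enable[[:space:]]+yes[[:space:]]*;' || return 1
    printf '%s\n' "$stripped" | grep -Eq 'stale-answer-enable[[:space:]]+yes[[:space:]]*;' || return 1
    printf '%s\n' "$stripped" | grep -Eq 'stale-answer-client-timeout[[:space:]]+0+[[:space:]]*;'
}

# $1 = BIND version, named.conf on stdin. Exposed only when both conditions hold.
cve_2022_3736_exposed() {
    version_affected "$1" && config_triggers_crash
}

# Constructed sample configurations (not real deployments).
VULNERABLE_CONF='options {
    recursion yes;
    stale-cache-enable yes;
    stale-answer-enable yes;
    stale-answer-client-timeout 0;    // an RRSIG query crashes affected named
};'

HARDENED_CONF='options {
    recursion yes;
    stale-cache-enable yes;
    stale-answer-enable yes;
    stale-answer-client-timeout off;  // workaround: the affected path is not used
};'

for ver in 9.16.36 9.16.36-S1 9.16.37 9.18.11; do
    if printf '%s\n' "$VULNERABLE_CONF" | cve_2022_3736_exposed "$ver"; then
        echo "BIND $ver + vulnerable config: EXPOSED, upgrade or set stale-answer-client-timeout off"
    else
        echo "BIND $ver + vulnerable config: not exposed"
    fi
done
if printf '%s\n' "$HARDENED_CONF" | cve_2022_3736_exposed 9.16.36; then
    echo "BIND 9.16.36 + hardened config: EXPOSED"
else
    echo "BIND 9.16.36 + hardened config: not exposed"
fi
```

On a real host, feed the running daemon's version and configuration into the check, for example `named -v | awk '{print $2}'` for the version and `cat /etc/named.conf | cve_2022_3736_exposed "$ver"` for the configuration; the version test alone is what a package scanner reports, while the configuration test is what tells you whether the crash is actually reachable on that resolver.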

Fix

DoS



Related Identifiers

ALSA-2023:2261
ALSA-2023:2792
ALT-PU-2023-1130
ALT-PU-2023-1185
AZL-13203
BDU:2023-07832
CESA-2023_2792
CVE-2022-3736
DSA-5329-1
OESA-2023-1067
OESA-2023-1068
OPENSUSE-SU-2023_0341-1
OPENSUSE-SU-2024:12641-1
RHSA-2023:2261
RHSA-2023:2792
RHSA-2023_2261
RHSA-2023_2792
SUSE-SU-2023:0341-1
USN-5827-1

Affected Products

ALT Linux
AlmaLinux
BIND 9
BIND Server
CentOS
IBM AIX
Linux Mint
Red Hat
SUSE
Ubuntu