The Internet Systems Consortium (ISC) has released new security updates that fix four High risk vulnerabilities in multiple versions of ISC Berkeley Internet Name Domain (BIND).
BIND is the most widely used Domain Name System software on the Internet.
ISC patched the following High severity vulnerabilities in all (along with CVSS score):
- CVE-2022-3094: An UPDATE message flood may cause named to exhaust all available memory (CVSS 7.5)
- CVE-2022-3488: BIND Supported Preview Edition named may terminate unexpectedly when processing ECS options in repeated responses to iterative queries (CVSS 7.5)
- CVE-2022-3736: named configured to answer from stale cache may terminate unexpectedly while processing RRSIG queries (CVSS 7.5)
- CVE-2022-3924: named configured to answer from stale cache may terminate unexpectedly at recursive-clients soft quota (CVSS 7.5).
Multiple versions of BIND 9 are affected. ISC is not aware of any active exploits.