BIND named Crash via Resolver Query (CVE-2022-3080)
CVE-2022-3080 Published on September 21, 2022
BIND 9 resolvers configured to answer from stale cache with zero stale-answer-client-timeout may terminate unexpectedly
By sending specific queries to the resolver, an attacker can cause named to crash.
Vulnerability Analysis
CVE-2022-3080 is exploitable with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality and integrity, and a high impact on availability.
Weakness Type
Insufficient Session Expiration
According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."
Products Associated with CVE-2022-3080
You can be notified by email with stack.watch whenever vulnerabilities like CVE-2022-3080 are published in these products:
Affected Versions
ISC BIND9:- Version Open Source Branch 9.16 9.16.14 through versions before 9.16.33 is affected.
- Version Open Source Branch 9.18 9.18.0 through versions before 9.18.7 is affected.
- Version Supported Preview Branch 9.16-S 9.16.14-S1 through versions before 9.16.33-S1 is affected.
- Version Development Branch 9.19 9.19.0 through versions before 9.19.5 is affected.
- Version 35 is affected.
- Version 36 is affected.
- Version 37 is affected.
- Version 9.16.14 and below 9.16.33 is affected.
- Version 9.16.14 is affected.
- Version 9.16.21 is affected.
- Version 9.16.32 is affected.
- Version 9.18.0 and below 9.18.7 is affected.
- Version 9.19.0 and below 9.19.5 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.