Reachable Assertion Affecting bind9 package, versions <1:9.16.37-1~deb11u1


Severity

Recommended
0.0
high
0
10

Snyk's Security Team recommends NVD's CVSS assessment. Learn more

Threat Intelligence

EPSS
0.09% (42nd percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-DEBIAN11-BIND9-3248399
  • published26 Jan 2023
  • disclosed26 Jan 2023

Introduced: 26 Jan 2023

CVE-2022-3924  (opens in a new tab)
CWE-617  (opens in a new tab)

How to fix?

Upgrade Debian:11 bind9 to version 1:9.16.37-1~deb11u1 or higher.

NVD Description

Note: Versions mentioned in the description apply only to the upstream bind9 package and not the bind9 package as distributed by Debian. See How to fix? for Debian:11 relevant fixed versions and status.

This issue can affect BIND 9 resolvers with stale-answer-enable yes; that also make use of the option stale-answer-client-timeout, configured with a value greater than zero.

If the resolver receives many queries that require recursion, there will be a corresponding increase in the number of clients that are waiting for recursion to complete. If there are sufficient clients already waiting when a new client query is received so that it is necessary to SERVFAIL the longest waiting client (see BIND 9 ARM recursive-clients limit and soft quota), then it is possible for a race to occur between providing a stale answer to this older client and sending an early timeout SERVFAIL, which may cause an assertion failure. This issue affects BIND 9 versions 9.16.12 through 9.16.36, 9.18.0 through 9.18.10, 9.19.0 through 9.19.8, and 9.16.12-S1 through 9.16.36-S1.

CVSS Scores

version 3.1