Skip to content

[CVE-2022-2906] Memory leaks in code handling Diffie-Hellman key exchange via TKEY RRs (OpenSSL 3.0.0+ only)

Incident Tracking

isc-private/bind9#56

CVE-specific actions

  • Assign a CVE identifier: CVE-2022-2906
  • Determine CVSS score: 7.5
  • Determine the range of BIND versions affected (including the Subscription Edition)
  • Determine whether workarounds for the problem exists: (use a method other than DH for TKEY)
  • Create a draft of the security advisory and put the information above in there
  • Prepare a detailed description of the problem which should include the following by default:
    • instructions for reproducing the problem (a system test is good enough): see below
    • explanation of code flow which triggers the problem (a system test is not good enough):
  • Prepare a private merge request containing the following items in separate commits:
    • a test for the issue (may be moved to a separate merge request for deferred merging): reproduction instructions below, it appears this is a current test case.
    • a fix for the issue: Fix
    • documentation updates (CHANGES, release notes, anything else applicable): Release Note, Changes
  • Ensure the merge request from the previous step is reviewed by SWENG staff and has no outstanding discussions
  • Ensure the documentation changes introduced by the merge request addressing the problem are reviewed by Support and Marketing staff
  • Prepare backports of the merge request addressing the problem for all affected (and still maintained) BIND branches (backporting might affect the issue's scope and/or description)
  • Prepare a standalone patch for the last stable release of each affected (and still maintained) BIND branch

Release-specific actions

  • Create/update the private issue containing links to fixes & reproducers for all CVEs fixed in a given release cycle
  • Reserve a block of CHANGES placeholders once the complete set of vulnerabilities fixed in a given release cycle is determined
  • Ensure the merge requests containing CVE fixes are merged into security-* branches in CVE identifier order

Post-disclosure actions

  • Merge a regression test reproducing the bug into all affected (and still maintained) BIND branches

Summary

CVSS v3.1 Vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 7.5

BIND version used

Affects 9.18.0+, 9.19.0+

LeakSanitizer detected memory leaks on Fedora 36 with GCC 12.1.1 in dst_test in job #2692507.

Prerequisite for Fedora 36 (!6297 (merged)).

Edited by Michał Kępień
To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information