csaf_microsoft - msrc

msrc_cve-2022-0396

Vulnerability from csaf_microsoft

Published

2022-03-02 00:00

Modified

2022-03-30 00:00

Summary

DoS from specifically crafted TCP packets

Notes

Additional Resources

To determine the support lifecycle for your software, see the Microsoft Support Lifecycle: https://support.microsoft.com/lifecycle

Disclaimer

The information provided in the Microsoft Knowledge Base is provided \"as is\" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

JSON

To clipboard

{
  "document": {
    "category": "csaf_vex",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Public",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en-US",
    "notes": [
      {
        "category": "general",
        "text": "To determine the support lifecycle for your software, see the Microsoft Support Lifecycle: https://support.microsoft.com/lifecycle",
        "title": "Additional Resources"
      },
      {
        "category": "legal_disclaimer",
        "text": "The information provided in the Microsoft Knowledge Base is provided \\\"as is\\\" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.",
        "title": "Disclaimer"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "secure@microsoft.com",
      "name": "Microsoft Security Response Center",
      "namespace": "https://msrc.microsoft.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "CVE-2022-0396 DoS from specifically crafted TCP packets - VEX",
        "url": "https://msrc.microsoft.com/csaf/vex/2022/msrc_cve-2022-0396.json"
      },
      {
        "category": "external",
        "summary": "Microsoft Support Lifecycle",
        "url": "https://support.microsoft.com/lifecycle"
      },
      {
        "category": "external",
        "summary": "Common Vulnerability Scoring System",
        "url": "https://www.first.org/cvss"
      }
    ],
    "title": "DoS from specifically crafted TCP packets",
    "tracking": {
      "current_release_date": "2022-03-30T00:00:00.000Z",
      "generator": {
        "date": "2025-10-19T23:23:33.139Z",
        "engine": {
          "name": "MSRC Generator",
          "version": "1.0"
        }
      },
      "id": "msrc_CVE-2022-0396",
      "initial_release_date": "2022-03-02T00:00:00.000Z",
      "revision_history": [
        {
          "date": "2022-03-30T00:00:00.000Z",
          "legacy_version": "1",
          "number": "1",
          "summary": "Information published."
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "1.0",
                "product": {
                  "name": "CBL Mariner 1.0",
                  "product_id": "16820"
                }
              },
              {
                "category": "product_version",
                "name": "2.0",
                "product": {
                  "name": "CBL Mariner 2.0",
                  "product_id": "17086"
                }
              }
            ],
            "category": "product_name",
            "name": "Azure Linux"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003ccm1 bind 9.16.27-1",
                "product": {
                  "name": "\u003ccm1 bind 9.16.27-1",
                  "product_id": "2"
                }
              },
              {
                "category": "product_version",
                "name": "cm1 bind 9.16.27-1",
                "product": {
                  "name": "cm1 bind 9.16.27-1",
                  "product_id": "18759"
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003ccbl2 bind 9.16.29-1",
                "product": {
                  "name": "\u003ccbl2 bind 9.16.29-1",
                  "product_id": "1"
                }
              },
              {
                "category": "product_version",
                "name": "cbl2 bind 9.16.29-1",
                "product": {
                  "name": "cbl2 bind 9.16.29-1",
                  "product_id": "18760"
                }
              }
            ],
            "category": "product_name",
            "name": "bind"
          }
        ],
        "category": "vendor",
        "name": "Microsoft"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "\u003ccm1 bind 9.16.27-1 as a component of CBL Mariner 1.0",
          "product_id": "16820-2"
        },
        "product_reference": "2",
        "relates_to_product_reference": "16820"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "cm1 bind 9.16.27-1 as a component of CBL Mariner 1.0",
          "product_id": "18759-16820"
        },
        "product_reference": "18759",
        "relates_to_product_reference": "16820"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "\u003ccbl2 bind 9.16.29-1 as a component of CBL Mariner 2.0",
          "product_id": "17086-1"
        },
        "product_reference": "1",
        "relates_to_product_reference": "17086"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "cbl2 bind 9.16.29-1 as a component of CBL Mariner 2.0",
          "product_id": "18760-17086"
        },
        "product_reference": "18760",
        "relates_to_product_reference": "17086"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2022-0396",
      "cwe": {
        "id": "CWE-404",
        "name": "Improper Resource Shutdown or Release"
      },
      "notes": [
        {
          "category": "general",
          "text": "isc",
          "title": "Assigning CNA"
        }
      ],
      "product_status": {
        "fixed": [
          "18759-16820",
          "18760-17086"
        ],
        "known_affected": [
          "16820-2",
          "17086-1"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2022-0396 DoS from specifically crafted TCP packets - VEX",
          "url": "https://msrc.microsoft.com/csaf/vex/2022/msrc_cve-2022-0396.json"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2022-03-30T00:00:00.000Z",
          "details": "9.16.27-1:Security Update:https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade",
          "product_ids": [
            "16820-2"
          ],
          "url": "https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade"
        },
        {
          "category": "vendor_fix",
          "date": "2022-03-30T00:00:00.000Z",
          "details": "9.16.29-1:Security Update:https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade",
          "product_ids": [
            "17086-1"
          ],
          "url": "https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "environmentalsScore": 0.0,
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "temporalScore": 5.3,
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.1"
          },
          "products": [
            "16820-2",
            "17086-1"
          ]
        }
      ],
      "title": "DoS from specifically crafted TCP packets"
    }
  ]
}

CVE-2022-0396 (GCVE-0-2022-0396)

Vulnerability from cvelistv5

Published

2022-03-23 10:45

Modified

2024-09-16 19:05

Severity ?

5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CWE

ISC recently discovered an issue in BIND that allows TCP connection slots to be consumed for an indefinite time frame via a specifically crafted TCP stream sent from a client. This issue is present in BIND. BIND 9.16.11 -> 9.16.26, 9.17.0 -> 9.18.0 and versions 9.16.11-S1 -> 9.16.26-S1 of the BIND Supported Preview Edition. 9.16.11 to 9.16.26 (including S editions), and 9.18.0. This issue can only be triggered on BIND servers which have keep-response-order enabled, which is not the default configuration. The keep-response-order option is an ACL block; any hosts which are specified within it will be able to trigger this issue on affected versions. BIND 9.16.11 -> 9.16.26, 9.17.0 -> 9.18.0 and versions 9.16.11-S1 -> 9.16.26-S1 of the BIND Supported Preview Edition.

Summary

BIND 9.16.11 -> 9.16.26, 9.17.0 -> 9.18.0 and versions 9.16.11-S1 -> 9.16.26-S1 of the BIND Supported Preview Edition. Specifically crafted TCP streams can cause connections to BIND to remain in CLOSE_WAIT status for an indefinite period of time, even after the client has terminated the connection.

References

URL

Tags

	https://kb.isc.org/v1/docs/cve-2022-0396
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NYD7US4HZRFUGAJ66ZTHFBYVP5N3OQBY/	vendor-advisory
	https://security.netapp.com/advisory/ntap-20220408-0001/
	https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf
	https://security.gentoo.org/glsa/202210-25	vendor-advisory

Impacted products

	Vendor	Product	Version
	ISC	BIND	Version: Open Source Branch 9.16 9.16.11 through versions before 9.16.27 Version: Development Branch 9.17 BIND 9.17 all versions Version: Open Source Branch 9.18 9.18.0 Version: Supported Preview Branch 9.16-S 9.16.11-S through versions before 9.16.27-S

Show details on NVD website