Bugzilla – Bug 1199619
VUL-0: CVE-2022-1183: bind: Destroying a TLS session early causes assertion failure
Last modified: 2022-09-16 13:09:23 UTC
From distros mailing list
To the packagers and redistributors of BIND 9:
ISC would like to make you aware of an upcoming security disclosure,
scheduled for Wednesday May 18, 2022, covering one high-severity
BIND vulnerability. Please consider this information confidential
and under embargo until ISC publicly announces the vulnerability
on the disclosure date.
CVE-2022-1183 affects only two branches of BIND, but all publicly
released versions of BIND from these two branches are vulnerable:
- BIND 9.18 branch - Current-Stable
- BIND 9.19 branch - Development/Experimental
No released versions in the 9.16 branch (Current-Stable, ESV) are affected
Although updated packages should not be released until ISC discloses
this vulnerability on the 18th, early access is being provided to
the May maintenance releases of BIND so that packagers can have
updated offerings available quickly after public disclosure.
Maintainers who prefer to selectively choose which fixes to apply can
find a vulnerability-specific patch diff in the "patches" subdirectory
of the release directories listed below (for the affected open-source
production branches of BIND 9)
New releases of BIND that correct the vulnerabilities AND include
other fixes and feature changes added for the May maintenance
releases are available via:
- The BIND 9.16 branch is not affected by CVE-2022-1183 and does
not require early access to a replacement release at this time,
though a normal maintenance release (BIND 9.16.29) containing other
bug fixes will be available on the 18th at the time of public
(for ISC Security Officer)
CVE-2022-1183: Destroying a TLS session early causes assertion failure
Document version: 1.0
Posting date: 18 May 2022
Program impacted: BIND
Versions affected: BIND 9.18.0 -> 9.18.2 and 9.19.0 of the BIND 9.19
An assertion failure can be triggered if a TLS connection to a
configured http TLS listener with a defined endpoint is destroyed too
On vulnerable configurations, the named daemon may, in some
circumstances, terminate with an assertion failure. Vulnerable
configurations are those that include a reference to `http` within
the `listen-on` statements in their `named.conf`. TLS is used by both
DNS over TLS (DoT) and DNS over HTTPS (DoH), but configurations using
DoT alone are unaffected.
CVSS Score: 7.0
CVSS Vector: CVSS v3.1 Vector:
For more information on the Common Vulnerability Scoring System and to
obtain your specific environmental score please visit:
No workarounds known.
We are not aware of any active exploits.
Upgrade to the patched release most closely related to your current
version of BIND:
BIND 9.18.3 (Current Stable)
BIND 9.19.1 (Development)
Acknowledgments: ISC would like to thank Thomas Amgarten from arcade
solutions ag for for discovering and reporting this issue.
Document revision history:
1.0 Early Notification, 11 May 2022
See our BIND 9 Security Vulnerability Matrix for a complete listing of
security vulnerabilities and versions affected.
Do you still have questions? Questions regarding this advisory should
go to email@example.com. To report a new issue, please encrypt
your message using firstname.lastname@example.org's PGP key which can be
found here: https://www.isc.org/pgpkey/. If you are unable to use
encrypted email, you may also report new issues at:
ISC patches only currently supported versions. When possible we
indicate EOL versions affected. (For current information on which
versions are actively supported, please see:
ISC Security Vulnerability Disclosure Policy:
Details of our current security advisory policy and practice can be
found in the ISC Software Defect and Security Vulnerability Disclosure
Policy at https://kb.isc.org/docs/aa-00861.
The Knowledgebase article https://kb.isc.org/docs/cve-2022-1183 is the
complete and official security advisory document.
Internet Systems Consortium (ISC) is providing this notice on an "AS
IS" basis. No warranty or guarantee of any kind is expressed in this
notice and none should be implied. ISC expressly excludes and
disclaims any warranties regarding this notice or materials referred
to in this notice, including, without limitation, any implied warranty
of merchantability, fitness for a particular purpose, absence of
hidden defects, or of non-infringement. Your use or reliance on this
notice or materials referred to in this notice is at your own risk.
ISC may change this notice at any time. A stand-alone copy or
paraphrase of the text of this document that omits the document URL is
an uncontrolled copy. Uncontrolled copies may lack important
information, be out of date, or contain factual errors.
Fixed with https://build.opensuse.org/request/show/978142
This is an autogenerated message for OBS integration:
This bug (1199619) was mentioned in
https://build.opensuse.org/request/show/980817 Factory / bind