Description:

ISC has released a security update to fix the vulnerabilities in BIND.  The details of the security update can be found at:

• https://kb.isc.org/v1/docs/cve-2021-25220
• https://kb.isc.org/v1/docs/cve-2022-0396
• https://kb.isc.org/v1/docs/cve-2022-0635
• https://kb.isc.org/v1/docs/cve-2022-0667

Please note that some versions including BIND 9.13 and BIND 9.15 have reached End-Of-Life (EOL).  No security updates will be provided.  Users should arrange upgrading the BIND to the latest supported versions or migrating to other supported technology.

Affected Systems:

• BIND 9.11.0 to 9.11.36
• BIND 9.12.0 to 9.16.26
• BIND 9.17.0 to 9.18.0
• BIND 9.11.4-S1 to 9.11.36-S1
• BIND 9.16.8-S1 to 9.16.26-S1

Impact:

Successful exploitation of the vulnerabilities could lead to denial of service or spoofing on an affected system.

Recommendation:

Internet Systems Consortium (ISC) has released the following patches to solve the problems:

• BIND 9.11.37
• BIND 9.16.27
• BIND 9.18.1
• BIND 9.11.37-S1
• BIND 9.16.27-S1

The patches can be downloaded at the following URLs:

https://www.isc.org/download/

Administrators of affected systems should follow the recommendations provided by the product vendor and take immediate actions to mitigate the risk.

More Information:

• https://kb.isc.org/v1/docs/cve-2021-25220
• https://kb.isc.org/v1/docs/cve-2022-0396
• https://kb.isc.org/v1/docs/cve-2022-0635
• https://kb.isc.org/v1/docs/cve-2022-0667
• https://downloads.isc.org/isc/bind9/9.11.37/RELEASE-NOTES-bind-9.11.37.html
• https://downloads.isc.org/isc/bind9/9.16.27/doc/arm/html/notes.html
• https://downloads.isc.org/isc/bind9/9.18.1/doc/arm/html/notes.html
• https://www.hkcert.org/security-bulletin/isc-bind-multiple-vulnerabilities_20220317
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-25220
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0396
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0635
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0667