May 18, 2022•Knowledge

Are BLOXONE, NIOS and NETMRI products vulnerable to CVE-2022-1183?

Summary
Infoblox products BLOXONE, NIOS and NETMRI are not vulnerable to CVE-2022-1183 .

An assertion failure can be triggered if a TLS connection to a configured http TLS listener with a defined endpoint is destroyed too early.

Overview
On May 18th, 2022 ISC announced a new vulnerability, CVE-2022-1183.

On BIND servers using DNS over HTTPs (DoH), an assertion failure can be triggered if a TLS connection to a configured http TLS listener with a defined endpoint is destroyed too early.

Program impacted: BIND

Severity: High

Exploitable: Remotely

CVSS Score: 7.0

CVSS Vector: CVSS v3.1 Vector:AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:F/RL/RC:C

Affected Versions
Infoblox BLOXONE, NIOS and NETMRI products are not impacted by this CVE. Infoblox products do not use the BIND implementation for DoT/DoH.

Impact
This CVE only affects BIND servers that are using DNS over HTTPS. On vulnerable configurations, the named daemon may, in some circumstances, terminate with an assertion failure. Vulnerable configurations are those that include a reference to `http` within the `listen-on` statements in their `named.conf`. TLS is used by both DNS over TLS (DoT) and DNS over HTTPS (DoH), but configurations using DoT alone are unaffected.

Workaround
No workaround is needed for Infoblox BLOXONE, NIOS and NETMRI products.

Resolution
No action is required for BLOXONE, NIOS or NETMRI products.