CVE-2022-2795: 
NixOS vulnerability analysis and mitigation

CVE-2022-2795 is a vulnerability discovered in BIND (Berkeley Internet Name Domain), a DNS server implementation. The vulnerability was disclosed on September 21, 2022, affecting BIND versions 9.0.0 through 9.16.32, 9.18.0 through 9.18.6, and 9.19.0 through 9.19.4. The flaw was discovered by researchers Yehuda Afek, Anat Bremler-Barr, and Shani Stajnrod (Debian Security).

The vulnerability exists in the resolver code where processing large delegations can cause the named service to spend excessive amounts of time, significantly degrading resolver performance. The vulnerability has been assigned a CVSS v3.1 base score of 5.3 (Medium) with the vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L (Ubuntu Security).

When successfully exploited, this vulnerability can significantly impair the resolver's performance, effectively denying legitimate clients access to the DNS resolution service. The impact primarily affects the availability of the DNS resolution service, with no direct impact on confidentiality or integrity (NVD).

Multiple vendors have released patches to address this vulnerability. BIND versions have been updated to 9.16.33 and 9.18.7 to fix the issue. Various Linux distributions have also released security updates, including Debian (1:9.16.33-1~deb11u1), Ubuntu, and Fedora (Debian Security, Fedora Update).

The vulnerability was publicly disclosed along with five other BIND vulnerabilities on September 21, 2022, leading to coordinated responses from multiple vendors and Linux distributions. The security community responded promptly with patches and updates being made available across various platforms (OSS Security).