CVE-2022-3080: 
NixOS vulnerability analysis and mitigation

CVE-2022-3080 is a vulnerability in ISC BIND (Berkeley Internet Name Domain) DNS server implementation that was discovered in September 2022. The vulnerability affects BIND versions 9.16.14 through 9.16.32, 9.18.0 through 9.18.6, 9.19.0 through 9.19.4, and 9.16.14-S1 through 9.16.32-S1. When specific queries are sent to the resolver with stale cache and stale answers enabled with a zero stale-answer-timeout, an attacker can cause the named service to crash (ISC KB, NVD).

The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. This indicates that the vulnerability can be exploited remotely without requiring privileges or user interaction, and primarily impacts system availability (NetApp Advisory).

Successful exploitation of this vulnerability leads to a denial of service condition through the crash of the named daemon. The vulnerability specifically affects BIND resolvers configured to answer from stale cache with zero stale-answer-timeout, which can result in unexpected termination of the service (Debian Advisory).

The vulnerability has been fixed in BIND version 9.16.33 and later releases. Organizations are advised to upgrade to the patched versions. Multiple vendors have released security updates to address this vulnerability, including Debian (version 1:9.16.33-1~deb11u1), Fedora, and others (Debian Advisory, Gentoo Advisory).