Bug 2213279 (CVE-2023-3153)
| Summary: | CVE-2023-3153 ovn: service monitor MAC flow is not rate limited | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Anten Skrabec <askrabec> |
| Component: | vulnerability | Assignee: | Nobody <nobody> |
| Status: | NEW --- | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | amusil, carnil, ctrautma, dfreiber, dsankartce, echaudro, eglynn, fleitner, jburrell, jiji, jjoyce, lhh, mburns, mgarciac, ovnteam, ralongi, rkhan, rogbas, spower, vkumar |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | ovn 22.03.3, ovn 22.09.2, ovn 22.12.1, ovn 23.03.1, ovn 23.06.1 | Doc Type: | If docs needed, set a value |
| Doc Text: |
A flaw was found in Open Virtual Network where the service monitor MAC does not properly rate limit. This issue could allow an attacker to cause a denial of service, including on deployments with CoPP enabled and properly configured.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | Type: | --- | |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 2211021, 2213285, 2213286, 2213287, 2213288, 2213289, 2213290, 2213291, 2213292, 2213293, 2213294, 2213295, 2213296, 2213297, 2213298, 2213299, 2213300 | ||
| Bug Blocks: | 2211082 | ||
Created ovn tracking bugs for this issue: Affects: fedora-all [bug 2213285] Is there any further public information on this issue? Is it reported upstream at https://github.com/ovn-org/ovn and/or does a upstream fix exists? I'm trying to get more information on CVE-2023-3153 for our tracking downstream in Debian about it. In reply to comment #5: > Is there any further public information on this issue? Is it reported > upstream at https://github.com/ovn-org/ovn and/or does a upstream fix > exists? > > I'm trying to get more information on CVE-2023-3153 for our tracking > downstream in Debian about it. Hey there, there isn't much more information at this time. I'll update this bug with more information as it becomes available. Hello team, Is this issue a valid one ? we could not see any bugs filed on https://github.com/ovn-org/ovn. Can you update more information on this issue ? IMO, if there isn't much information at this time, we can proceed to report it to OVN community and check whether it could be possible threat. Thanks Duraisankar In reply to comment #7: > Hello team, > > Is this issue a valid one ? we could not see any bugs filed on > https://github.com/ovn-org/ovn. > > Can you update more information on this issue ? > > IMO, if there isn't much information at this time, we can proceed to report > it to OVN community and check whether it could be possible threat. > > Thanks > Duraisankar If they aren't already aware feel free to notify them. This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.14 Via RHSA-2023:5009 https://access.redhat.com/errata/RHSA-2023:5009 This issue has been addressed in the following products: Ironic content for Red Hat OpenShift Container Platform 4.11 Red Hat OpenShift Container Platform 4.11 Via RHSA-2023:6274 https://access.redhat.com/errata/RHSA-2023:6274 |
The service monitor MAC is exposed through the following flow: ovn_lflow_add(lflows, od, S_SWITCH_IN_L2_LKUP, 110, "eth.dst == $svc_monitor_mac", "handle_svc_check(inport);"); This doesn't handle rate limit via CoPP. There is potential to DoS ovn-controller even on deployments with CoPP enabled and configured as all packets with this destination mac within the switch are sent directly to pinctrl thread in ovn-controller.