Bug 1497966 (CVE-2017-14970)
Summary: | CVE-2017-14970 openvswitch: Multiple memory leaks in lib/ofp-util.c while parsing malformed OpenFlow group mod messages | | |
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Andrej Nemec <anemec> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED NOTABUG | QA Contact: | |
Severity: | low | Docs Contact: | |
Priority: | low | | |
Version: | unspecified | CC: | aconole, anemec, apevec, atragler, bleanhar, bmcclain, ccoleman, chrisw, dblechte, dedgar, dmcphers, eedri, fleitner, gmollett, jgoulding, jjoyce, jkeck, jpadman, jschluet, juyan, kbasil, kseifried, lhh, lpeer, markmc, mburns, mgoldboi, michal.skrivanek, mmirecki, ovs-team, rbryant, rhos-maint, sclewis, sherold, slinaber, srevivo, tdecacqu, tgraf, tredaelli, ykaul, ylavi |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | | |
Hardware: | All | | |
OS: | Linux | | |
Whiteboard: | | | |
Fixed In Version: | openvswitch 2.8.1 | Doc Type: | If docs needed, set a value |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2017-10-05 22:04:51 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Bug Depends On: | 1497967, 1499033, 1499034 | | |
Bug Blocks: | 1497969 | | |

Description
Andrej Nemec
2017-10-03 09:06:13 UTC
Created openvswitch tracking bugs for this issue:

Affects: fedora-all [bug 1497967]

Analysis:

Currently when parsing group mod messages, particularly group descriptor messages and those that contain buckets, the buckets will be loaded into memory. If for some reason the parsing fails and the function returns an error, the references to the buckets already allocated are lost (memory leak).

OpenFlow being what it is, a standard for managing switches from a centralised control plane, it is unlikely that those not already in a significant position to abuse / DoS the service would be able to use these vulnerabilities.

As it stands the two memory leaks require failures in the parsing of the group descriptor; to systematically cause this failure and create a denial of service (memory exhaustion etc.) would be difficult.

Relevant information for others:

Ben Pfaff downgraded the severity of this bug:

https://mail.openvswitch.org/pipermail/ovs-dev/2017-October/339432.html

Upstream is applying to have the CVE rejected, which we agree with. After some consideration we are closing it as notabug.

https://mail.openvswitch.org/pipermail/ovs-dev/2017-October/339435.html

Hi Andrej,
Do you have the reproducer of this bug?
Thanks,
Junhan

(In reply to Junhan from comment #7)
> Hi Andrej,
> Do you have the reproducer of this bug?
> Thanks,
> Junhan

Hello Junhan,

there is no reproducer as far as I'm aware of. This issue has also been rejected as a security issue.

Statement:

Red Hat Product Security determined that this flaw was not a security vulnerability. See the Bugzilla link for more details.
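
The leak pattern described in the analysis, as an added C sketch that is not Open vSwitch code: a parser builds a bucket list and returns early on a malformed entry, once without and once with cleanup of the partial list. The types, the one-byte wire format, the fixed pool standing in for the heap, and every function name are hypothetical.

```c
#include <stddef.h>

/* Hypothetical, simplified model: not Open vSwitch code or its structures.
 * A fixed pool stands in for the heap so leaked buckets can be counted. */
#define POOL_SIZE 8
struct bucket { struct bucket *next; unsigned char weight; int in_use; };
static struct bucket pool[POOL_SIZE];

static struct bucket *bucket_alloc(void) {
    for (int i = 0; i < POOL_SIZE; i++)
        if (!pool[i].in_use) { pool[i].in_use = 1; return &pool[i]; }
    return NULL;                              /* pool exhausted */
}

static void bucket_list_free(struct bucket *head) {
    for (; head; head = head->next) head->in_use = 0;
}

/* Constructed format: one weight byte per bucket; 0xff is malformed (-1).
 * cleanup == 0 keeps the leak pattern; nonzero frees the partial list. */
int parse_buckets(const unsigned char *msg, size_t len,
                  struct bucket **out, int cleanup) {
    struct bucket *head = NULL;
    for (size_t i = 0; i < len; i++) {
        struct bucket *b = msg[i] == 0xff ? NULL : bucket_alloc();
        if (!b) {                             /* malformed entry or no memory */
            if (cleanup) bucket_list_free(head);
            return -1;                        /* without cleanup, head is lost */
        }
        b->weight = msg[i];
        b->next = head;
        head = b;
    }
    *out = head;                              /* success: caller owns the list */
    return 0;
}

/* Buckets left allocated after n parses of a constructed malformed message. */
int leaked_after(int n, int cleanup) {
    static const unsigned char malformed[] = { 1, 2, 3, 0xff };
    struct bucket *list = NULL;
    int in_use = 0;
    for (int i = 0; i < POOL_SIZE; i++) pool[i].in_use = 0;
    for (int i = 0; i < n; i++)
        if (parse_buckets(malformed, sizeof malformed, &list, cleanup) == 0)
            bucket_list_free(list);
    for (int i = 0; i < POOL_SIZE; i++) in_use += pool[i].in_use;
    return in_use;
}
```

Without cleanup, each rejected message strands the buckets parsed before the error until the pool is full; with cleanup, the count returns to zero after every failure.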