Bug 1497966 (CVE-2017-14970)

Summary: CVE-2017-14970 openvswitch: Multiple memory leaks in lib/ofp-util.c while parsing malformed OpenFlow group mod messages
Product: [Other] Security Response Reporter: Andrej Nemec <anemec>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: aconole, anemec, apevec, atragler, bleanhar, bmcclain, ccoleman, chrisw, dblechte, dedgar, dmcphers, eedri, fleitner, gmollett, jgoulding, jjoyce, jkeck, jpadman, jschluet, juyan, kbasil, kseifried, lhh, lpeer, markmc, mburns, mgoldboi, michal.skrivanek, mmirecki, ovs-team, rbryant, rhos-maint, sclewis, sherold, slinaber, srevivo, tdecacqu, tgraf, tredaelli, ykaul, ylavi
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: openvswitch 2.8.1 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-10-05 22:04:51 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1497967, 1499033, 1499034    
Bug Blocks: 1497969    

Description Andrej Nemec 2017-10-03 09:06:13 UTC 
In lib/ofp-util.c in Open vSwitch (OvS) before 2.8.1, there are multiple memory leaks while parsing malformed OpenFlow group mod messages. An attacker can use this for a Denial of Service.

Upstream fixes:

https://github.com/openvswitch/ovs/commit/77ad4225d125030420d897c873e4734ac708c66b
https://github.com/openvswitch/ovs/commit/f673f4059717dc9d2d6dd2d4db52be1149a996dd
Comment 1 Andrej Nemec 2017-10-03 09:07:02 UTC 
Created openvswitch tracking bugs for this issue:

Affects: fedora-all [bug 1497967]
Comment 2 Joshua Padman 2017-10-05 04:28:55 UTC 
Analysis: Currently when parsing group mod messages, particularly group descriptor messages and those that contain buckets, the buckets will be loaded into memory. If for some reason the parsing fails and the function returns an error the references to the buckets already allocated is lost (memory leak).
Openflow being what it is, a standard for managing switches from a centralised control plane it is unlikely that those not already in a significant position to abuse / DoS the service would be able to use these vulnerabilities. As it stands the two memory leaks require failures in the parsing of the group descriptor, to systematically cause this failure and create a denial of service (memory exhaustion etc) would be difficult.
Comment 5 Joshua Padman 2017-10-05 21:33:26 UTC 
Relevant information for others:

Ben Pfaff downgraded the severity of this bug: https://mail.openvswitch.org/pipermail/ovs-dev/2017-October/339432.html
Comment 6 Joshua Padman 2017-10-05 22:04:51 UTC 
Upstream is applying to have the CVE rejected, which we agree with. After some consideration we are closing it as notabug.
https://mail.openvswitch.org/pipermail/ovs-dev/2017-October/339435.html
Comment 7 Junhan 2017-10-25 09:26:38 UTC 
Hi Andrej,
Do you have the reproducer of this bug?
Thanks,
Junhan
Comment 8 Andrej Nemec 2017-10-25 15:22:38 UTC 
(In reply to Junhan from comment #7)
> Hi Andrej,
> Do you have the reproducer of this bug?
> Thanks,
> Junhan

Hello Junhan, there is no reproducer as far as I'm aware of. This issue has also been rejected as a security issue.
Comment 9 Doran Moppert 2020-02-11 00:30:11 UTC 
Statement:

Red Hat Product Security determined that this flaw was not a security vulnerability. See the Bugzilla link for more details.