Bug 1632522 (CVE-2018-17204)

Summary: CVE-2018-17204 openvswitch: Mishandle of group mods in lib/ofp-util.c:parse_group_prop_ntr_selection_method() allows for assertion failure
Product: [Other] Security Response
Reporter: Sam Fowler <sfowler>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: aconole, ahardin, apevec, atragler, bleanhar, bmcclain, ccoleman, chrisw, ctrautma, dbecker, dblechte, dedgar, dfediuck, eedri, eparis, fleitner, jgoulding, jhsiao, jjoyce, jokerman, jschluet, kbasil, kfida, lhh, lpeer, markmc, mburns, mchappel, mgoldboi, michal.skrivanek, ovs-team, ralongi, rbryant, rhos-maint, rkhan, sbonazzo, sclewis, sherold, slinaber, srevivo, tdecacqu, tgraf, tredaelli, yturgema
Keywords: Security
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
Doc Type: If docs needed, set a value
Doc Text:
An issue was discovered in Open vSwitch (OvS), 2.4.x through 2.4.1, 2.5.x through 2.5.5, 2.6.x through 2.6.3, 2.7.x through 2.7.6, 2.8.x through 2.8.4, and 2.9.x through 2.9.2, affecting the parse_group_prop_ntr_selection_method in lib/ofp-util.c. On controllers with the OpenFlow 1.5 decoder enabled, a specially crafted group update can cause an assertion failure, potentially leading to a Denial of Service condition.
Last Closed: 2019-06-10 10:38:34 UTC
Bug Depends On: 1632523, 1633063, 1633064, 1633065, 1633066, 1633067, 1633068, 1633070, 1633072, 1633147, 1650038, 1651419, 1651420, 1683550    
Bug Blocks: 1632524    

Description Sam Fowler 2018-09-25 01:40:57 UTC
An issue was discovered in Open vSwitch (OvS) 2.7.x through 2.7.6, affecting parse_group_prop_ntr_selection_method in lib/ofp-util.c. When decoding a group mod, it validates the group type and command after the whole group mod has been decoded. The OF1.5 decoder, however, tries to use the type and command earlier, when it might still be invalid. This causes an assertion failure (via OVS_NOT_REACHED). ovs-vswitchd does not enable support for OpenFlow 1.5 by default.


Upstream Patch:

https://github.com/openvswitch/ovs/commit/4af6da3b275b764b1afe194df6499b33d2bf4cde
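
A simplified model of the ordering problem described above, as an added example that is not Open vSwitch code and not part of the original report: the header's type and command are range-checked before the property parser that branches on them runs, so its "cannot happen" branches stay unreachable. All enum names, values and struct fields here are hypothetical.

```c
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical wire values for this model; not the OpenFlow constants. */
enum group_type { GT_ALL, GT_SELECT, GT_INDIRECT, GT_FF, GT_COUNT };
enum group_cmd  { GC_ADD, GC_MODIFY, GC_DELETE, GC_COUNT };
enum result { DEC_OK = 0, ERR_BAD_TYPE, ERR_BAD_COMMAND, ERR_BAD_PROP };

/* Decoded header fields plus a flag for "a selection-method property follows". */
struct group_mod { uint8_t type; uint16_t command; int has_selection_method; };

/* Property parser: assumes type and command were already checked, so its
 * default branches abort (the role OVS_NOT_REACHED plays in the report). */
static enum result parse_selection_method(uint8_t type, uint16_t command)
{
    switch (type) {
    case GT_SELECT: break;                       /* property allowed */
    case GT_ALL: case GT_INDIRECT: case GT_FF: return ERR_BAD_PROP;
    default: abort();                            /* undefined type */
    }
    switch (command) {
    case GC_ADD: case GC_MODIFY: return DEC_OK;
    case GC_DELETE: return ERR_BAD_PROP;         /* property not allowed */
    default: abort();                            /* undefined command */
    }
}

/* Hardened ordering: reject out-of-range header fields before any helper
 * that branches on them is called. */
enum result decode_group_mod(const struct group_mod *gm)
{
    if (gm->type >= GT_COUNT) return ERR_BAD_TYPE;
    if (gm->command >= GC_COUNT) return ERR_BAD_COMMAND;
    if (gm->has_selection_method)
        return parse_selection_method(gm->type, gm->command);
    return DEC_OK;
}

int main(void)
{
    /* Constructed inputs: one valid message, one with an undefined command. */
    struct group_mod good = { GT_SELECT, GC_ADD, 1 };
    struct group_mod bad  = { GT_SELECT, 0x7fff, 1 };
    return !(decode_group_mod(&good) == DEC_OK
             && decode_group_mod(&bad) == ERR_BAD_COMMAND);
}
```

If the two range checks in `decode_group_mod` ran after the property parser instead, the constructed `bad` message would reach `abort()` and terminate the process, which is the failure mode the report describes.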

Comment 1 Sam Fowler 2018-09-25 01:42:54 UTC
Created openvswitch tracking bugs for this issue:

Affects: openstack-rdo [bug 1632523]

Comment 2 James Hebden 2018-09-26 06:52:51 UTC
Slightly adjusted scoring given the need for privileged access to OVS in order to access the interfaces required.

RHOSP14 (OVS 2.6.1):
openvswitch:
 - CVE-2018-17204 (vulnerable code present in parse_group_prop_ntr_selection_method, lib/ofp-util.c, offset)

RHOSP13 (OVS 2.6.1)
openvswitch:
 - CVE-2018-17204 (vulnerable code present in parse_group_prop_ntr_selection_method, lib/ofp-util.c, offset)
 - Commonly uses FDP version (2.9.0)

RHOSP12 (OVS 2.7.4)
openvswitch:
 - CVE-2018-17204 (vulnerable code present in parse_group_prop_ntr_selection_method, lib/ofp-util.c, offset)
 - Commonly uses FDP version (2.9.0)

RHOSP10 (OVS 2.6.1)
openvswitch:
 - CVE-2018-17204 (vulnerable code present in parse_group_prop_ntr_selection_method, lib/ofp-util.c, offset)
 - Commonly uses FDP version (2.9.0)

RHOSP9 (OVS not packaged?)
openvswitch:
 - Repo contains 2.5.0 (Installable after running rhos-release 9, seems to inherit from RHOS7 tag)
 - CVE-2018-17204 (vulnerable code present in parse_group_prop_ntr_selection_method, lib/ofp-util.c, offset)

RHOSP8 (OVS not packaged?)
openvswitch:
 - Repo contains 2.5.0 (Installable after running rhos-release 8, seems to inherit from RHOS7 tag)
 - CVE-2018-17204 (vulnerable code present in parse_group_prop_ntr_selection_method, lib/ofp-util.c, offset)

RHOSP7 ELS (Important fixes only, 2.5.0)
 - CVE-2018-17204 (vulnerable code present in parse_group_prop_ntr_selection_method, lib/ofp-util.c, offset)

Fast Data Path RHEL-7 (2.9.0)
openvswitch:
 - CVE-2018-17204 (vulnerable code present in parse_group_prop_ntr_selection_method, lib/ofp-util.c, offset)
openvswitch2.10:
 - CVE-2018-17204 (has been fixed, not vulnerable, code moved to lib/ofp-group.c)

Comment 8 errata-xmlrpc 2018-11-05 14:55:56 UTC
This issue has been addressed in the following products:

  Fast Datapath for RHEL 7

Via RHSA-2018:3500 https://access.redhat.com/errata/RHSA-2018:3500

Comment 12 Timothy Walsh 2018-11-22 05:32:54 UTC
OpenShift 3.1 to 3.4 included an openvswitch rpm.

The node container image (https://access.redhat.com/containers/#/registry.access.redhat.com/openshift3/node) includes the patch for this flaw and as per OpenShift Container Platform Tested Integrations (https://access.redhat.com/articles/2176281) customers are advised to use the updated node container.

Comment 15 errata-xmlrpc 2019-01-16 17:11:18 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 10.0 (Newton)

Via RHSA-2019:0053 https://access.redhat.com/errata/RHSA-2019:0053

Comment 16 errata-xmlrpc 2019-01-16 17:52:38 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 13.0 (Queens)

Via RHSA-2019:0081 https://access.redhat.com/errata/RHSA-2019:0081