Bug 1632528 (CVE-2018-17206)

Summary: CVE-2018-17206 openvswitch: Buffer over-read in lib/ofp-actions.c:decode_bundle()
Product: [Other] Security Response Reporter: Sam Fowler <sfowler>
Component: vulnerabilityAssignee: Alan Pevec <apevec>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: aconole, ahardin, apevec, atragler, bleanhar, bmcclain, ccoleman, chrisw, ctrautma, dbecker, dblechte, dedgar, dfediuck, eedri, eparis, fleitner, jgoulding, jhsiao, jjoyce, jokerman, jschluet, kbasil, kfida, lhh, lpeer, markmc, mburns, mchappel, mgoldboi, michal.skrivanek, ovs-team, ralongi, rbryant, rhos-maint, rkhan, sbonazzo, sclewis, sherold, slinaber, srevivo, tdecacqu, tgraf, tredaelli, yturgema
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
An issue was discovered in Open vSwitch (OvS) 2.5.x through 2.5.5, 2.6.x through 2.6.3, 2.7.x through 2.7.6, 2.8.x through 2.8.4, and 2.9.x through 2.9.2 where the decode_bundle function inside lib/ofp-actions.c is affected by a buffer over-read issue during BUNDLE action decoding. A specially crafted flow update applied using the bundling feature of Open vSwitch could potentially cause a crash leading to a denial of service.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2019-06-10 10:38:38 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1632529, 1633049, 1633050, 1633051, 1633052, 1633053, 1633054, 1633055, 1633056, 1633057, 1650036, 1651419, 1651420, 1683827, 1688003    
Bug Blocks: 1632524    

Description Sam Fowler 2018-09-25 01:55:35 UTC 
An issue was discovered in Open vSwitch (OvS) 2.7.x through 2.7.6. The decode_bundle function inside lib/ofp-actions.c is affected by a buffer over-read issue during BUNDLE action decoding.


Upstream Patch:

https://nvd.nist.gov/vuln/detail/CVE-2018-17206
Comment 1 Sam Fowler 2018-09-25 01:56:16 UTC 
Created openvswitch tracking bugs for this issue:

Affects: openstack-rdo [bug 1632529]
Comment 2 James Hebden 2018-09-26 06:32:41 UTC 
I have downgraded the severity after review. This crash would be possible when bundling changes to the OVS flow table, which requires use of the local ovs-vsctl tool by a logged in administrative user, so network and unprivileged didn't quite seem to fit.

I have updated the flaw RHOSP edition impacts after reviewing both RHOSP and FDP releases, including the FDP openvswitch2.10 release.

RHOSP14 (OVS 2.6.1):
openvswitch:
 - CVE-2018-17206 (vulnerable code present in decode_bundle, lib/ofp-actions.c, offset)

RHOSP13 (OVS 2.6.1)
openvswitch:
 - CVE-2018-17206 (vulnerable code present in decode_bundle, lib/ofp-actions.c, offset)
 - Commonly uses FDP version (2.9.0)

RHOSP12 (OVS 2.7.4)
openvswitch:
 - CVE-2018-17206 (vulnerable code present in decode_bundle, lib/ofp-actions.c, offset)
 - Commonly uses FDP version (2.9.0)

RHOSP10 (OVS 2.6.1)
openvswitch:
 - CVE-2018-17206 (vulnerable code present in decode_bundle, lib/ofp-actions.c, offset)
 - Commonly uses FDP version (2.9.0)

RHOSP9 (OVS not packaged?)
openvswitch:
 - Repo contains 2.5.0 (Installable after running rhos-release 9, seems to inherit from RHOS7 tag)
 - CVE-2018-17206 (vulnerable code present in decode_bundle, in lib/ofp-actions.c)

RHOSP8 (OVS not packaged?)
openvswitch:
 - Repo contains 2.5.0 (Installable after running rhos-release 8, seems to inherit from RHOS7 tag)
 - CVE-2018-17206 (vulnerable code present in decode_bundle, in lib/ofp-actions.c)

RHOSP7 ELS (Important flaws only for ELS releases, 2.5.0)
 - CVE-2018-17206 (vulnerable code present in decode_bundle, in lib/ofp-actions.c, however not high enough severity to meet criteria for ELS)

Fast Data Path RHEL-7 (2.9.0)
openvswitch:
 - CVE-2018-17206 (vulnerable code present in decode_bundle, lib/ofp-actions.c, offset)
openvswitch2.10:
 - CVE-2018-17206 (has been fixed, not vulnerable)
Comment 4 James Hebden 2018-09-26 06:47:33 UTC 
Upstream fix: https://github.com/openvswitch/ovs/commit/9237a63c47bd314b807cda0bd2216264e82edbe8
Comment 6 errata-xmlrpc 2018-11-05 14:55:57 UTC 
This issue has been addressed in the following products:

  Fast Datapath for RHEL 7

Via RHSA-2018:3500 https://access.redhat.com/errata/RHSA-2018:3500
Comment 10 Timothy Walsh 2018-11-22 05:32:46 UTC 
OpenShift 3.1 to 3.4 included an openvswitch rpm.

The node container image (https://access.redhat.com/containers/#/registry.access.redhat.com/openshift3/node) includes the patch for this flaw and as per OpenShift Container Platform Tested Integrations (https://access.redhat.com/articles/2176281) customers are advised to use the updated node container.
Comment 12 errata-xmlrpc 2019-01-16 17:11:25 UTC 
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 10.0 (Newton)

Via RHSA-2019:0053 https://access.redhat.com/errata/RHSA-2019:0053
Comment 13 errata-xmlrpc 2019-01-16 17:52:40 UTC 
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 13.0 (Queens)

Via RHSA-2019:0081 https://access.redhat.com/errata/RHSA-2019:0081