Bug 1800704

Summary: Open vulnerability found CVE-2019-14818 for package openvswitch2.11-2.11.0-9.el7fdp
Product: Red Hat Enterprise Virtualization Manager
Reporter: hhaberma
Component: openvswitch
Assignee: Dominik Holler <dholler>
Status: CLOSED ERRATA
QA Contact: Michael Burman <mburman>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 4.3.7
CC: amarchuk, aoconnor, asrodrig, dfodor, dholler, dmoppert, lsvaty, michal.skrivanek, mkalinin, nlevy, pbrilla, pelauter
Target Milestone: ovirt-4.3.9
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2020-05-14 16:02:09 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: Network
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description hhaberma 2020-02-07 18:21:33 UTC
Description of problem:

Customer had a recent security scan that reported openvswitch2.11 as having an open vulnerability because the installed package is openvswitch2.11-2.11.0-9.el7fdp and it should be openvswitch2.11-2.11.0-35.el7fdp.

ACAS report.

Plugin: 133127
Plugin Name: RHEL 7 : openvswitch2.11 (RHSA-2020:0166)

Plugin Output: 
Remote package installed : openvswitch2.11-2.11.0-9.el7fdp
Should be                : openvswitch2.11-2.11.0-35.el7fdp
Remote package installed : python-openvswitch2.11-2.11.0-9.el7fdp
Should be                : python-openvswitch2.11-2.11.0-35.el7fdp

NOTE: The vulnerability information above was derived by checking the
package versions of the affected packages from this advisory. This
scan is unable to rely on Red Hat's own security checks, which
consider channels and products in their vulnerability determinations.

Description:

An update for openvswitch2.11 is now available for Fast Datapath for RHEL 7.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Open vSwitch provides standard network bridging functions and support for the OpenFlow protocol for remote per-flow control of traffic.
Security Fix(es) :
* dpdk: possible memory leak leads to denial of service (CVE-2019-14818)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Bug Fix(es) :
* [openvswitch] No traffic over GRE IPv6 tunnel - OVS issue (userspace) (BZ# 1725623)
* [RHEL 7] [ovsdb-server] Allow replicating from older schema servers (BZ# 1766586)
* measure the time needed by ovn-controller to resync to a new SB db (BZ# 1776883)
* [ovs2.11] SSL connections drops are constantly logged in ovsdb-server-nb.log (BZ#1780745)


Will this package openvswitch2.11-2.11.0-35.el7fdp be available in 4.3.8? And is there a method to work around the issue at the current 4.3.7, or do they have to wait for the upgrade?
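
Added example, not part of this bug report or of the scanner: a small Python port of rpm's version ordering, used to reproduce the scanner's "installed vs. should be" comparison on the package strings quoted above. The NVR parsing, the function names and the omission of the '^' marker are my own assumptions.

```python
import re

# Separator run, digit run, letter run (simplified port of librpm's rpmvercmp)
_SEP, _DIGITS, _ALPHA = (re.compile(p) for p in (r"[^A-Za-z0-9~]*", r"[0-9]*", r"[A-Za-z]*"))

def rpmvercmp(a: str, b: str) -> int:
    """librpm rpmvercmp() rules, returning -1/0/1. '~' (pre-release) is handled;
    the newer '^' post-release marker is deliberately not ported here."""
    while True:
        a, b = a[_SEP.match(a).end():], b[_SEP.match(b).end():]
        if a.startswith("~") or b.startswith("~"):       # 1.0~rc1 < 1.0
            if not a.startswith("~"): return 1
            if not b.startswith("~"): return -1
            a, b = a[1:], b[1:]
            continue
        if not a or not b: break
        pat = _DIGITS if a[0] in "0123456789" else _ALPHA   # next segment type
        sa, sb = pat.match(a).group(0), pat.match(b).group(0)
        if not sb:                            # mixed types: numeric beats alpha
            return 1 if pat is _DIGITS else -1
        a, b = a[len(sa):], b[len(sb):]
        if pat is _DIGITS:
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):            # more digits (no leading zeros) wins
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
    return (a != "") - (b != "")              # leftover segments mean newer

def parse_nvr(nvr: str):
    """'name-[epoch:]version-release' -> (name, epoch, version, release)."""
    name, version, release = nvr.rsplit("-", 2)
    epoch, version = version.split(":", 1) if ":" in version else ("0", version)
    return name, int(epoch), version, release

def evr_cmp(installed: str, fixed: str) -> int:
    """Compare epoch, then version, then release of two NVRs of one package."""
    _, e1, v1, r1 = parse_nvr(installed)
    _, e2, v2, r2 = parse_nvr(fixed)
    return (e1 > e2) - (e1 < e2) or rpmvercmp(v1, v2) or rpmvercmp(r1, r2)

SCAN_FINDINGS = [  # installed/fixed pairs exactly as the scanner printed them above
    ("openvswitch2.11-2.11.0-9.el7fdp", "openvswitch2.11-2.11.0-35.el7fdp"),
    ("python-openvswitch2.11-2.11.0-9.el7fdp", "python-openvswitch2.11-2.11.0-35.el7fdp"),
]

def outdated(findings):
    """Installed NVRs that sort below the advisory's fixed NVR."""
    return [inst for inst, fixed in findings if evr_cmp(inst, fixed) < 0]
```

As the scanner's own note says, a version-only comparison shows that the installed build is older than the fixed one but cannot tell whether that advisory's channel applies to the host; that is what Red Hat's channel-aware checks add.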

Comment 2 Dominik Holler 2020-02-25 08:56:45 UTC
rhv-4.3.8 should contain ovn2.11-2.11.1-24.el7fdp.x86_64

Comment 4 Lukas Svaty 2020-02-26 08:43:12 UTC
Hi Dominik,

1. QE does not touch production channels, we measure quality on candidate releases, thus only RCM can get you this info.
2. A long time ago we found out this is not sufficient as we need to check RCM, thus Pavol Brilla, you're looking for Pavol.

Comment 15 Dominik Holler 2020-03-04 20:16:05 UTC
For verification we should ensure that FDP 20.B is included in RHVH, hosted engine appliance, bare metal engine and RHEL host.

Comment 17 Michael Burman 2020-03-18 16:08:03 UTC
Finally, the correct versions have been shipped with the 4.3.7-9 tag build; RHEL engine and bare-metal hosts are shipped correctly now.

Verified on and with:
rhvm-4.3.9.3-0.1.el7.noarch
ovn2.11-2.11.1-33.el7fdp.x86_64
ovn2.11-central-2.11.1-33.el7fdp.x86_64
python-openvswitch2.11-2.11.0-48.el7fdp.x86_64
openvswitch2.11-2.11.0-48.el7fdp.x86_64
ovirt-provider-ovn-driver-1.2.29-1.el7ev.noarch

ovn2.11-host-2.11.1-33.el7fdp.x86_64
ovn2.11-2.11.1-33.el7fdp.x86_64
openvswitch2.11-2.11.0-48.el7fdp.x86_64
vdsm-4.30.43-1.el7ev.x86_64

Comment 18 Michael Burman 2020-03-18 16:17:08 UTC
Correction to the RHV engine version build, verified with rhvm-4.3.9.4-11.el7.noarch

Comment 20 Marina Kalinin 2020-05-01 20:46:51 UTC
Anton - has this been shipped or not? Can this bug be closed errata?

Comment 21 Red Hat Bugzilla 2023-09-14 05:52:07 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 1000 days