Bug 1921438 (CVE-2020-27827)

Summary: CVE-2020-27827 lldp/openvswitch: denial of service via externally triggered memory leak
Product: [Other] Security Response
Reporter: Pedro Sampaio <psampaio>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: aconole, apevec, bmontgom, chrisw, ctrautma, dbecker, dblechte, dfediuck, dramseur, eedri, eparis, fleitner, james.hogarth, jburrell, jhsiao, jhunter, jjoyce, jminter, jokerman, jschluet, kmitts, lhh, lpeer, mburns, mgala, mgoldboi, michal.skrivanek, mjudeiki, nlevy, nstielau, ovs-team, ralongi, rhos-maint, rkhan, sbonazzo, sclewis, sherold, slinaber, sponnaga, srevivo, tgraf, tredaelli, yturgema
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: lldpd 1.0.8, openvswitch 2.14.1, openvswitch 2.13.2, openvswitch 2.12.2, openvswitch 2.11.5, openvswitch 2.10.6, openvswitch 2.9.8, openvswitch 2.8.10, openvswitch 2.7.12, openvswitch 2.6.9
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in multiple versions of Open vSwitch. Specially crafted LLDP packets can cause memory to be lost when allocating data to handle specific optional TLVs, potentially causing a denial of service. The highest threat from this vulnerability is to system availability.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2021-02-11 16:10:19 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1921442, 1921439, 1921440, 1921441, 1922068, 1922069, 1922070, 1922439, 1922440, 1923221, 1923222, 1923223, 1923224, 1923225, 1923226, 1923227, 1923228, 1923229, 1924956
Bug Blocks: 1921443, 1939725

Description Pedro Sampaio 2021-01-28 02:00:58 UTC
Multiple versions of Open vSwitch are vulnerable to denial of service
attacks in which crafted LLDP packets could cause memory to be lost
when allocating data to handle specific optional TLVs.  Triggering the
vulnerability requires LLDP processing to be enabled for a specific
port.  Open vSwitch versions before 2.5.x are not vulnerable.

References:

https://mail.openvswitch.org/pipermail/ovs-dev/2021-January/379471.html
https://github.com/lldpd/lldpd/commit/a8d3c90feca548fc0656d95b5d278713db86ff61
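The bug class the description refers to, shown as an added example that is not code from lldpd or Open vSwitch: a hypothetical, simplified LLDP-style TLV decoder in the leaky form (bare `return -1` on every error path, so memory already allocated for an earlier optional TLV in the same PDU is never released) beside a hardened form with a single error exit that frees partial state. The `struct neighbor`, the TLV types handled, the two constructed PDUs and the allocation counters are assumptions for illustration; which TLV handling was actually affected is in the referenced upstream commit, not reproduced here.

```c
/* Toy LLDP-style TLV decoder showing the bug class behind CVE-2020-27827.
 * Hypothetical simplified code, not the lldpd or Open vSwitch source. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Allocation counters so a leak is visible without an external tool. */
static long g_allocs, g_frees;
static void *tracked_malloc(size_t n) { void *p = malloc(n); if (p) g_allocs++; return p; }
static void tracked_free(void *p) { if (p) { g_frees++; free(p); } }

/* Decoded neighbor (assumed layout): a mandatory string plus one optional blob. */
struct neighbor { char *sysname; uint8_t *org_specific; size_t org_len; };

static void neighbor_free(struct neighbor *n) {
    if (!n) return;
    tracked_free(n->sysname);
    tracked_free(n->org_specific);
    tracked_free(n);
}

enum { TLV_END = 0, TLV_SYSNAME = 5, TLV_ORG = 127 };

/* TLV header as in IEEE 802.1AB: 7-bit type, 9-bit length. Fails if the
 * declared length runs past the end of the PDU. */
static int read_hdr(const uint8_t *p, size_t rem, unsigned *type, size_t *len) {
    if (rem < 2) return -1;
    *type = p[0] >> 1;
    *len = (size_t)(((p[0] & 1) << 8) | p[1]);
    return (*len > rem - 2) ? -1 : 0;
}

/* Vulnerable pattern: every error path is a bare "return -1", so the neighbor
 * and anything allocated for earlier TLVs in this PDU are never released. */
static int decode_leaky(const uint8_t *buf, size_t len, struct neighbor **out) {
    struct neighbor *n = tracked_malloc(sizeof *n);
    if (!n) return -1;
    memset(n, 0, sizeof *n);
    for (size_t off = 0; off < len; ) {
        unsigned type; size_t tlen;
        if (read_hdr(buf + off, len - off, &type, &tlen) < 0) return -1;  /* leaks n */
        const uint8_t *val = buf + off + 2;
        if (type == TLV_END) break;
        if (type == TLV_ORG) {
            if (tlen < 4) return -1;                                      /* leaks n */
            if (!(n->org_specific = tracked_malloc(tlen))) return -1;     /* leaks n */
            memcpy(n->org_specific, val, tlen); n->org_len = tlen;
        } else if (type == TLV_SYSNAME) {
            if (!(n->sysname = tracked_malloc(tlen + 1))) return -1;      /* leaks n */
            memcpy(n->sysname, val, tlen); n->sysname[tlen] = '\0';
        }
        off += 2 + tlen;
    }
    *out = n;
    return 0;
}

/* Hardened pattern: one error exit that frees the partially built state, and
 * a value already present is released before being replaced (duplicate TLV). */
static int decode_fixed(const uint8_t *buf, size_t len, struct neighbor **out) {
    struct neighbor *n = tracked_malloc(sizeof *n);
    if (!n) return -1;
    memset(n, 0, sizeof *n);
    for (size_t off = 0; off < len; ) {
        unsigned type; size_t tlen;
        if (read_hdr(buf + off, len - off, &type, &tlen) < 0) goto malformed;
        const uint8_t *val = buf + off + 2;
        if (type == TLV_END) break;
        if (type == TLV_ORG) {
            if (tlen < 4) goto malformed;              /* OUI + subtype at minimum */
            tracked_free(n->org_specific);             /* drop an earlier copy */
            if (!(n->org_specific = tracked_malloc(tlen))) goto malformed;
            memcpy(n->org_specific, val, tlen); n->org_len = tlen;
        } else if (type == TLV_SYSNAME) {
            tracked_free(n->sysname);
            if (!(n->sysname = tracked_malloc(tlen + 1))) goto malformed;
            memcpy(n->sysname, val, tlen); n->sysname[tlen] = '\0';
        }
        off += 2 + tlen;
    }
    *out = n;
    return 0;
malformed:
    neighbor_free(n);
    return -1;
}

/* Constructed PDU: a valid 4-byte org-specific TLV followed by a System Name
 * TLV whose declared length (20) overruns the 2 bytes that actually remain. */
static const uint8_t MALFORMED_PDU[] = {
    0xFE, 0x04, 0x00, 0x12, 0x0F, 0x01,   /* type 127, len 4: OUI 00:12:0f, subtype 1 */
    0x0A, 0x14, 'a', 'b'                  /* type 5, len 20, truncated */
};
/* Constructed PDU that is well formed and ends with the End-of-LLDPDU TLV. */
static const uint8_t GOOD_PDU[] = {
    0x0A, 0x03, 'o', 'v', 's',            /* type 5, len 3: "ovs" */
    0xFE, 0x04, 0x00, 0x12, 0x0F, 0x01,   /* type 127, len 4 */
    0x00, 0x00                            /* End TLV */
};

typedef int (*decoder_fn)(const uint8_t *, size_t, struct neighbor **);

/* Feed the malformed PDU `rounds` times and report allocations still live;
 * a leaking decoder grows linearly with the number of frames received. */
static long outstanding_after(decoder_fn decode, int rounds) {
    g_allocs = g_frees = 0;
    for (int i = 0; i < rounds; i++) {
        struct neighbor *n = NULL;
        if (decode(MALFORMED_PDU, sizeof MALFORMED_PDU, &n) == 0) neighbor_free(n);
    }
    return g_allocs - g_frees;
}

/* Sanity check that the hardened decoder still accepts a valid PDU. */
static int fixed_accepts_good_pdu(void) {
    struct neighbor *n = NULL;
    int ok = decode_fixed(GOOD_PDU, sizeof GOOD_PDU, &n) == 0 && n != NULL &&
             strcmp(n->sysname, "ovs") == 0 && n->org_len == 4;
    neighbor_free(n);
    return ok;
}

int main(void) {
    printf("leaky:  %ld live allocations after 3 malformed PDUs\n", outstanding_after(decode_leaky, 3));
    printf("fixed:  %ld live allocations after 3 malformed PDUs\n", outstanding_after(decode_fixed, 3));
    printf("fixed accepts good PDU: %d\n", fixed_accepts_good_pdu());
    return 0;
}
```

The counters stand in for a leak checker: with the leaky decoder the live count is two blocks per malformed frame (the neighbor and the org-specific copy) and keeps growing, which is the availability impact the Doc Text describes; with the single-exit form it returns to zero and valid PDUs still decode. The same "free partial state on the error path" review rule is what to look for when auditing any TLV or option parser that allocates per element.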

Comment 1 Pedro Sampaio 2021-01-28 02:02:03 UTC
Created lldpd tracking bugs for this issue:

Affects: epel-7 [bug 1921442]
Affects: fedora-all [bug 1921441]


Created openvswitch tracking bugs for this issue:

Affects: fedora-all [bug 1921440]
Affects: openstack-rdo [bug 1921439]

Comment 4 Mauro Matteo Cascella 2021-01-29 17:51:30 UTC
Open vSwitch pull request:
https://github.com/openvswitch/ovs/pull/337

Open vSwitch fix:
https://github.com/openvswitch/ovs/commit/78e712c0b1dacc2f12d2a03d98f083d8672867f0

Comment 8 Anten Skrabec 2021-02-09 22:16:21 UTC
Statement:

Red Hat OpenStack Platform 13's openvswitch package will receive its fixes from Fast Datapath.

Comment 9 Anten Skrabec 2021-02-09 22:16:45 UTC
External References:

https://mail.openvswitch.org/pipermail/ovs-dev/2021-January/379471.html

Comment 11 errata-xmlrpc 2021-02-11 14:52:13 UTC
This issue has been addressed in the following products:

  Fast Datapath for Red Hat Enterprise Linux 8

Via RHSA-2021:0497 https://access.redhat.com/errata/RHSA-2021:0497

Comment 12 Product Security DevOps Team 2021-02-11 16:10:19 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-27827

Comment 13 errata-xmlrpc 2021-03-15 14:33:31 UTC
This issue has been addressed in the following products:

  Fast Datapath for Red Hat Enterprise Linux 8

Via RHSA-2021:0837 https://access.redhat.com/errata/RHSA-2021:0837

Comment 14 errata-xmlrpc 2021-03-15 14:35:08 UTC
This issue has been addressed in the following products:

  Fast Datapath for Red Hat Enterprise Linux 7

Via RHSA-2021:0834 https://access.redhat.com/errata/RHSA-2021:0834

Comment 15 errata-xmlrpc 2021-03-15 14:35:38 UTC
This issue has been addressed in the following products:

  Fast Datapath for Red Hat Enterprise Linux 7

Via RHSA-2021:0835 https://access.redhat.com/errata/RHSA-2021:0835

Comment 16 errata-xmlrpc 2021-03-23 18:51:43 UTC
This issue has been addressed in the following products:

  Red Hat Virtualization 4 for Red Hat Enterprise Linux 8

Via RHSA-2021:0976 https://access.redhat.com/errata/RHSA-2021:0976

Comment 17 errata-xmlrpc 2021-03-31 12:57:00 UTC
This issue has been addressed in the following products:

  Red Hat Virtualization 4 for Red Hat Enterprise Linux 7

Via RHSA-2021:1050 https://access.redhat.com/errata/RHSA-2021:1050

Comment 18 errata-xmlrpc 2021-03-31 12:57:39 UTC
This issue has been addressed in the following products:

  Red Hat Virtualization 4 for Red Hat Enterprise Linux 7

Via RHSA-2021:1051 https://access.redhat.com/errata/RHSA-2021:1051

Comment 19 errata-xmlrpc 2021-05-20 19:30:12 UTC
This issue has been addressed in the following products:

  Fast Datapath for Red Hat Enterprise Linux 7

Via RHSA-2021:2077 https://access.redhat.com/errata/RHSA-2021:2077

Comment 20 errata-xmlrpc 2021-06-16 10:57:37 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 13.0 (Queens)

Via RHSA-2021:2456 https://access.redhat.com/errata/RHSA-2021:2456