Bug 2339537 (CVE-2025-0650)

Summary: CVE-2025-0650 ovn: egress ACLs may be bypassed via specially crafted UDP packet
Product: [Other] Security Response
Reporter: OSIDB Bzimport <bzimport>
Component: vulnerability
Assignee: Product Security DevOps Team <prodsec-dev>
Status: NEW ---
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
CC: echaudro, fleitner, ktraynor, rkhan
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Open Virtual Network (OVN). Specially crafted UDP packets may bypass egress access control lists (ACLs) in OVN installations configured with a logical switch with DNS records set on it and if the same switch has any egress ACLs configured. This issue can lead to unauthorized access to virtual machines and containers running on the OVN network.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2339854, 2339855
Bug Blocks:

Description OSIDB Bzimport 2025-01-22 15:54:41 UTC
Multiple versions of OVN (Open Virtual Network) are vulnerable to allowing crafted UDP packets to bypass egress access control list (ACL) rules. This can result in unauthorized access to virtual machines and containers running on the OVN network.

OVN provides rudimentary DNS caching as an optional feature to speed up lookups of frequently-used domains. When this feature is enabled, due to the OpenFlow rules that OVN installs in Open vSwitch, it is possible for an attacker to craft a UDP packet that can bypass egress ACL rules. Egress ACL rules are those that have the "direction" set to "to-lport".

The OVN installation is vulnerable if a logical switch has DNS records set on it AND if the same switch has any egress ACLs configured on it. The switch is considered to have egress ACLs configured if the switch has an egress ACL configured directly on it using the "acls" column of the logical switch. A switch is also considered to have egress ACLs configured if any of its logical switch ports are part of a port group that has egress ACLs configured in its "acls" column.

We recommend that users of OVN apply the linked patches, or upgrade to a known patched version of OVN. These include:

v22.03.8
v24.03.5
v24.09.2
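
The exposure condition above (a logical switch with DNS records set AND egress ACLs, either in its own "acls" column or through a port group containing one of its ports) can be audited against the Northbound database. The following Python is an added example written for this page, not code from the OVN project or the bug reporter. It works on simplified row dictionaries keyed by the real NB column names (Logical_Switch.dns_records/acls/ports, Port_Group.ports/acls, ACL.direction); the rows below are constructed sample data, and converting real `ovn-nbctl --format=json list <table>` output into this shape is assumed to be done by the operator.

```python
"""Audit OVN Northbound records for the CVE-2025-0650 exposure condition.

Constructed example: the rows below are hand-written dictionaries shaped
like decoded NB rows, with references expressed as UUID-like strings.
They are not captured from a real deployment.
"""
from __future__ import annotations

# Direction value OVN uses for egress ACLs (as stated in the advisory).
EGRESS = "to-lport"

# --- Constructed sample data -------------------------------------------
ACLS = {
    "acl-1": {"direction": "to-lport", "priority": 1000,
              "match": "ip4", "action": "drop"},
    "acl-2": {"direction": "from-lport", "priority": 1000,
              "match": "ip4", "action": "allow"},
    "acl-3": {"direction": "to-lport", "priority": 900,
              "match": "tcp.dst == 22", "action": "drop"},
}

PORT_GROUPS = [
    # Egress ACL applied indirectly, through port-group membership.
    {"name": "pg_web", "ports": ["lsp-b1"], "acls": ["acl-3"]},
]

SWITCHES = [
    # DNS records + egress ACL directly in "acls": exposed.
    {"name": "ls-a", "dns_records": ["dns-1"], "acls": ["acl-1"],
     "ports": ["lsp-a1"]},
    # DNS records + egress ACL only via port group pg_web: exposed.
    {"name": "ls-b", "dns_records": ["dns-1"], "acls": [],
     "ports": ["lsp-b1"]},
    # DNS records but only an ingress (from-lport) ACL: not exposed.
    {"name": "ls-c", "dns_records": ["dns-1"], "acls": ["acl-2"],
     "ports": ["lsp-c1"]},
    # Egress ACL but no DNS records: not exposed.
    {"name": "ls-d", "dns_records": [], "acls": ["acl-1"],
     "ports": ["lsp-d1"]},
]


def egress_acl_refs(acl_uuids: list[str], acls: dict) -> list[str]:
    """Return the subset of ACL references whose direction is egress."""
    return [u for u in acl_uuids if acls.get(u, {}).get("direction") == EGRESS]


def exposed_switches(switches: list[dict], port_groups: list[dict],
                     acls: dict) -> dict[str, list[str]]:
    """Map each exposed switch name to the reasons it matched.

    A switch is exposed when it has DNS records AND at least one egress
    ACL, configured either directly or via a port group that contains
    one of the switch's ports.
    """
    result: dict[str, list[str]] = {}
    for sw in switches:
        if not sw["dns_records"]:
            continue  # first condition not met; skip
        reasons: list[str] = []
        direct = egress_acl_refs(sw["acls"], acls)
        if direct:
            reasons.append(f"direct egress ACLs: {direct}")
        port_set = set(sw["ports"])
        for pg in port_groups:
            if port_set & set(pg["ports"]):
                via_pg = egress_acl_refs(pg["acls"], acls)
                if via_pg:
                    reasons.append(
                        f"egress ACLs via port group {pg['name']}: {via_pg}")
        if reasons:
            result[sw["name"]] = reasons
    return result


if __name__ == "__main__":
    for name, why in exposed_switches(SWITCHES, PORT_GROUPS, ACLS).items():
        print(f"{name}: {'; '.join(why)}")
```

Running the script on the constructed data flags ls-a and ls-b only; ls-c carries just an ingress ACL and ls-d has no DNS records, so neither meets both halves of the condition. A switch reported here should be treated as in scope for the patch or the upgrade to one of the fixed versions listed above.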

Comment 2 errata-xmlrpc 2025-02-05 15:11:23 UTC
This issue has been addressed in the following products:

  Fast Datapath for Red Hat Enterprise Linux 8

Via RHSA-2025:1084 https://access.redhat.com/errata/RHSA-2025:1084

Comment 3 errata-xmlrpc 2025-02-05 15:12:06 UTC
This issue has been addressed in the following products:

  Fast Datapath for Red Hat Enterprise Linux 9

Via RHSA-2025:1090 https://access.redhat.com/errata/RHSA-2025:1090

Comment 4 errata-xmlrpc 2025-02-05 15:12:06 UTC
This issue has been addressed in the following products:

  Fast Datapath for Red Hat Enterprise Linux 8

Via RHSA-2025:1083 https://access.redhat.com/errata/RHSA-2025:1083

Comment 5 errata-xmlrpc 2025-02-05 15:13:28 UTC
This issue has been addressed in the following products:

  Fast Datapath for Red Hat Enterprise Linux 9

Via RHSA-2025:1089 https://access.redhat.com/errata/RHSA-2025:1089

Comment 6 errata-xmlrpc 2025-02-05 15:13:36 UTC
This issue has been addressed in the following products:

  Fast Datapath for Red Hat Enterprise Linux 8

Via RHSA-2025:1085 https://access.redhat.com/errata/RHSA-2025:1085

Comment 7 errata-xmlrpc 2025-02-05 15:13:51 UTC
This issue has been addressed in the following products:

  Fast Datapath for Red Hat Enterprise Linux 8

Via RHSA-2025:1086 https://access.redhat.com/errata/RHSA-2025:1086

Comment 8 errata-xmlrpc 2025-02-05 15:14:07 UTC
This issue has been addressed in the following products:

  Fast Datapath for Red Hat Enterprise Linux 8

Via RHSA-2025:1087 https://access.redhat.com/errata/RHSA-2025:1087

Comment 9 errata-xmlrpc 2025-02-05 15:14:21 UTC
This issue has been addressed in the following products:

  Fast Datapath for Red Hat Enterprise Linux 8

Via RHSA-2025:1088 https://access.redhat.com/errata/RHSA-2025:1088

Comment 10 errata-xmlrpc 2025-02-05 15:14:25 UTC
This issue has been addressed in the following products:

  Fast Datapath for Red Hat Enterprise Linux 9

Via RHSA-2025:1092 https://access.redhat.com/errata/RHSA-2025:1092

Comment 11 errata-xmlrpc 2025-02-05 15:14:42 UTC
This issue has been addressed in the following products:

  Fast Datapath for Red Hat Enterprise Linux 9

Via RHSA-2025:1093 https://access.redhat.com/errata/RHSA-2025:1093

Comment 12 errata-xmlrpc 2025-02-05 15:14:54 UTC
This issue has been addressed in the following products:

  Fast Datapath for Red Hat Enterprise Linux 9

Via RHSA-2025:1091 https://access.redhat.com/errata/RHSA-2025:1091

Comment 13 errata-xmlrpc 2025-02-05 15:14:58 UTC
This issue has been addressed in the following products:

  Fast Datapath for Red Hat Enterprise Linux 9

Via RHSA-2025:1095 https://access.redhat.com/errata/RHSA-2025:1095

Comment 14 errata-xmlrpc 2025-02-05 15:15:11 UTC
This issue has been addressed in the following products:

  Fast Datapath for Red Hat Enterprise Linux 9

Via RHSA-2025:1094 https://access.redhat.com/errata/RHSA-2025:1094

Comment 15 errata-xmlrpc 2025-02-05 15:15:29 UTC
This issue has been addressed in the following products:

  Fast Datapath for Red Hat Enterprise Linux 9

Via RHSA-2025:1096 https://access.redhat.com/errata/RHSA-2025:1096

Comment 16 errata-xmlrpc 2025-02-05 15:15:38 UTC
This issue has been addressed in the following products:

  Fast Datapath for Red Hat Enterprise Linux 9

Via RHSA-2025:1097 https://access.redhat.com/errata/RHSA-2025:1097