Bug 1295480 (CVE-2015-1142857) - kernel: net: ethernet flow control vulnerability in SRIOV devices
Summary: kernel: net: ethernet flow control vulnerability in SRIOV devices
Keywords:
Status: CLOSED UPSTREAM
Alias: CVE-2015-1142857
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1295482
Blocks: 1288501
Reported: 2016-01-04 16:04 UTC by Vladis Dronov
Modified: 2021-02-17 04:34 UTC

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2016-07-07 14:44:10 UTC
Embargoed:


Attachments
oss-sec.CVE.request-Ethernet.flow.control.vulnerability.in.SRIOV.devices.html (12.97 KB, text/html)
2016-07-07 14:30 UTC, Vladis Dronov

Description Vladis Dronov 2016-01-04 16:04:09 UTC
A design flaw was found in the current Ethernet SRIOV NIC deployments that enables untrusted malicious virtual machines to completely control the network throughput and the latency of other unrelated VMs. The attack exploits Ethernet "pause" control frames, which enable network flow control functionality.

Initial disclosure:

http://seclists.org/oss-sec/2015/q4/425

Comment 1 Vladis Dronov 2016-01-04 16:17:31 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1295482]

Comment 3 Vladis Dronov 2016-07-07 14:30:35 UTC
Created attachment 1177348 [details]
oss-sec.CVE.request-Ethernet.flow.control.vulnerability.in.SRIOV.devices.html

Comment 4 Vladis Dronov 2016-07-07 14:40:51 UTC
Statement:

This issue affects the Linux kernel packages as shipped with Red Hat Enterprise Linux 5, 6, 7 and Red Hat Enterprise MRG-2. This has been rated as having Low security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.

Comment 5 Marcus Meissner 2018-01-24 07:28:05 UTC
Is this CVE for real? It does not look in scope.

Comment 6 Adam Mariš 2018-01-24 09:37:50 UTC
(In reply to Marcus Meissner from comment #5)
> Is this CVE for real? It does not look in scope.

Yes, it's in DWF scope.

