Bug 1497966 (CVE-2017-14970) - CVE-2017-14970 openvswitch: Multiple memory leaks in lib/ofp-util.c while parsing malformed OpenFlow group mod messages
Summary: CVE-2017-14970 openvswitch: Multiple memory leaks in lib/ofp-util.c while par...
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2017-14970
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1497967 1499033 1499034
Blocks: 1497969
TreeView+ depends on / blocked
 
Reported: 2017-10-03 09:06 UTC by Andrej Nemec
Modified: 2020-02-11 00:30 UTC (History)
41 users (show)

Fixed In Version: openvswitch 2.8.1
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-10-05 22:04:51 UTC


Attachments (Terms of Use)

Description Andrej Nemec 2017-10-03 09:06:13 UTC
In lib/ofp-util.c in Open vSwitch (OvS) before 2.8.1, there are multiple memory leaks while parsing malformed OpenFlow group mod messages. An attacker can use this for a Denial of Service.

Upstream fixes:

https://github.com/openvswitch/ovs/commit/77ad4225d125030420d897c873e4734ac708c66b
https://github.com/openvswitch/ovs/commit/f673f4059717dc9d2d6dd2d4db52be1149a996dd

Comment 1 Andrej Nemec 2017-10-03 09:07:02 UTC
Created openvswitch tracking bugs for this issue:

Affects: fedora-all [bug 1497967]

Comment 2 Joshua Padman 2017-10-05 04:28:55 UTC
Analysis: Currently when parsing group mod messages, particularly group descriptor messages and those that contain buckets, the buckets will be loaded into memory. If for some reason the parsing fails and the function returns an error the references to the buckets already allocated is lost (memory leak).
Openflow being what it is, a standard for managing switches from a centralised control plane it is unlikely that those not already in a significant position to abuse / DoS the service would be able to use these vulnerabilities. As it stands the two memory leaks require failures in the parsing of the group descriptor, to systematically cause this failure and create a denial of service (memory exhaustion etc) would be difficult.

Comment 5 Joshua Padman 2017-10-05 21:33:26 UTC
Relevant information for others:

Ben Pfaff downgraded the severity of this bug: https://mail.openvswitch.org/pipermail/ovs-dev/2017-October/339432.html

Comment 6 Joshua Padman 2017-10-05 22:04:51 UTC
Upstream is applying to have the CVE rejected, which we agree with. After some consideration we are closing it as notabug.
https://mail.openvswitch.org/pipermail/ovs-dev/2017-October/339435.html

Comment 7 Junhan 2017-10-25 09:26:38 UTC
Hi Andrej,
Do you have the reproducer of this bug?
Thanks,
Junhan

Comment 8 Andrej Nemec 2017-10-25 15:22:38 UTC
(In reply to Junhan from comment #7)
> Hi Andrej,
> Do you have the reproducer of this bug?
> Thanks,
> Junhan

Hello Junhan, there is no reproducer as far as I'm aware of. This issue has also been rejected as a security issue.

Comment 9 Doran Moppert 2020-02-11 00:30:11 UTC
Statement:

Red Hat Product Security determined that this flaw was not a security vulnerability. See the Bugzilla link for more details.


Note You need to log in before you can comment on or make changes to this bug.