Bug 1632522 – CVE-2018-17204 openvswitch: Mishandle of group mods in lib/ofp-util.c:parse_group_prop_ntr_selection_method() allows for assertion failure

Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.

Bug 1632522 - (CVE-2018-17204) CVE-2018-17204 openvswitch: Mishandle of group mods in lib/ofp-util.c:parse_group_prop_ntr_selection_method() allows for assertion failure

Summary:	CVE-2018-17204 openvswitch: Mishandle of group mods in lib/ofp-util.c:parse_g...

Status:	NEW

Aliases:	CVE-2018-17204

Product:	Security Response
Classification:	Other
Component:	vulnerability (Show other bugs)
Sub Component:
Version:	unspecified
Hardware:	All Linux

Priority	medium Severity medium
Target Milestone:	---
Target Release:	---
Assigned To:	Red Hat Product Security
QA Contact:
Docs Contact:

URL:
Whiteboard:	impact=moderate,public=20180925,repor...
Keywords:	Security

Depends On:	1632523 1633063 1633066 1633067 1633068 1633070 1633072 1633147 1633064 1633065
Blocks:	1632524
	Show dependency tree / graph

Reported:	2018-09-24 21:40 EDT by Sam Fowler
Modified:	2018-10-08 17:59 EDT (History)
CC List:	44 users (show)

See Also:
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:	An issue was discovered in Open vSwitch (OvS), 2.4.x through 2.4.1, 2.5.x through 2.5.5, 2.6.x through 2.6.3, 2.7.x through 2.7.6, 2.8.x through 2.8.4, and2.9.x through 2.9.2, affecting the parse_group_prop_ntr_selection_method in lib/ofp-util.c. On controllers with the OpenFlow 1.5 decoder enabled, a specially crafted group update can cause an assertion failure, potentially leading to a Denial of Service condition.
Story Points:	---
Clone Of:
Environment:
Last Closed:
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

External Trackers
Tracker	ID	Priority	Status	Summary	Last Updated
Github	openvswitch/ovs/commit/4af6da3b275b764b1afe194df6499b33d2bf4cde	None	None	None	2018-09-26 22:04 EDT

Groups: None (edit)

Description Sam Fowler 2018-09-24 21:40:57 EDT

An issue was discovered in Open vSwitch (OvS) 2.7.x through 2.7.6, affecting parse_group_prop_ntr_selection_method in lib/ofp-util.c. When decoding a group mod, it validates the group type and command after the whole group mod has been decoded. The OF1.5 decoder, however, tries to use the type and command earlier, when it might still be invalid. This causes an assertion failure (via OVS_NOT_REACHED). ovs-vswitchd does not enable support for OpenFlow 1.5 by default.


Upstream Patch:

https://github.com/openvswitch/ovs/commit/4af6da3b275b764b1afe194df6499b33d2bf4cde

Comment 1 Sam Fowler 2018-09-24 21:42:54 EDT

Created openvswitch tracking bugs for this issue:

Affects: openstack-rdo [bug 1632523]

Comment 2 James Hebden 2018-09-26 02:52:51 EDT

Slightly adjusted scoring given the need for privileged access to OVS in order to access the interfaces required.

RHOSP14 (OVS 2.6.1):
openvswitch:
 - CVE-2018-17204 (vulnerable code present in parse_group_prop_ntr_selection_method, lib/ofp-util.c, offset)

RHOSP13 (OVS 2.6.1)
openvswitch:
 - CVE-2018-17204 (vulnerable code present in parse_group_prop_ntr_selection_method, lib/ofp-util.c, offset)
 - Commonly uses FDP version (2.9.0)

RHOSP12 (OVS 2.7.4)
openvswitch:
 - CVE-2018-17204 (vulnerable code present in parse_group_prop_ntr_selection_method, lib/ofp-util.c, offset)
 - Commonly uses FDP version (2.9.0)

RHOSP10 (OVS 2.6.1)
openvswitch:
 - CVE-2018-17204 (vulnerable code present in parse_group_prop_ntr_selection_method, lib/ofp-util.c, offset)
 - Commonly uses FDP version (2.9.0)

RHOSP9 (OVS not packaged?)
openvswitch:
 - Repo contains 2.5.0 (Installable after running rhos-release 9, seems to inherit from RHOS7 tag)
 - CVE-2018-17204 (vulnerable code present in parse_group_prop_ntr_selection_method, lib/ofp-util.c, offset)

RHOSP8 (OVS not packaged?)
openvswitch:
 - Repo contains 2.5.0 (Installable after running rhos-release 8, seems to inherit from RHOS7 tag)
 - CVE-2018-17204 (vulnerable code present in parse_group_prop_ntr_selection_method, lib/ofp-util.c, offset)

RHOSP7 ELS (Important fixes only, 2.5.0)
 - CVE-2018-17204 (vulnerable code present in parse_group_prop_ntr_selection_method, lib/ofp-util.c, offset)

Fast Data Path RHEL-7 (2.9.0)
openvswitch:
 - CVE-2018-17204 (vulnerable code present in parse_group_prop_ntr_selection_method, lib/ofp-util.c, offset)
openvswitch2.10:
 - CVE-2018-17204 (has been fixed, not vulnerable, code moved to lib/ofp-group.c)

Note You need to log in before you can comment on or make changes to this bug.

abhgupta
aconole
ahardin
apevec
atragler
bleanhar
bmcclain
ccoleman
chrisw
dbaker
dblechte
dedgar
dfediuck
eedri
eparis
fleitner
jgoulding
jhebden
jjoyce
jokerman
jschluet
kbasil
lhh
lpeer
markmc
mburns
mchappel
mgoldboi
michal.skrivanek
mmirecki
ovs-team
rbryant
rhos-maint
sbonazzo
sclewis
sherold
slinaber
srevivo
sthangav
tdecacqu
tgraf
trankin
tredaelli
ylavi