Bug 1632522 (CVE-2018-17204) - CVE-2018-17204 openvswitch: Mishandle of group mods in lib/ofp-util.c:parse_group_prop_ntr_selection_method() allows for assertion failure
Summary: CVE-2018-17204 openvswitch: Mishandle of group mods in lib/ofp-util.c:parse_g...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2018-17204
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,public=20180925,repor...
Depends On: 1632523 1633063 1633064 1633065 1633066 1633067 1633068 1633070 1633072 1633147 1650038 1651419 1651420 1683550
Blocks: 1632524
TreeView+ depends on / blocked
 
Reported: 2018-09-25 01:40 UTC by Sam Fowler
Modified: 2019-06-11 11:13 UTC (History)
43 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
An issue was discovered in Open vSwitch (OvS), 2.4.x through 2.4.1, 2.5.x through 2.5.5, 2.6.x through 2.6.3, 2.7.x through 2.7.6, 2.8.x through 2.8.4, and2.9.x through 2.9.2, affecting the parse_group_prop_ntr_selection_method in lib/ofp-util.c. On controllers with the OpenFlow 1.5 decoder enabled, a specially crafted group update can cause an assertion failure, potentially leading to a Denial of Service condition.
Clone Of:
Environment:
Last Closed: 2019-06-10 10:38:34 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2018:3500 None None None 2018-11-05 14:56:15 UTC
Red Hat Product Errata RHSA-2019:0053 None None None 2019-01-16 17:11:20 UTC
Red Hat Product Errata RHSA-2019:0081 None None None 2019-01-16 17:52:40 UTC
Github openvswitch/ovs/commit/4af6da3b275b764b1afe194df6499b33d2bf4cde None None None 2018-09-27 02:04:59 UTC

Description Sam Fowler 2018-09-25 01:40:57 UTC
An issue was discovered in Open vSwitch (OvS) 2.7.x through 2.7.6, affecting parse_group_prop_ntr_selection_method in lib/ofp-util.c. When decoding a group mod, it validates the group type and command after the whole group mod has been decoded. The OF1.5 decoder, however, tries to use the type and command earlier, when it might still be invalid. This causes an assertion failure (via OVS_NOT_REACHED). ovs-vswitchd does not enable support for OpenFlow 1.5 by default.


Upstream Patch:

https://github.com/openvswitch/ovs/commit/4af6da3b275b764b1afe194df6499b33d2bf4cde

Comment 1 Sam Fowler 2018-09-25 01:42:54 UTC
Created openvswitch tracking bugs for this issue:

Affects: openstack-rdo [bug 1632523]

Comment 2 James Hebden 2018-09-26 06:52:51 UTC
Slightly adjusted scoring given the need for privileged access to OVS in order to access the interfaces required.

RHOSP14 (OVS 2.6.1):
openvswitch:
 - CVE-2018-17204 (vulnerable code present in parse_group_prop_ntr_selection_method, lib/ofp-util.c, offset)

RHOSP13 (OVS 2.6.1)
openvswitch:
 - CVE-2018-17204 (vulnerable code present in parse_group_prop_ntr_selection_method, lib/ofp-util.c, offset)
 - Commonly uses FDP version (2.9.0)

RHOSP12 (OVS 2.7.4)
openvswitch:
 - CVE-2018-17204 (vulnerable code present in parse_group_prop_ntr_selection_method, lib/ofp-util.c, offset)
 - Commonly uses FDP version (2.9.0)

RHOSP10 (OVS 2.6.1)
openvswitch:
 - CVE-2018-17204 (vulnerable code present in parse_group_prop_ntr_selection_method, lib/ofp-util.c, offset)
 - Commonly uses FDP version (2.9.0)

RHOSP9 (OVS not packaged?)
openvswitch:
 - Repo contains 2.5.0 (Installable after running rhos-release 9, seems to inherit from RHOS7 tag)
 - CVE-2018-17204 (vulnerable code present in parse_group_prop_ntr_selection_method, lib/ofp-util.c, offset)

RHOSP8 (OVS not packaged?)
openvswitch:
 - Repo contains 2.5.0 (Installable after running rhos-release 8, seems to inherit from RHOS7 tag)
 - CVE-2018-17204 (vulnerable code present in parse_group_prop_ntr_selection_method, lib/ofp-util.c, offset)

RHOSP7 ELS (Important fixes only, 2.5.0)
 - CVE-2018-17204 (vulnerable code present in parse_group_prop_ntr_selection_method, lib/ofp-util.c, offset)

Fast Data Path RHEL-7 (2.9.0)
openvswitch:
 - CVE-2018-17204 (vulnerable code present in parse_group_prop_ntr_selection_method, lib/ofp-util.c, offset)
openvswitch2.10:
 - CVE-2018-17204 (has been fixed, not vulnerable, code moved to lib/ofp-group.c)

Comment 8 errata-xmlrpc 2018-11-05 14:55:56 UTC
This issue has been addressed in the following products:

  Fast Datapath for RHEL 7

Via RHSA-2018:3500 https://access.redhat.com/errata/RHSA-2018:3500

Comment 12 Timothy Walsh 2018-11-22 05:32:54 UTC
OpenShift 3.1 to 3.4 included an openvswitch rpm.

The node container image (https://access.redhat.com/containers/#/registry.access.redhat.com/openshift3/node) includes the patch for this flaw and as per OpenShift Container Platform Tested Integrations (https://access.redhat.com/articles/2176281) customers are advised to use the updated node container.

Comment 15 errata-xmlrpc 2019-01-16 17:11:18 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 10.0 (Newton)

Via RHSA-2019:0053 https://access.redhat.com/errata/RHSA-2019:0053

Comment 16 errata-xmlrpc 2019-01-16 17:52:38 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 13.0 (Queens)

Via RHSA-2019:0081 https://access.redhat.com/errata/RHSA-2019:0081


Note You need to log in before you can comment on or make changes to this bug.