Bug 1632528 – CVE-2018-17206 openvswitch: Buffer over-read in lib/ofp-actions.c:decode_bundle()

Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.

Bug 1632528 - (CVE-2018-17206) CVE-2018-17206 openvswitch: Buffer over-read in lib/ofp-actions.c:decode_bundle()

Summary:	CVE-2018-17206 openvswitch: Buffer over-read in lib/ofp-actions.c:decode_bund...

Status:	NEW

Aliases:	CVE-2018-17206

Product:	Security Response
Classification:	Other
Component:	vulnerability (Show other bugs)
Sub Component:
Version:	unspecified
Hardware:	All Linux

Priority	medium Severity medium
Target Milestone:	---
Target Release:	---
Assigned To:	Red Hat Product Security
QA Contact:
Docs Contact:

URL:
Whiteboard:	impact=moderate,public=20180925,repor...
Keywords:	Security

Depends On:	1632529 1633049 1633052 1633053 1633054 1633055 1633056 1633057 1633050 1633051
Blocks:	1632524
	Show dependency tree / graph

Reported:	2018-09-24 21:55 EDT by Sam Fowler
Modified:	2018-10-08 17:59 EDT (History)
CC List:	44 users (show)

See Also:
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:	An issue was discovered in Open vSwitch (OvS) 2.5.x through 2.5.5, 2.6.x through 2.6.3, 2.7.x through 2.7.6, 2.8.x through 2.8.4, and 2.9.x through 2.9.2 where the decode_bundle function inside lib/ofp-actions.c is affected by a buffer over-read issue during BUNDLE action decoding. A specially crafted flow update applied using the bundling feature of Open vSwitch could potentially cause a crash leading to a denial of service.
Story Points:	---
Clone Of:
Environment:
Last Closed:
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

External Trackers
Tracker	ID	Priority	Status	Summary	Last Updated
Github	openvswitch/ovs/commit/9237a63c47bd314b807cda0bd2216264e82edbe8	None	None	None	2018-09-26 22:25 EDT

Groups: None (edit)

Description Sam Fowler 2018-09-24 21:55:35 EDT

An issue was discovered in Open vSwitch (OvS) 2.7.x through 2.7.6. The decode_bundle function inside lib/ofp-actions.c is affected by a buffer over-read issue during BUNDLE action decoding.


Upstream Patch:

https://nvd.nist.gov/vuln/detail/CVE-2018-17206

Comment 1 Sam Fowler 2018-09-24 21:56:16 EDT

Created openvswitch tracking bugs for this issue:

Affects: openstack-rdo [bug 1632529]

Comment 2 James Hebden 2018-09-26 02:32:41 EDT

I have downgraded the severity after review. This crash would be possible when bundling changes to the OVS flow table, which requires use of the local ovs-vsctl tool by a logged in administrative user, so network and unprivileged didn't quite seem to fit.

I have updated the flaw RHOSP edition impacts after reviewing both RHOSP and FDP releases, including the FDP openvswitch2.10 release.

RHOSP14 (OVS 2.6.1):
openvswitch:
 - CVE-2018-17206 (vulnerable code present in decode_bundle, lib/ofp-actions.c, offset)

RHOSP13 (OVS 2.6.1)
openvswitch:
 - CVE-2018-17206 (vulnerable code present in decode_bundle, lib/ofp-actions.c, offset)
 - Commonly uses FDP version (2.9.0)

RHOSP12 (OVS 2.7.4)
openvswitch:
 - CVE-2018-17206 (vulnerable code present in decode_bundle, lib/ofp-actions.c, offset)
 - Commonly uses FDP version (2.9.0)

RHOSP10 (OVS 2.6.1)
openvswitch:
 - CVE-2018-17206 (vulnerable code present in decode_bundle, lib/ofp-actions.c, offset)
 - Commonly uses FDP version (2.9.0)

RHOSP9 (OVS not packaged?)
openvswitch:
 - Repo contains 2.5.0 (Installable after running rhos-release 9, seems to inherit from RHOS7 tag)
 - CVE-2018-17206 (vulnerable code present in decode_bundle, in lib/ofp-actions.c)

RHOSP8 (OVS not packaged?)
openvswitch:
 - Repo contains 2.5.0 (Installable after running rhos-release 8, seems to inherit from RHOS7 tag)
 - CVE-2018-17206 (vulnerable code present in decode_bundle, in lib/ofp-actions.c)

RHOSP7 ELS (Important flaws only for ELS releases, 2.5.0)
 - CVE-2018-17206 (vulnerable code present in decode_bundle, in lib/ofp-actions.c, however not high enough severity to meet criteria for ELS)

Fast Data Path RHEL-7 (2.9.0)
openvswitch:
 - CVE-2018-17206 (vulnerable code present in decode_bundle, lib/ofp-actions.c, offset)
openvswitch2.10:
 - CVE-2018-17206 (has been fixed, not vulnerable)

Comment 4 James Hebden 2018-09-26 02:47:33 EDT

Upstream fix: https://github.com/openvswitch/ovs/commit/9237a63c47bd314b807cda0bd2216264e82edbe8

Note You need to log in before you can comment on or make changes to this bug.

abhgupta
aconole
ahardin
apevec
atragler
bleanhar
bmcclain
ccoleman
chrisw
dbaker
dblechte
dedgar
dfediuck
eedri
eparis
fleitner
jgoulding
jhebden
jjoyce
jokerman
jschluet
kbasil
lhh
lpeer
markmc
mburns
mchappel
mgoldboi
michal.skrivanek
mmirecki
ovs-team
rbryant
rhos-maint
sbonazzo
sclewis
sherold
slinaber
srevivo
sthangav
tdecacqu
tgraf
trankin
tredaelli
ylavi