Bug 1632528 (CVE-2018-17206) - CVE-2018-17206 openvswitch: Buffer over-read in lib/ofp-actions.c:decode_bundle()
Summary: CVE-2018-17206 openvswitch: Buffer over-read in lib/ofp-actions.c:decode_bund...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2018-17206
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Alan Pevec
QA Contact:
URL:
Whiteboard: impact=moderate,public=20180925,repor...
Depends On: 1632529 1633049 1633050 1633051 1633052 1633053 1633054 1633055 1633056 1633057 1650036 1651419 1651420 1683827 1688003
Blocks: 1632524
TreeView+ depends on / blocked
 
Reported: 2018-09-25 01:55 UTC by Sam Fowler
Modified: 2019-06-11 11:13 UTC (History)
43 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
An issue was discovered in Open vSwitch (OvS) 2.5.x through 2.5.5, 2.6.x through 2.6.3, 2.7.x through 2.7.6, 2.8.x through 2.8.4, and 2.9.x through 2.9.2 where the decode_bundle function inside lib/ofp-actions.c is affected by a buffer over-read issue during BUNDLE action decoding. A specially crafted flow update applied using the bundling feature of Open vSwitch could potentially cause a crash leading to a denial of service.
Clone Of:
Environment:
Last Closed: 2019-06-10 10:38:38 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2018:3500 None None None 2018-11-05 14:56:16 UTC
Red Hat Product Errata RHSA-2019:0053 None None None 2019-01-16 17:11:28 UTC
Red Hat Product Errata RHSA-2019:0081 None None None 2019-01-16 17:52:42 UTC
Github openvswitch/ovs/commit/9237a63c47bd314b807cda0bd2216264e82edbe8 None None None 2018-09-27 02:25:15 UTC

Description Sam Fowler 2018-09-25 01:55:35 UTC
An issue was discovered in Open vSwitch (OvS) 2.7.x through 2.7.6. The decode_bundle function inside lib/ofp-actions.c is affected by a buffer over-read issue during BUNDLE action decoding.


Upstream Patch:

https://nvd.nist.gov/vuln/detail/CVE-2018-17206

Comment 1 Sam Fowler 2018-09-25 01:56:16 UTC
Created openvswitch tracking bugs for this issue:

Affects: openstack-rdo [bug 1632529]

Comment 2 James Hebden 2018-09-26 06:32:41 UTC
I have downgraded the severity after review. This crash would be possible when bundling changes to the OVS flow table, which requires use of the local ovs-vsctl tool by a logged in administrative user, so network and unprivileged didn't quite seem to fit.

I have updated the flaw RHOSP edition impacts after reviewing both RHOSP and FDP releases, including the FDP openvswitch2.10 release.

RHOSP14 (OVS 2.6.1):
openvswitch:
 - CVE-2018-17206 (vulnerable code present in decode_bundle, lib/ofp-actions.c, offset)

RHOSP13 (OVS 2.6.1)
openvswitch:
 - CVE-2018-17206 (vulnerable code present in decode_bundle, lib/ofp-actions.c, offset)
 - Commonly uses FDP version (2.9.0)

RHOSP12 (OVS 2.7.4)
openvswitch:
 - CVE-2018-17206 (vulnerable code present in decode_bundle, lib/ofp-actions.c, offset)
 - Commonly uses FDP version (2.9.0)

RHOSP10 (OVS 2.6.1)
openvswitch:
 - CVE-2018-17206 (vulnerable code present in decode_bundle, lib/ofp-actions.c, offset)
 - Commonly uses FDP version (2.9.0)

RHOSP9 (OVS not packaged?)
openvswitch:
 - Repo contains 2.5.0 (Installable after running rhos-release 9, seems to inherit from RHOS7 tag)
 - CVE-2018-17206 (vulnerable code present in decode_bundle, in lib/ofp-actions.c)

RHOSP8 (OVS not packaged?)
openvswitch:
 - Repo contains 2.5.0 (Installable after running rhos-release 8, seems to inherit from RHOS7 tag)
 - CVE-2018-17206 (vulnerable code present in decode_bundle, in lib/ofp-actions.c)

RHOSP7 ELS (Important flaws only for ELS releases, 2.5.0)
 - CVE-2018-17206 (vulnerable code present in decode_bundle, in lib/ofp-actions.c, however not high enough severity to meet criteria for ELS)

Fast Data Path RHEL-7 (2.9.0)
openvswitch:
 - CVE-2018-17206 (vulnerable code present in decode_bundle, lib/ofp-actions.c, offset)
openvswitch2.10:
 - CVE-2018-17206 (has been fixed, not vulnerable)

Comment 6 errata-xmlrpc 2018-11-05 14:55:57 UTC
This issue has been addressed in the following products:

  Fast Datapath for RHEL 7

Via RHSA-2018:3500 https://access.redhat.com/errata/RHSA-2018:3500

Comment 10 Timothy Walsh 2018-11-22 05:32:46 UTC
OpenShift 3.1 to 3.4 included an openvswitch rpm.

The node container image (https://access.redhat.com/containers/#/registry.access.redhat.com/openshift3/node) includes the patch for this flaw and as per OpenShift Container Platform Tested Integrations (https://access.redhat.com/articles/2176281) customers are advised to use the updated node container.

Comment 12 errata-xmlrpc 2019-01-16 17:11:25 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 10.0 (Newton)

Via RHSA-2019:0053 https://access.redhat.com/errata/RHSA-2019:0053

Comment 13 errata-xmlrpc 2019-01-16 17:52:40 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 13.0 (Queens)

Via RHSA-2019:0081 https://access.redhat.com/errata/RHSA-2019:0081


Note You need to log in before you can comment on or make changes to this bug.