Bug 2123549 (CVE-2022-28199) - CVE-2022-28199 dpdk: error recovery in mlx5 driver not handled properly, allowing for denial of service
Summary: CVE-2022-28199 dpdk: error recovery in mlx5 driver not handled properly, allo...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2022-28199
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2123136 2123139 2123143 2123145 2123146 2123550 2123552 2123553 2123554 2123555 2123557 2123559 2123615 2123616 2127135
Blocks: 2123551
TreeView+ depends on / blocked
 
Reported: 2022-09-02 00:07 UTC by Sam Fowler
Modified: 2022-12-05 22:37 UTC (History)
23 users (show)

Fixed In Version: dpdk 21.11.2, dpdk 20.11.6, dpdk 19.11.13
Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in the DPDK package. Affected versions of this package are vulnerable to denial of service (DoS) attacks, affecting system availability.
Clone Of:
Environment:
Last Closed: 2022-12-05 22:37:28 UTC
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2022:6502 0 None None None 2022-09-13 18:22:02 UTC
Red Hat Product Errata RHSA-2022:6503 0 None None None 2022-09-13 18:15:17 UTC
Red Hat Product Errata RHSA-2022:6504 0 None None None 2022-09-13 18:22:21 UTC
Red Hat Product Errata RHSA-2022:6505 0 None None None 2022-09-13 18:22:34 UTC
Red Hat Product Errata RHSA-2022:6506 0 None None None 2022-09-13 18:22:57 UTC
Red Hat Product Errata RHSA-2022:8263 0 None None None 2022-11-15 10:46:38 UTC

Description Sam Fowler 2022-09-02 00:07:27 UTC
A vulnerability was fixed in DPDK.  When having a failure with the mlx5 driver, the error recovery was not handled properly, which can allow a remote attacker to cause denial of service and some impact to data integrity and confidentiality.


Commits per branch:
	main  - https://git.dpdk.org/dpdk/commit/?id=60b254e392
	21.11 - https://git.dpdk.org/dpdk-stable/commit/?id=25c01bd323
	20.11 - https://git.dpdk.org/dpdk-stable/commit/?id=ef311075d2
	19.11 - https://git.dpdk.org/dpdk-stable/commit/?id=8b090f2664

LTS Releases:
	21.11 - http://fast.dpdk.org/rel/dpdk-21.11.2.tar.xz
	20.11 - http://fast.dpdk.org/rel/dpdk-20.11.6.tar.xz
	19.11 - http://fast.dpdk.org/rel/dpdk-19.11.13.tar.xz

Comment 1 Sam Fowler 2022-09-02 00:07:50 UTC
Created dpdk tracking bugs for this issue:

Affects: fedora-all [bug 2123550]

Comment 16 errata-xmlrpc 2022-09-13 18:15:14 UTC
This issue has been addressed in the following products:

  Fast Datapath for Red Hat Enterprise Linux 9

Via RHSA-2022:6503 https://access.redhat.com/errata/RHSA-2022:6503

Comment 17 errata-xmlrpc 2022-09-13 18:22:00 UTC
This issue has been addressed in the following products:

  Fast Datapath for Red Hat Enterprise Linux 8

Via RHSA-2022:6502 https://access.redhat.com/errata/RHSA-2022:6502

Comment 18 errata-xmlrpc 2022-09-13 18:22:17 UTC
This issue has been addressed in the following products:

  Fast Datapath for Red Hat Enterprise Linux 8

Via RHSA-2022:6504 https://access.redhat.com/errata/RHSA-2022:6504

Comment 19 errata-xmlrpc 2022-09-13 18:22:31 UTC
This issue has been addressed in the following products:

  Fast Datapath for Red Hat Enterprise Linux 8

Via RHSA-2022:6505 https://access.redhat.com/errata/RHSA-2022:6505

Comment 20 errata-xmlrpc 2022-09-13 18:22:54 UTC
This issue has been addressed in the following products:

  Fast Datapath for Red Hat Enterprise Linux 8

Via RHSA-2022:6506 https://access.redhat.com/errata/RHSA-2022:6506

Comment 21 Jean-Tsung Hsiao 2022-09-16 14:20:49 UTC
We have done sanity tests against mlx5 CVE fixes using FDP 22.G.2 openvswitch builds. All tests passed. Thus, we have verified this bug.

Below is out test results spreadsheet:
https://docs.google.com/spreadsheets/d/1U9nZRcgzXTd1kLuP2GgTGM2DaaJ-6jlYT2UYvX8Gb9g/edit#gid=398691140

NOTE: There will be separate erratas to verified dpdk 21.11.2, dpdk 20.11.6, dpdk 19.11.13 individually.

Comment 23 errata-xmlrpc 2022-11-15 10:46:36 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2022:8263 https://access.redhat.com/errata/RHSA-2022:8263

Comment 24 Product Security DevOps Team 2022-12-05 22:37:25 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-28199


Note You need to log in before you can comment on or make changes to this bug.