Bug 2213279 (CVE-2023-3153) - CVE-2023-3153 ovn: service monitor MAC flow is not rate limited
Summary: CVE-2023-3153 ovn: service monitor MAC flow is not rate limited
Keywords:
Status: NEW
Alias: CVE-2023-3153
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On: 2211021 2213285 2213286 2213287 2213288 2213289 2213290 2213291 2213292 2213293 2213294 2213295 2213296 2213297 2213298 2213299 2213300
Blocks: 2211082
 
Reported: 2023-06-07 17:46 UTC by Anten Skrabec
Modified: 2023-11-08 11:05 UTC

Fixed In Version: ovn 22.03.3, ovn 22.09.2, ovn 22.12.1, ovn 23.03.1, ovn 23.06.1
Doc Text:
A flaw was found in Open Virtual Network where the service monitor MAC does not properly rate limit. This issue could allow an attacker to cause a denial of service, including on deployments with CoPP enabled and properly configured.
Clone Of:
Environment:
Last Closed:
Embargoed:




Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHSA-2023:5009 | 0 | None | None | None | 2023-10-31 14:02:05 UTC
Red Hat Product Errata | RHSA-2023:6274 | 0 | None | None | None | 2023-11-08 11:05:15 UTC

Description Anten Skrabec 2023-06-07 17:46:51 UTC
The service monitor MAC is exposed through the following flow:
ovn_lflow_add(lflows, od, S_SWITCH_IN_L2_LKUP, 110,
              "eth.dst == $svc_monitor_mac",
              "handle_svc_check(inport);");

This doesn't handle rate limiting via CoPP. There is potential to
DoS ovn-controller even on deployments with CoPP enabled and configured,
as all packets with this destination MAC within the switch are sent directly to the pinctrl thread in ovn-controller.
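
A constructed model of the behavior described above, added here as an illustration and not taken from OVN or from this bug report: a token-bucket meter placed in front of a punt-to-controller flow, counting how many packets reach the controller thread with and without it. The struct, the function names, the rates and the traffic figures are all assumptions chosen for the example.

```c
/* Constructed model, not OVN code: every name here is hypothetical. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

struct meter {
    bool enabled;          /* false = punt flow with no meter attached */
    uint32_t rate_pps;     /* sustained packets per second */
    uint32_t burst;        /* bucket depth in packets */
    uint64_t millitokens;  /* tokens * 1000, avoids floating point */
    uint64_t last_ms;
};

/* Decide whether one packet matching the punt flow reaches the controller. */
static bool meter_admit(struct meter *m, uint64_t now_ms)
{
    if (!m->enabled) return true;   /* unmetered: every packet is handed up */
    uint64_t cap = (uint64_t) m->burst * 1000;
    m->millitokens += (now_ms - m->last_ms) * m->rate_pps;  /* ms * pps */
    if (m->millitokens > cap) m->millitokens = cap;
    m->last_ms = now_ms;
    if (m->millitokens < 1000) return false;   /* dropped in the datapath */
    m->millitokens -= 1000;
    return true;
}

/* Packets reaching the controller thread when offered_pps evenly spaced
 * packets per second hit the flow for `seconds` seconds. */
static uint64_t punted(struct meter m, uint32_t offered_pps, uint32_t seconds)
{
    uint64_t total = (uint64_t) offered_pps * seconds, admitted = 0;
    m.millitokens = (uint64_t) m.burst * 1000;   /* bucket starts full */
    m.last_ms = 0;
    for (uint64_t i = 0; i < total; i++) {
        admitted += meter_admit(&m, i * 1000 / offered_pps);
    }
    return admitted;
}

int main(void)
{
    struct meter none = { .enabled = false };
    struct meter copp = { .enabled = true, .rate_pps = 100, .burst = 20 };
    printf("no meter: %llu\n", (unsigned long long) punted(none, 10000, 5));
    printf("metered:  %llu\n", (unsigned long long) punted(copp, 10000, 5));
    return 0;
}
```

With a meter, the controller's load is bounded by burst plus rate times duration regardless of the offered rate, while traffic below the configured rate passes untouched.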

Comment 1 Anten Skrabec 2023-06-07 18:04:22 UTC
Created ovn tracking bugs for this issue:

Affects: fedora-all [bug 2213285]

Comment 5 Salvatore Bonaccorso 2023-06-13 20:50:37 UTC
Is there any further public information on this issue? Is it reported upstream at https://github.com/ovn-org/ovn and/or does an upstream fix exist?

I'm trying to get more information on CVE-2023-3153 for our tracking downstream in Debian about it.

Comment 6 Anten Skrabec 2023-06-14 17:29:41 UTC
In reply to comment #5:
> Is there any further public information on this issue? Is it reported
> upstream at https://github.com/ovn-org/ovn and/or does an upstream fix
> exist?
> 
> I'm trying to get more information on CVE-2023-3153 for our tracking
> downstream in Debian about it.

Hey there, there isn't much more information at this time. I'll update this bug with more information as it becomes available.

Comment 7 Duraisankar P 2023-07-03 16:34:07 UTC
Hello team,

Is this issue a valid one? We could not see any bugs filed on https://github.com/ovn-org/ovn.

Can you update more information on this issue?

IMO, if there isn't much information at this time, we can proceed to report it to the OVN community and check whether it could be a possible threat.

Thanks
Duraisankar

Comment 8 Anten Skrabec 2023-07-03 17:48:43 UTC
In reply to comment #7:
> Hello team,
> 
> Is this issue a valid one? We could not see any bugs filed on
> https://github.com/ovn-org/ovn.
> 
> Can you update more information on this issue?
> 
> IMO, if there isn't much information at this time, we can proceed to report
> it to the OVN community and check whether it could be a possible threat.
> 
> Thanks
> Duraisankar

If they aren't already aware, feel free to notify them.

Comment 12 errata-xmlrpc 2023-10-31 14:02:03 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2023:5009 https://access.redhat.com/errata/RHSA-2023:5009

Comment 13 errata-xmlrpc 2023-11-08 11:05:13 UTC
This issue has been addressed in the following products:

  Ironic content for Red Hat OpenShift Container Platform 4.11
  Red Hat OpenShift Container Platform 4.11

Via RHSA-2023:6274 https://access.redhat.com/errata/RHSA-2023:6274

