Buffer overflow in the lldp_decode function in daemon/protocols/lldp.c in lldpd before 0.8.0 allows remote attackers to cause a denial of service (daemon crash) and possibly execute arbitrary code via vectors involving large management addresses and TLV boundaries.

References:
http://www.openwall.com/lists/oss-security/2015/10/16/2
http://www.openwall.com/lists/oss-security/2015/10/30/2

Upstream patch:
https://github.com/vincentbernat/lldpd/commit/dd4f16e7e816f2165fba76e3d162cd8d2978dcb2
Flaw summary: `addr_str_buffer`, a fixed-size stack buffer in `lldp_decode`, can be overflowed by the call `memcpy(value, pos, bytes)` that copies the management address out of the received frame, where `value` is `addr_str_buffer` and `bytes` is `addr_str_length`, a length read from the TLV itself. Nothing limits `addr_str_length` to the size of `addr_str_buffer`, so a remote device that advertises a management address longer than the buffer causes an out-of-bounds stack write and a daemon crash (denial of service). In principle such a write could be turned into code execution, but in Red Hat Enterprise Linux the openvswitch package (which carries a copy of the lldpd decoder) is built with `_FORTIFY_SOURCE` enabled, which replaces the oversized `memcpy` with the size-checked `__memcpy_chk` and aborts the process before the write happens[1].

1. https://access.redhat.com/blogs/766093/posts/3606481
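To make the flaw summary concrete, here is an added example, written for this page and not lldpd's or openvswitch's own code, of a management-address TLV decoder in the vulnerable shape described above, beside the same decoder with the one missing bound. The 32-byte `ADDR_STR_BUFFER_SIZE`, `struct mgmt_addr`, the function names and the sample packet bytes are assumptions of the example; the TLV layout follows the IEEE 802.1AB management-address TLV but stops after the address field.

```c
/*
 * Added illustration (not lldpd's or openvswitch's code): decoding the start
 * of an LLDP management-address TLV (IEEE 802.1AB, TLV type 8), once in the
 * vulnerable shape the flaw summary describes and once with the bound check.
 *
 * Layout decoded here (the real TLV continues with interface numbering and
 * an OID, which are left out):
 *   [addr_str_length:1][addr_subtype:1][address:addr_str_length-1]
 *
 * ADDR_STR_BUFFER_SIZE, struct mgmt_addr and the function names are
 * assumptions for this example.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ADDR_STR_BUFFER_SIZE 32           /* assumed size of addr_str_buffer */

struct mgmt_addr {
    uint8_t subtype;                      /* 1 = IPv4, 2 = IPv6, ... */
    uint8_t len;                          /* address length, subtype excluded */
    uint8_t addr[ADDR_STR_BUFFER_SIZE];
};

/* Shared tail: split the copied bytes into subtype + address. */
static int finish_mgmt_addr(const unsigned char *buf, size_t n, struct mgmt_addr *out)
{
    if (n < 1)                            /* need at least the subtype byte */
        return -1;
    out->subtype = buf[0];
    out->len = (uint8_t)(n - 1);
    memcpy(out->addr, buf + 1, n - 1);
    return 0;
}

/* Vulnerable shape: addr_str_length comes from the packet and is checked only
 * against the TLV boundary, never against sizeof(addr_str_buffer).  A TLV
 * whose first byte exceeds ADDR_STR_BUFFER_SIZE overflows the stack buffer.
 * Built with -O2 -D_FORTIFY_SOURCE=2 the memcpy becomes __memcpy_chk and the
 * process aborts instead of writing out of bounds (denial of service only). */
int decode_mgmt_addr_unchecked(const uint8_t *tlv, size_t tlv_len, struct mgmt_addr *out)
{
    unsigned char addr_str_buffer[ADDR_STR_BUFFER_SIZE];
    size_t addr_str_length;

    if (tlv_len < 1)
        return -1;
    addr_str_length = tlv[0];
    if (tlv_len < 1 + addr_str_length)    /* TLV-boundary check only */
        return -1;
    memcpy(addr_str_buffer, tlv + 1, addr_str_length);   /* overflow if > 32 */
    return finish_mgmt_addr(addr_str_buffer, addr_str_length, out);
}

/* Hardened shape: identical, plus the comparison against the buffer size.
 * An advertised length larger than the buffer is rejected before any copy. */
int decode_mgmt_addr_checked(const uint8_t *tlv, size_t tlv_len, struct mgmt_addr *out)
{
    unsigned char addr_str_buffer[ADDR_STR_BUFFER_SIZE];
    size_t addr_str_length;

    if (tlv_len < 1)
        return -1;
    addr_str_length = tlv[0];
    if (tlv_len < 1 + addr_str_length)
        return -1;                        /* truncated TLV */
    if (addr_str_length > sizeof(addr_str_buffer))
        return -2;                        /* too large management address */
    memcpy(addr_str_buffer, tlv + 1, addr_str_length);
    return finish_mgmt_addr(addr_str_buffer, addr_str_length, out);
}

/* Constructed input: build a well-formed TLV body for one address.
 * Returns bytes written, or 0 if the address does not fit the wire format. */
size_t build_mgmt_addr_tlv(uint8_t subtype, const uint8_t *addr, uint8_t addr_len,
                           uint8_t *buf, size_t cap)
{
    size_t need = 2 + (size_t)addr_len;
    if (cap < need || addr_len > 254)     /* addr_str_length is a single byte */
        return 0;
    buf[0] = (uint8_t)(addr_len + 1);     /* length counts the subtype byte */
    buf[1] = subtype;
    memcpy(buf + 2, addr, addr_len);
    return need;
}

int main(void)
{
    uint8_t tlv[300];
    struct mgmt_addr m;
    const uint8_t ip[4] = {192, 0, 2, 1};             /* constructed sample address */
    size_t n = build_mgmt_addr_tlv(1, ip, 4, tlv, sizeof tlv);
    int rc = decode_mgmt_addr_checked(tlv, n, &m);

    printf("well-formed IPv4 TLV: rc=%d subtype=%u len=%u\n", rc, m.subtype, m.len);

    memset(tlv, 0xAA, sizeof tlv);
    tlv[0] = 0xFF;                                    /* advertises a 255-byte address */
    rc = decode_mgmt_addr_checked(tlv, 256, &m);
    printf("oversized TLV: rc=%d (the unchecked decoder would overflow here)\n", rc);
    return 0;
}
```

Build with `cc -O2 -o mgmt mgmt.c` and run; calling `decode_mgmt_addr_unchecked` on the oversized TLV instead is the crash (or, with `-D_FORTIFY_SOURCE=2`, the `__memcpy_chk` abort) that the Mitigation note below describes.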
The openvswitch2.13 package was first shipped in OCP in version 4.3; OCP 4.2 and earlier did not ship an openvswitch package. The rhosp-openvswitch package was shipped only in OCP 4.3, which is now out of support scope.
Created openvswitch tracking bugs for this issue:

Affects: fedora-all [bug 1899303]
Affects: openstack-rdo [bug 1899304]

Created rdo-openvswitch tracking bugs for this issue:

Affects: openstack-rdo [bug 1899305]
External References:
http://www.openwall.com/lists/oss-security/2015/10/16/2
http://www.openwall.com/lists/oss-security/2015/10/30/2
This issue has been addressed in the following products: Red Hat Virtualization 4 for Red Hat Enterprise Linux 8 Via RHSA-2020:5611 https://access.redhat.com/errata/RHSA-2020:5611
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2015-8011
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.6 Via RHSA-2020:5615 https://access.redhat.com/errata/RHSA-2020:5615
This issue has been addressed in the following products: Red Hat Virtualization 4 for Red Hat Enterprise Linux 7 Red Hat Virtualization Engine 4.3 Via RHSA-2021:0028 https://access.redhat.com/errata/RHSA-2021:0028
Mitigation: When the lldpd source (or the copy embedded in openvswitch) is compiled with source fortification enabled (`-O2 -D_FORTIFY_SOURCE=2`), the oversized `memcpy` into the fixed-size `addr_str_buffer` is replaced by a size-checked variant that aborts the process as soon as the copy would exceed the buffer. The out-of-bounds write never lands, so the flaw is reduced to a daemon crash (denial of service) rather than code execution. To confirm that a built binary carries the protection, check that its dynamic symbols reference the fortified `*_chk` entry points (for example `readelf --dyn-syms <binary> | grep _chk`); a binary with no such references was most likely built without the flag or without the optimisation level that fortification requires.
Statement: The lldpd package shipped with Red Hat Enterprise Linux 8 is not affected by this flaw: the flaw affects lldpd versions before 0.8.0, and the shipped version is 1.0.1 or later, which already contains the upstream fix. In addition, the Red Hat Virtualization 4.3 manager appliance is out of support scope and therefore no fix for it will be delivered.
This issue has been addressed in the following products: Red Hat OpenStack Platform 13.0 (Queens) Via RHSA-2021:0931 https://access.redhat.com/errata/RHSA-2021:0931
This issue has been addressed in the following products: Red Hat Virtualization 4 for Red Hat Enterprise Linux 8 Via RHSA-2021:0988 https://access.redhat.com/errata/RHSA-2021:0988
This issue has been addressed in the following products: Fast Datapath for Red Hat Enterprise Linux 7 Via RHSA-2021:2077 https://access.redhat.com/errata/RHSA-2021:2077
This issue has been addressed in the following products: Red Hat OpenStack Platform 10.0 (Newton) Via RHSA-2021:2205 https://access.redhat.com/errata/RHSA-2021:2205