Bug 2137666 (CVE-2023-1668) - CVE-2023-1668 openvswitch: ip proto 0 triggers incorrect handling
Summary: CVE-2023-1668 openvswitch: ip proto 0 triggers incorrect handling
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2023-1668
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2169004 2169005 2182822 2182823 2182824 2182825 2182826 2182827 2182828 2182829 2182830 2182831 2182832 2182833 2182834 2186245 2186246 2186247 2188027 2210714
Blocks: 2135070
TreeView+ depends on / blocked
 
Reported: 2022-10-25 18:55 UTC by Anten Skrabec
Modified: 2024-04-20 17:04 UTC (History)
35 users (show)

Fixed In Version: ovs 3.1.1, ovs 3.0.4, ovs 2.17.6, ovs 2.16.7, ovs 2.15.8, ovs 2.14.9, ovs 2.13.11
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in openvswitch (OVS). When processing an IP packet with protocol 0, OVS will install the datapath flow without the action modifying the IP header. This issue results (for both kernel and userspace datapath) in installing a datapath flow matching all IP protocols (nw_proto is wildcarded) for this flow, but with an incorrect action, possibly causing incorrect handling of other IP packets with a != 0 IP protocol that matches this dp flow.
Clone Of:
Environment:
Last Closed: 2023-04-18 19:36:52 UTC
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2023:1765 0 None None None 2023-04-13 09:04:56 UTC
Red Hat Product Errata RHSA-2023:1766 0 None None None 2023-04-13 09:04:36 UTC
Red Hat Product Errata RHSA-2023:1769 0 None None None 2023-04-13 09:04:49 UTC
Red Hat Product Errata RHSA-2023:1770 0 None None None 2023-04-13 09:05:21 UTC
Red Hat Product Errata RHSA-2023:1823 0 None None None 2023-04-18 14:07:27 UTC
Red Hat Product Errata RHSA-2023:1824 0 None None None 2023-04-18 14:07:31 UTC
Red Hat Product Errata RHSA-2023:3491 0 None None None 2023-06-06 14:11:50 UTC

Description Anten Skrabec 2022-10-25 18:55:24 UTC
When processing a IP packet with protocol 0, OVS will install datapath flow without action modifying ip header.

This results (for both kernel and userspace datapath) in installing a datapath flow matching all IP protocols (nw_proto is wilcarded) for this flow but with an incorrect action.
This may result in incorrect handling of other IP packets with a != 0 IP protocol that match this dp flow.
Such a mishandling might be triggered/exploited remotely.

Comment 2 Martin Perina 2023-03-29 07:31:12 UTC
Is openvswitch 2.15 on EL8 used by RHV 4.4 SP1 also affected?

Comment 6 Pedro Sampaio 2023-04-06 20:45:45 UTC
Public:

https://www.openwall.com/lists/oss-security/2023/04/06/1

Comment 8 Patrick Del Bello 2023-04-12 14:28:23 UTC
Created openvswitch tracking bugs for this issue:

Affects: fedora-all [bug 2186245]


Created ovn tracking bugs for this issue:

Affects: fedora-all [bug 2186246]


Created rdo-openvswitch tracking bugs for this issue:

Affects: openstack-rdo [bug 2186247]

Comment 9 errata-xmlrpc 2023-04-13 09:04:34 UTC
This issue has been addressed in the following products:

  Fast Datapath for Red Hat Enterprise Linux 8

Via RHSA-2023:1766 https://access.redhat.com/errata/RHSA-2023:1766

Comment 10 errata-xmlrpc 2023-04-13 09:04:47 UTC
This issue has been addressed in the following products:

  Fast Datapath for Red Hat Enterprise Linux 9

Via RHSA-2023:1769 https://access.redhat.com/errata/RHSA-2023:1769

Comment 11 errata-xmlrpc 2023-04-13 09:04:53 UTC
This issue has been addressed in the following products:

  Fast Datapath for Red Hat Enterprise Linux 8

Via RHSA-2023:1765 https://access.redhat.com/errata/RHSA-2023:1765

Comment 12 errata-xmlrpc 2023-04-13 09:05:19 UTC
This issue has been addressed in the following products:

  Fast Datapath for Red Hat Enterprise Linux 9

Via RHSA-2023:1770 https://access.redhat.com/errata/RHSA-2023:1770

Comment 15 errata-xmlrpc 2023-04-18 14:07:25 UTC
This issue has been addressed in the following products:

  Fast Datapath for Red Hat Enterprise Linux 8

Via RHSA-2023:1823 https://access.redhat.com/errata/RHSA-2023:1823

Comment 16 errata-xmlrpc 2023-04-18 14:07:26 UTC
This issue has been addressed in the following products:

  Fast Datapath for Red Hat Enterprise Linux 8

Via RHSA-2023:1824 https://access.redhat.com/errata/RHSA-2023:1824

Comment 17 Product Security DevOps Team 2023-04-18 19:36:49 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2023-1668

Comment 20 errata-xmlrpc 2023-06-06 14:11:47 UTC
This issue has been addressed in the following products:

  Red Hat Virtualization 4 for Red Hat Enterprise Linux 8

Via RHSA-2023:3491 https://access.redhat.com/errata/RHSA-2023:3491


Note You need to log in before you can comment on or make changes to this bug.