Bug 2137666 (CVE-2023-1668) - CVE-2023-1668 openvswitch: ip proto 0 triggers incorrect handling
Summary: CVE-2023-1668 openvswitch: ip proto 0 triggers incorrect handling
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2023-1668
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2169004 2169005 2182822 2182823 2182824 2182825 2182826 2182827 2182828 2182829 2182830 2182831 2182832 2182833 2182834 2186245 2186246 2186247 2188027 2210714
Blocks: 2135070
Reported: 2022-10-25 18:55 UTC by Anten Skrabec
Modified: 2024-04-20 17:04 UTC (History)

Fixed In Version: ovs 3.1.1, ovs 3.0.4, ovs 2.17.6, ovs 2.16.7, ovs 2.15.8, ovs 2.14.9, ovs 2.13.11
Clone Of:
Environment:
Last Closed: 2023-04-18 19:36:52 UTC
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2023:1765 0 None None None 2023-04-13 09:04:56 UTC
Red Hat Product Errata RHSA-2023:1766 0 None None None 2023-04-13 09:04:36 UTC
Red Hat Product Errata RHSA-2023:1769 0 None None None 2023-04-13 09:04:49 UTC
Red Hat Product Errata RHSA-2023:1770 0 None None None 2023-04-13 09:05:21 UTC
Red Hat Product Errata RHSA-2023:1823 0 None None None 2023-04-18 14:07:27 UTC
Red Hat Product Errata RHSA-2023:1824 0 None None None 2023-04-18 14:07:31 UTC
Red Hat Product Errata RHSA-2023:3491 0 None None None 2023-06-06 14:11:50 UTC

Description Anten Skrabec 2022-10-25 18:55:24 UTC
When processing an IP packet with protocol 0, OVS will install the datapath flow without the action modifying the IP header.

This results (for both kernel and userspace datapath) in installing a datapath flow matching all IP protocols (nw_proto is wildcarded) for this flow but with an incorrect action.
This may result in incorrect handling of other IP packets with a != 0 IP protocol that match this dp flow.
Such a mishandling might be triggered/exploited remotely.
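
The failure mode in the description, as a toy model added here for illustration (not Open vSwitch code and not part of the original report). The structures, the rule "rewrite IP header, then forward" and the `always_match_proto` switch are assumptions; the switch models a cache that always includes nw_proto in the match, which is an assumed shape for a fix rather than something this page states.

```c
/* Toy model of the flow-cache behaviour described above. Not Open vSwitch
 * code: every name, and the rule itself, is constructed for illustration. */
#include <stdbool.h>
#include <stdio.h>
struct pkt { unsigned dst; unsigned char proto; };
struct dp_flow {                /* one cached datapath flow */
    unsigned dst;
    bool match_proto;           /* false = nw_proto wildcarded */
    unsigned char proto;
    bool rewrite_hdr;           /* actions include the IP header rewrite */
};
static struct dp_flow cache[8];
static int n_flows;

/* Slow path for the constructed rule "rewrite IP header, then forward".
 * For proto 0 the rewrite is left out, as the report states. */
static const struct dp_flow *install(struct pkt p, bool always_match_proto)
{
    struct dp_flow f = { p.dst, always_match_proto, p.proto, p.proto != 0 };
    if (n_flows == 8) n_flows = 0;          /* full: flush (crude eviction) */
    cache[n_flows] = f;
    return &cache[n_flows++];
}

/* Fast path: true if the packet leaves with its header rewritten. */
static bool process(struct pkt p, bool always_match_proto)
{
    for (int i = 0; i < n_flows; i++) {
        const struct dp_flow *f = &cache[i];
        if (f->dst == p.dst && (!f->match_proto || f->proto == p.proto))
            return f->rewrite_hdr;          /* cache hit */
    }
    return install(p, always_match_proto)->rewrite_hdr;
}

/* A proto-0 packet first, then TCP (proto 6) to the same destination. */
static bool tcp_rewritten_after_proto0(bool always_match_proto)
{
    struct pkt p0 = { 0x0a000002, 0 }, tcp = { 0x0a000002, 6 };
    n_flows = 0;
    process(p0, always_match_proto);
    return process(tcp, always_match_proto);
}

int main(void)
{
    printf("nw_proto wildcarded: rewritten=%d\n", tcp_rewritten_after_proto0(false));
    printf("nw_proto matched:    rewritten=%d\n", tcp_rewritten_after_proto0(true));
    return 0;
}
```

With nw_proto wildcarded, the TCP packet hits the entry installed by the proto-0 packet and leaves without the rewrite; with nw_proto in the match it misses that entry and is translated on its own.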

Comment 2 Martin Perina 2023-03-29 07:31:12 UTC
Is openvswitch 2.15 on EL8 used by RHV 4.4 SP1 also affected?

Comment 6 Pedro Sampaio 2023-04-06 20:45:45 UTC
Public:

https://www.openwall.com/lists/oss-security/2023/04/06/1

Comment 8 Patrick Del Bello 2023-04-12 14:28:23 UTC
Created openvswitch tracking bugs for this issue:

Affects: fedora-all [bug 2186245]


Created ovn tracking bugs for this issue:

Affects: fedora-all [bug 2186246]


Created rdo-openvswitch tracking bugs for this issue:

Affects: openstack-rdo [bug 2186247]

Comment 9 errata-xmlrpc 2023-04-13 09:04:34 UTC
This issue has been addressed in the following products:

  Fast Datapath for Red Hat Enterprise Linux 8

Via RHSA-2023:1766 https://access.redhat.com/errata/RHSA-2023:1766

Comment 10 errata-xmlrpc 2023-04-13 09:04:47 UTC
This issue has been addressed in the following products:

  Fast Datapath for Red Hat Enterprise Linux 9

Via RHSA-2023:1769 https://access.redhat.com/errata/RHSA-2023:1769

Comment 11 errata-xmlrpc 2023-04-13 09:04:53 UTC
This issue has been addressed in the following products:

  Fast Datapath for Red Hat Enterprise Linux 8

Via RHSA-2023:1765 https://access.redhat.com/errata/RHSA-2023:1765

Comment 12 errata-xmlrpc 2023-04-13 09:05:19 UTC
This issue has been addressed in the following products:

  Fast Datapath for Red Hat Enterprise Linux 9

Via RHSA-2023:1770 https://access.redhat.com/errata/RHSA-2023:1770

Comment 15 errata-xmlrpc 2023-04-18 14:07:25 UTC
This issue has been addressed in the following products:

  Fast Datapath for Red Hat Enterprise Linux 8

Via RHSA-2023:1823 https://access.redhat.com/errata/RHSA-2023:1823

Comment 16 errata-xmlrpc 2023-04-18 14:07:26 UTC
This issue has been addressed in the following products:

  Fast Datapath for Red Hat Enterprise Linux 8

Via RHSA-2023:1824 https://access.redhat.com/errata/RHSA-2023:1824

Comment 17 Product Security DevOps Team 2023-04-18 19:36:49 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2023-1668

Comment 20 errata-xmlrpc 2023-06-06 14:11:47 UTC
This issue has been addressed in the following products:

  Red Hat Virtualization 4 for Red Hat Enterprise Linux 8

Via RHSA-2023:3491 https://access.redhat.com/errata/RHSA-2023:3491

