Bug 2137666 (CVE-2023-1668) - CVE-2023-1668 openvswitch: ip proto 0 triggers incorrect handling
Summary: CVE-2023-1668 openvswitch: ip proto 0 triggers incorrect handling
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2023-1668
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2169004 2169005 2182822 2182823 2182824 2182825 2182826 2182827 2182828 2182829 2182830 2182831 2182832 2182833 2182834 2186245 2186246 2186247 2188027 2210714
Blocks: 2135070
TreeView+ depends on / blocked
 
Reported: 2022-10-25 18:55 UTC by Anten Skrabec
Modified: 2024-04-20 17:04 UTC (History)
35 users (show)

Fixed In Version: ovs 3.1.1, ovs 3.0.4, ovs 2.17.6, ovs 2.16.7, ovs 2.15.8, ovs 2.14.9, ovs 2.13.11
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in openvswitch (OVS). When processing an IP packet with protocol 0, OVS will install the datapath flow without the action modifying the IP header. This issue results (for both kernel and userspace datapath) in installing a datapath flow matching all IP protocols (nw_proto is wildcarded) for this flow, but with an incorrect action, possibly causing incorrect handling of other IP packets with a != 0 IP protocol that matches this dp flow.
Clone Of:
Environment:
Last Closed: 2023-04-18 19:36:52 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2023:1765 0 None None None 2023-04-13 09:04:56 UTC
Red Hat Product Errata RHSA-2023:1766 0 None None None 2023-04-13 09:04:36 UTC
Red Hat Product Errata RHSA-2023:1769 0 None None None 2023-04-13 09:04:49 UTC
Red Hat Product Errata RHSA-2023:1770 0 None None None 2023-04-13 09:05:21 UTC
Red Hat Product Errata RHSA-2023:1823 0 None None None 2023-04-18 14:07:27 UTC
Red Hat Product Errata RHSA-2023:1824 0 None None None 2023-04-18 14:07:31 UTC
Red Hat Product Errata RHSA-2023:3491 0 None None None 2023-06-06 14:11:50 UTC

Description Anten Skrabec 2022-10-25 18:55:24 UTC 
When processing a IP packet with protocol 0, OVS will install datapath flow without action modifying ip header.

This results (for both kernel and userspace datapath) in installing a datapath flow matching all IP protocols (nw_proto is wilcarded) for this flow but with an incorrect action.
This may result in incorrect handling of other IP packets with a != 0 IP protocol that match this dp flow.
Such a mishandling might be triggered/exploited remotely.
Comment 2 Martin Perina 2023-03-29 07:31:12 UTC 
Is openvswitch 2.15 on EL8 used by RHV 4.4 SP1 also affected?
Comment 6 Pedro Sampaio 2023-04-06 20:45:45 UTC 
Public:

https://www.openwall.com/lists/oss-security/2023/04/06/1
Comment 8 Patrick Del Bello 2023-04-12 14:28:23 UTC 
Created openvswitch tracking bugs for this issue:

Affects: fedora-all [bug 2186245]


Created ovn tracking bugs for this issue:

Affects: fedora-all [bug 2186246]


Created rdo-openvswitch tracking bugs for this issue:

Affects: openstack-rdo [bug 2186247]
Comment 9 errata-xmlrpc 2023-04-13 09:04:34 UTC 
This issue has been addressed in the following products:

  Fast Datapath for Red Hat Enterprise Linux 8

Via RHSA-2023:1766 https://access.redhat.com/errata/RHSA-2023:1766
Comment 10 errata-xmlrpc 2023-04-13 09:04:47 UTC 
This issue has been addressed in the following products:

  Fast Datapath for Red Hat Enterprise Linux 9

Via RHSA-2023:1769 https://access.redhat.com/errata/RHSA-2023:1769
Comment 11 errata-xmlrpc 2023-04-13 09:04:53 UTC 
This issue has been addressed in the following products:

  Fast Datapath for Red Hat Enterprise Linux 8

Via RHSA-2023:1765 https://access.redhat.com/errata/RHSA-2023:1765
Comment 12 errata-xmlrpc 2023-04-13 09:05:19 UTC 
This issue has been addressed in the following products:

  Fast Datapath for Red Hat Enterprise Linux 9

Via RHSA-2023:1770 https://access.redhat.com/errata/RHSA-2023:1770
Comment 15 errata-xmlrpc 2023-04-18 14:07:25 UTC 
This issue has been addressed in the following products:

  Fast Datapath for Red Hat Enterprise Linux 8

Via RHSA-2023:1823 https://access.redhat.com/errata/RHSA-2023:1823
Comment 16 errata-xmlrpc 2023-04-18 14:07:26 UTC 
This issue has been addressed in the following products:

  Fast Datapath for Red Hat Enterprise Linux 8

Via RHSA-2023:1824 https://access.redhat.com/errata/RHSA-2023:1824
Comment 17 Product Security DevOps Team 2023-04-18 19:36:49 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2023-1668
Comment 20 errata-xmlrpc 2023-06-06 14:11:47 UTC 
This issue has been addressed in the following products:

  Red Hat Virtualization 4 for Red Hat Enterprise Linux 8

Via RHSA-2023:3491 https://access.redhat.com/errata/RHSA-2023:3491
Note You need to log in before you can comment on or make changes to this bug.