On 12/20/22 22:39, Ilya Maximets wrote: > Description > =========== > > Multiple versions of Open vSwitch are vulnerable to crafted LLDP > packets causing denial of service, and data underflow attacks. > Triggering the vulnerabilities requires LLDP processing to be enabled > for a specific port. Open vSwitch versions prior to 2.4.0 are not > vulnerable. > > The Common Vulnerabilities and Exposures project (cve.mitre.org) > did not assign the identifier to this issue yet. The identifier will > be communicated separately.
Following CVE identifiers have been allocated for the issue (one per TLV type since they can have a slightly different effect): - CVE-2022-4337 for Out-of-Bounds Read in Organization Specific TLV - CVE-2022-4338 for Integer Underflow in Organization Specific TLV The fix referenced in this advisory covers both issues. > This issue does not affect the `lldpd' > project, although they share a code base. The issue is related to > parsing the Auto Attach TLVs, which is specific to the Open vSwitch > implementation. > > > Mitigation > ========== > > For any version of Open vSwitch, preventing LLDP packets from reaching > Open vSwitch mitigates the vulnerability. We do not recommend > attempting to mitigate the vulnerability this way because of the > following difficulties: > > - Open vSwitch obtains packets before the iptables host firewall, > so ebtables on the Open vSwitch host cannot ordinarily block the > vulnerability. > > - If Open vSwitch is configured to receive and transmit LLDP > messages, the required functionality will need to be disabled > potentially disrupting the network. > > We have found that Open vSwitch is subject to a denial of service, and > possibly a remote code execution exploit when LLDP processing is enabled > on an interface. By default, interfaces are not configured to process > LLDP messages. > > > Fix > === > > Patches to fix these vulnerabilities in Open vSwitch 2.13.x and newer are > applied to the appropriate branches, and the original patch is located > at: > > https://mail.openvswitch.org/pipermail/ovs-dev/2022-December/400596.html > > Recommendation > ============== > > We recommend that users of Open vSwitch apply the respective patch, or > upgrade to a known patched version of Open vSwitch. These include: > > * 3.0.3 > * 2.17.5 > * 2.16.6 > * 2.15.7 > * 2.14.8 > * 2.13.10 > > > Acknowledgments > =============== > > The Open vSwitch team wishes to thank the reporter: > > Qian Chen <[email protected]> >
OpenPGP_0xB9F7EC77C829BF96.asc
Description: OpenPGP public key
OpenPGP_signature
Description: OpenPGP digital signature
_______________________________________________ discuss mailing list [email protected] https://mail.openvswitch.org/mailman/listinfo/ovs-discuss
