[ovs-dev] Bug#863655: openvswitch: CVE-2017-9263
Hi Ben,

On Mon, May 29, 2017 at 01:35:58PM -0700, Ben Pfaff wrote:
> notfound 863655 2.3.0+git20140819-1
> found 863655 2.6.2~pre+git20161223-3
> severity 863655 normal
> thanks
>
> On Mon, May 29, 2017 at 09:44:13PM +0200, Salvatore Bonaccorso wrote:
> > Source: openvswitch
> > Version: 2.3.0+git20140819-1
> > Severity: important
> > Tags: security upstream patch
> >
> > Hi,
> >
> > the following vulnerability was published for openvswitch.
> >
> > CVE-2017-9263[0]:
> > | In Open vSwitch (OvS) 2.7.0, while parsing an OpenFlow role status
> > | message, there is a call to the abort() function for undefined role
> > | status reasons in the function `ofp_print_role_status_message` in
> > | `lib/ofp-print.c` that may be leveraged toward a remote DoS attack by a
> > | malicious switch.
>
> This doesn't really make sense. For a "malicious switch" to leverage
> this as a remote DoS, the controller that it talks to has to be
> implemented using the OVS code in question. OVS 2.3 as packaged for
> Debian doesn't include a controller,
>
> Open vSwitch 2.6.2 includes two controllers. The first one,
> ovs-testcontroller, is not vulnerable to this in the default
> configuration, because it does not print such messages even if it
> receives them, unless it is specially configured to do so. The second
> one, ovn-controller, only talks to Open vSwitch directly, not to
> arbitrary switches, and only over a trusted Unix domain socket anyway.
> In any case, if either of these crashes due to this bug, they
> automatically restart themselves.

Thanks for your reply (much appreciated) and this analysis! I adjusted
the security-tracker information.

> So, while it is a good idea to fix this, it's not high severity.

Yes, might be ok indeed.

Regards,
Salvatore

___
dev mailing list
d...@openvswitch.org
https://mail.openvswitch.org/mailman/listinfo/ovs-dev
[ovs-dev] Bug#863661: openvswitch: CVE-2017-9264
Hi,

On Mon, May 29, 2017 at 04:35:30PM -0700, Ben Pfaff wrote:
> severity 863661 normal
> thanks
>
> On Mon, May 29, 2017 at 10:14:49PM +0200, Salvatore Bonaccorso wrote:
> > Source: openvswitch
> > Version: 2.6.2~pre+git20161223-3
> > Severity: important
> > Tags: patch upstream security
> >
> > Hi,
> >
> > the following vulnerability was published for openvswitch.
> >
> > CVE-2017-9264[0]:
> > | In lib/conntrack.c in the firewall implementation in Open vSwitch (OvS)
> > | 2.6.1, there is a buffer over-read while parsing malformed TCP, UDP,
> > | and IPv6 packets in the functions `extract_l3_ipv6`, `extract_l4_tcp`,
> > | and `extract_l4_udp` that can be triggered remotely.
> >
> > If you fix the vulnerability please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> This only affects the userspace datapath, most often used in the context
> of DPDK, which isn't enabled in the Debian packaging. In addition, the
> fact that it's a buffer overread (which makes it difficult to use to
> crash OVS or change its behavior) and the fact that end-to-end TCP
> checksum verification would catch it leads me to believe that this is
> only "normal" severity, so I'm updating it (with this email).

Thanks for the analysis. In this case I think normal is ok.

Regards,
Salvatore
[ovs-dev] Bug#863662: openvswitch: CVE-2017-9265
Source: openvswitch
Version: 2.6.2~pre+git20161223-3
Severity: normal
Tags: upstream patch security

Hi,

the following vulnerability was published for openvswitch.

CVE-2017-9265[0]:
| In Open vSwitch (OvS) v2.7.0, there is a buffer over-read while parsing
| the group mod OpenFlow message sent from the controller in
| `lib/ofp-util.c` in the function `ofputil_pull_ofp15_group_mod`.

This should only be in the OpenFlow 1.5+ support; not sure the message
mentions this is not enabled by default. Affected source is at least
there.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-9265
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9265
[1] https://mail.openvswitch.org/pipermail/ovs-dev/2017-May/332965.html

Regards,
Salvatore
[ovs-dev] Bug#863661: openvswitch: CVE-2017-9264
Source: openvswitch
Version: 2.6.2~pre+git20161223-3
Severity: important
Tags: patch upstream security

Hi,

the following vulnerability was published for openvswitch.

CVE-2017-9264[0]:
| In lib/conntrack.c in the firewall implementation in Open vSwitch (OvS)
| 2.6.1, there is a buffer over-read while parsing malformed TCP, UDP,
| and IPv6 packets in the functions `extract_l3_ipv6`, `extract_l4_tcp`,
| and `extract_l4_udp` that can be triggered remotely.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-9264
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9264
[1] https://mail.openvswitch.org/pipermail/ovs-dev/2017-March/329323.html

Regards,
Salvatore
[ovs-dev] Bug#863228: openvswitch: CVE-2017-9214
Package: openvswitch
Version: 2.6.2~pre+git20161223-3
Severity: important
Tags: patch upstream security

Hi,

the following vulnerability was published for openvswitch.

CVE-2017-9214[0]:
| In Open vSwitch (OvS) 2.7.0, while parsing an
| OFPT_QUEUE_GET_CONFIG_REPLY type OFP 1.0 message, there is a buffer
| over-read that is caused by an unsigned integer underflow in the
| function `ofputil_pull_queue_get_config_reply10` in `lib/ofp-util.c`.

The code around the ofputil_pull_queue_get_config_reply* functions has
changed quite a bit since the version in stable, so I'm unsure if the
issue is there as well. Needs confirmation since similar checks are done.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0]
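The bug class behind CVE-2017-9214 above (a length field smaller than its own header, subtracted unsigned, so the remaining-bytes count wraps to a huge value and the parser reads past the message) is easy to reproduce outside OVS. The following is an added example written for this page, not Open vSwitch code and not the patch referenced in the bug: a minimal parser for the queue array that follows the fixed header of an OpenFlow 1.0 OFPT_QUEUE_GET_CONFIG_REPLY. The struct sizes and the OFPQT_MIN_RATE property code follow the OpenFlow 1.0 specification; the function names (`props_len_unchecked`, `parse_queues`) and both sample messages are constructed for this example.

```c
/*
 * Added example, not Open vSwitch code: a minimal parser for the queue
 * array in an OpenFlow 1.0 OFPT_QUEUE_GET_CONFIG_REPLY, written to show
 * the unsigned-underflow pattern named in CVE-2017-9214. Struct sizes and
 * property codes follow the OpenFlow 1.0 spec; every function name and the
 * sample messages are constructed for this example.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define OFP10_PACKET_QUEUE_LEN        8  /* ofp_packet_queue: queue_id(4) len(2) pad(2) */
#define OFP10_QUEUE_PROP_HDR_LEN      8  /* ofp_queue_prop_header: property(2) len(2) pad(4) */
#define OFP10_QUEUE_PROP_MIN_RATE_LEN 16 /* header + rate(2) + pad(6) */
#define OFPQT_MIN_RATE                1

enum parse_status { PARSE_OK = 0, PARSE_TRUNCATED = -1, PARSE_BAD_LEN = -2 };

struct queue_summary {
    uint32_t queue_id;
    unsigned n_props;
    uint32_t min_rate;  /* tenths of a percent; UINT32_MAX when no OFPQT_MIN_RATE */
};

static uint16_t get_be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t get_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* The unchecked computation: how many property bytes a parser believes it may
 * walk if it trusts ofp_packet_queue.len without first checking len >= 8.
 * uint16_t len promotes to int, 4 - 8 is -4, and converting that to size_t
 * wraps to SIZE_MAX - 3: a property loop bounded by it reads far past the
 * buffer. Only the count is computed here; nothing is dereferenced. */
size_t props_len_unchecked(const uint8_t *queue)
{
    uint16_t len = get_be16(queue + 4);
    return (size_t)(len - OFP10_PACKET_QUEUE_LEN);
}

/* Hardened: every length field is checked against both its own header size
 * (prevents the underflow) and the bytes actually remaining (prevents the
 * over-read) before it is used. */
int parse_queues(const uint8_t *buf, size_t left,
                 struct queue_summary *out, size_t max_out, size_t *n_out)
{
    *n_out = 0;
    while (left > 0) {
        if (left < OFP10_PACKET_QUEUE_LEN) return PARSE_TRUNCATED;
        uint16_t len = get_be16(buf + 4);
        if (len < OFP10_PACKET_QUEUE_LEN || len > left) return PARSE_BAD_LEN;
        if (*n_out == max_out) return PARSE_BAD_LEN;

        struct queue_summary *q = &out[(*n_out)++];
        q->queue_id = get_be32(buf);
        q->n_props = 0;
        q->min_rate = UINT32_MAX;

        const uint8_t *p = buf + OFP10_PACKET_QUEUE_LEN;
        size_t props_left = len - OFP10_PACKET_QUEUE_LEN;  /* cannot wrap: len >= 8 */
        while (props_left > 0) {
            if (props_left < OFP10_QUEUE_PROP_HDR_LEN) return PARSE_BAD_LEN;
            uint16_t prop = get_be16(p), plen = get_be16(p + 2);
            if (plen < OFP10_QUEUE_PROP_HDR_LEN || plen > props_left) return PARSE_BAD_LEN;
            if (prop == OFPQT_MIN_RATE) {
                if (plen < OFP10_QUEUE_PROP_MIN_RATE_LEN) return PARSE_BAD_LEN;
                q->min_rate = get_be16(p + OFP10_QUEUE_PROP_HDR_LEN);
            }
            q->n_props++;
            p += plen;
            props_left -= plen;
        }
        buf += len;
        left -= len;
    }
    return PARSE_OK;
}

/* Constructed sample: two queues, the first with a 50.0% min-rate property. */
const uint8_t sample_good[] = {
    0x00,0x00,0x00,0x01, 0x00,0x18, 0x00,0x00,         /* queue 1, len 24 */
    0x00,0x01, 0x00,0x10, 0x00,0x00,0x00,0x00,         /* OFPQT_MIN_RATE, len 16 */
    0x01,0xf4, 0x00,0x00,0x00,0x00,0x00,0x00,          /* rate 500, pad */
    0x00,0x00,0x00,0x02, 0x00,0x08, 0x00,0x00,         /* queue 2, len 8, no props */
};
/* Constructed malformed sample: queue len 4, smaller than its own 8-byte header. */
const uint8_t sample_bad[] = { 0x00,0x00,0x00,0x07, 0x00,0x04, 0x00,0x00 };

int main(void)
{
    struct queue_summary q[4];
    size_t n;
    int rc = parse_queues(sample_good, sizeof sample_good, q, 4, &n);
    printf("good: rc=%d queues=%zu queue0 min_rate=%u\n", rc, n, (unsigned)q[0].min_rate);
    rc = parse_queues(sample_bad, sizeof sample_bad, q, 4, &n);
    printf("bad: rc=%d (unchecked parser would walk %zu property bytes)\n",
           rc, props_len_unchecked(sample_bad));
    return 0;
}
```

The two checks on `len` are the whole fix: `len >= 8` keeps the subtraction from wrapping, and `len <= left` keeps the walk inside the received message. The same pair of checks applies to every nested length field, which is why the property loop repeats them for `plen`.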