[Debian] CVE: CVE-2022-4337 / CVE-2022-4338: openvswitch: multiple CVEs

Bug #2006409 reported by Yue Tao
Affects: StarlingX
Status: Fix Released
Importance: High
Assigned to: Yue Tao

Bug Description

CVE-2022-4337: https://nvd.nist.gov/vuln/detail/CVE-2022-4337

An out-of-bounds read in Organization Specific TLV was found in various versions of OpenvSwitch.

CVE-2022-4338: https://nvd.nist.gov/vuln/detail/CVE-2022-4338

An integer underflow in Organization Specific TLV was found in various versions of OpenvSwitch.

Score (CVSS v3):

CVE            Status  CVSS3  AV  AC  PR  UI  A
CVE-2022-4337  fixed   9.8    N   L   N   N   H
CVE-2022-4338  fixed   8.8    N   L   N   N   H

(AV = attack vector: N = network; AC = attack complexity: L = low; PR = privileges required: N = none; UI = user interaction: N = none; A = availability impact: H = high.)

References:
https://security-tracker.debian.org/tracker/CVE-2022-4338

https://security-tracker.debian.org/tracker/CVE-2022-4337

openvswitch is a source package in StarlingX, so the source patches need to be backported.
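Both CVEs sit in the handling of the LLDP Organization Specific TLV (type 127), whose body starts with a 3-byte OUI and a 1-byte subtype before any organization-defined data, and which any peer on the link can send unsolicited (hence the network vector with no privileges in the scores above). The following C program is an added example, not code from Open vSwitch or from the StarlingX fix: it walks a constructed LLDPDU and shows the bounds check this class of bug requires, namely refusing any type-127 TLV shorter than its 4-byte OUI+subtype header before that header is subtracted from the TLV length. The frame bytes, struct and function names are constructed for illustration; the exact code path patched in openvswitch 2.15.0+ds1-2+deb11u2 is not reproduced here.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* IEEE 802.1AB TLV header: 7-bit type, 9-bit length. */
#define LLDP_TLV_END      0
#define LLDP_TLV_ORG      127
#define LLDP_ORG_HDR_LEN  4     /* 3-byte OUI + 1-byte subtype */

/* Decoded Organization Specific TLV (illustrative struct, not OVS's). */
struct org_tlv {
    uint8_t        oui[3];
    uint8_t        subtype;
    const uint8_t *info;      /* organization-defined bytes inside the frame */
    size_t         info_len;
};

/* Unchecked length arithmetic of the kind this bug class is about: for
 * tlv_len < 4 the subtraction wraps to a huge size_t (integer underflow),
 * and any read bounded by that value runs past the TLV (out-of-bounds read). */
size_t org_info_len_unchecked(size_t tlv_len)
{
    return tlv_len - LLDP_ORG_HDR_LEN;
}

/* Hardened walk over an LLDPDU. Returns the number of Organization Specific
 * TLVs seen (at most max_out are stored in out), or -1 if any TLV is
 * malformed: a TLV longer than the bytes remaining, a type-127 TLV shorter
 * than its fixed header, or a frame with no End of LLDPDU TLV. */
int parse_lldp(const uint8_t *frame, size_t len, struct org_tlv *out, size_t max_out)
{
    size_t off = 0;
    int n = 0;

    while (off + 2 <= len) {
        uint16_t hdr = (uint16_t)((frame[off] << 8) | frame[off + 1]);
        uint8_t type = (uint8_t)(hdr >> 9);
        size_t tlv_len = hdr & 0x1ff;
        off += 2;

        if (tlv_len > len - off) {
            return -1;                       /* TLV claims bytes the frame does not have */
        }
        if (type == LLDP_TLV_END) {
            return n;
        }
        if (type == LLDP_TLV_ORG) {
            /* The check that matters: validate the fixed header before
             * subtracting it, so tlv_len - 4 cannot wrap and the OUI and
             * subtype reads stay inside the TLV. */
            if (tlv_len < LLDP_ORG_HDR_LEN) {
                return -1;
            }
            if ((size_t)n < max_out) {
                memcpy(out[n].oui, frame + off, 3);
                out[n].subtype  = frame[off + 3];
                out[n].info     = frame + off + LLDP_ORG_HDR_LEN;
                out[n].info_len = tlv_len - LLDP_ORG_HDR_LEN;
            }
            n++;
        }
        off += tlv_len;
    }
    return -1;                               /* ran off the end without an End TLV */
}

/* Constructed frames for the demo (not captured traffic). */
static const uint8_t GOOD_FRAME[] = {
    0x02, 0x07, 0x04, 0x00, 0x11, 0x22, 0x33, 0x44, 0x55,   /* Chassis ID, subtype 4 (MAC) */
    0x04, 0x07, 0x03, 0x00, 0x11, 0x22, 0x33, 0x44, 0x66,   /* Port ID, subtype 3 (MAC) */
    0x06, 0x02, 0x00, 0x78,                                 /* TTL = 120 s */
    0xFE, 0x06, 0x00, 0x80, 0xC2, 0x01, 0x00, 0x01,         /* Org TLV: OUI 00-80-C2, subtype 1, 2 info bytes */
    0x00, 0x00                                              /* End of LLDPDU */
};
static const uint8_t SHORT_ORG_FRAME[] = {
    0x02, 0x07, 0x04, 0x00, 0x11, 0x22, 0x33, 0x44, 0x55,
    0xFE, 0x02, 0x00, 0x80,                                 /* Org TLV of length 2: no room for OUI + subtype */
    0x00, 0x00
};
static const uint8_t TRUNCATED_FRAME[] = {
    0xFE, 0x0A, 0x00, 0x80, 0xC2, 0x01                      /* Org TLV declares 10 bytes, only 4 follow */
};

/* Helpers that return results rather than print them. */
int org_tlv_count(const uint8_t *frame, size_t len)
{
    struct org_tlv tmp[8];
    return parse_lldp(frame, len, tmp, 8);
}

int first_org_subtype(const uint8_t *frame, size_t len)
{
    struct org_tlv tmp[8];
    int n = parse_lldp(frame, len, tmp, 8);
    return n > 0 ? tmp[0].subtype : -1;
}

int main(void)
{
    printf("good frame:      %d org TLV(s), first subtype %d\n",
           org_tlv_count(GOOD_FRAME, sizeof GOOD_FRAME),
           first_org_subtype(GOOD_FRAME, sizeof GOOD_FRAME));
    printf("short org TLV:   %d (rejected)\n", org_tlv_count(SHORT_ORG_FRAME, sizeof SHORT_ORG_FRAME));
    printf("truncated frame: %d (rejected)\n", org_tlv_count(TRUNCATED_FRAME, sizeof TRUNCATED_FRAME));
    printf("unchecked len for a 2-byte org TLV: %zu\n", org_info_len_unchecked(2));
    return 0;
}
```

Build with `cc -Wall -o lldp_demo lldp_demo.c` and run it: the well-formed frame yields one decoded TLV, the two malformed frames are rejected before any byte past the header is touched, and the last line shows the wrapped length that an unchecked subtraction would have handed to the reader.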


Yue Tao (wrytao)
information type: Public → Public Security
tags: added: stx.8.0 stx.security
Changed in starlingx:
importance: Undecided → High
Yue Tao (wrytao)
Changed in starlingx:
assignee: nobody → Yue Tao (wrytao)
status: New → Triaged
OpenStack Infra (hudson-openstack) wrote : Fix proposed to integ (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/starlingx/integ/+/873054

Changed in starlingx:
status: Triaged → In Progress
Ghada Khalil (gkhalil) wrote :

screening: moving to stx.9.0 as current commitment is to only fix CVEs in the stx main branch. The r/stx.8.0 branch has already been created.

tags: added: stx.9.0
removed: stx.8.0
OpenStack Infra (hudson-openstack) wrote : Fix merged to integ (master)

Reviewed: https://review.opendev.org/c/starlingx/integ/+/873054
Committed: https://opendev.org/starlingx/integ/commit/64855caf1d3d9835a04bf97cedf13dd1e64c7515
Submitter: "Zuul (22348)"
Branch: master

commit 64855caf1d3d9835a04bf97cedf13dd1e64c7515
Author: Yue Tao <email address hidden>
Date: Wed Feb 8 11:20:56 2023 +0800

    Debian: openvswitch fix CVE-2022-4337 / CVE-2022-4338

    Upgrade openvswitch to 2.15.0+ds1-2+deb11u2

    Refer to:
    https://security-tracker.debian.org/tracker/DSA-5319-1

    Test Plan:

    Pass: build
    Pass: boot
    Pass: $ dpkg -l | grep openvswitch

    ii openvswitch-common 2.15.0+ds1-2+deb11u2.stx.4 amd64
    ii openvswitch-switch 2.15.0+ds1-2+deb11u2.stx.4 amd64
    ii openvswitch-switch-dpdk 2.15.0+ds1-2+deb11u2.stx.4 amd64

    Closes-Bug: 2006409

    Signed-off-by: Yue Tao <email address hidden>
    Change-Id: I2f0ad32d92e357cde0b18a0d333fafdc2b5592a7

Changed in starlingx:
status: In Progress → Fix Released