Insufficient validation of incoming BFD packets.

Bug #2053113 reported by Frode Nordahl
Affects                Status          Importance   Assigned to   Milestone
Ubuntu Cloud Archive   Fix Released    Undecided    Unassigned
  Antelope             Fix Committed   High         Unassigned
  Ovn-22.03            Fix Committed   High         Unassigned
  Zed                  Fix Committed   High         Unassigned
ovn (Ubuntu)           Fix Released    High         Unassigned

Bug Description

As part of implementing an overlay network, OVN configures tunnel ports in Open vSwitch (OVS). To monitor the health of the tunnel and remote hypervisor the OVS Bidirectional Forwarding Detection (BFD) functionality is enabled by setting `enable` to 'true' in the `bfd` column.

In addition to monitoring the health of the tunnel, the tunnel BFD status is used to make forwarding decisions that may impact multiple nodes and users of a cluster.

The BFD packets are transmitted in-band in the tunnel, along with other traffic, and in its default configuration, OVS will consider any BFD packet with TTL 255 received on the tunnel as originating from the privileged peer on the other side of the tunnel.

Traffic from unprivileged users connected to a VIF is also transmitted in these tunnels, and it is trivial for an end user of a system using OVS/OVN to transmit BFD packets from a container or virtual machine that will be tunneled through the system with TTL 255.

Fortunately, traffic originating from or destined to a VIF is labeled with a VNI aka. tunnel key. There exists an OVS BFD option called `check_tnl_key`, which makes OVS only consider BFD packets that have a tunnel key of zero.

Setting the `check_tnl_key` option to 'true' mitigates the issue, because the OVN pipeline design ensures only the OVS generated BFD packets would have a tunnel key of zero.

The options on the tunnel ports are however managed by OVN, and any attempt at manually setting them will immediately be reverted; consequently this becomes a security issue in OVN.
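Because OVN overwrites the tunnel port options, the useful check on a hypervisor is not to set `check_tnl_key` by hand but to find out whether the OVN in use already sets it. The script below is an added example (not code from the bug report or the OVN project) that audits the `bfd` column of OVS tunnel interfaces; it assumes the record layout of `ovs-vsctl --columns=name,type,bfd list Interface`, and the sample records are constructed.

```shell
#!/bin/sh
# Added example: report OVS tunnel interfaces that have BFD enabled but do
# not carry check_tnl_key="true". The input format is assumed to match
#   ovs-vsctl --columns=name,type,bfd list Interface
# (one "key : value" line per column, records separated by a blank line).

# Constructed sample output: two hypervisor tunnels without the option, one
# with it, and the non-tunnel integration bridge port.
SAMPLE='name                : ovn-hv2-0
type                : geneve
bfd                 : {enable="true", min_rx="2000"}

name                : ovn-hv3-0
type                : geneve
bfd                 : {check_tnl_key="true", enable="true", min_rx="2000"}

name                : br-int
type                : internal
bfd                 : {}

name                : ovn-hv4-0
type                : vxlan
bfd                 : {check_tnl_key="false", enable="true"}
'

# Prints "<name> <type>" for every tunnel interface (geneve, vxlan, gre, stt)
# whose bfd map has enable="true" but not check_tnl_key="true".
audit_bfd() {
    printf '%s\n' "$1" | awk '
        function flush() {
            if (type == "geneve" || type == "vxlan" || type == "gre" || type == "stt") {
                if (bfd ~ /enable="true"/ && bfd !~ /check_tnl_key="true"/)
                    print name, type
            }
            name = ""; type = ""; bfd = ""
        }
        /^name[ \t]*:/ { name = $3 }
        /^type[ \t]*:/ { type = $3 }
        /^bfd[ \t]*:/  { sub(/^bfd[ \t]*:[ \t]*/, ""); bfd = $0 }
        /^$/           { flush() }
        END            { flush() }
    '
}

audit_bfd "$SAMPLE"
```

On a real host, pipe the `ovs-vsctl` output into `audit_bfd` instead of `$SAMPLE`; a non-empty listing means the running OVN does not set the option, and since OVN reverts manual changes, the remedy is the patched OVN package rather than `ovs-vsctl set`.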

Seth Arnold (seth-arnold) wrote :

Thanks for the bug, please keep us updated on the progress.

Frode Nordahl (fnordahl)
description: updated
summary: - Potential DoS vulnerability transmitting BFD packets from VIF
+ DoS vulnerability transmitting BFD packets from VIF
Seth Arnold (seth-arnold) wrote : Re: DoS vulnerability transmitting BFD packets from VIF

I notice that the patch modifies some tests:

- test "$bfd_cfg" = "enable=true min_rx=2000"
+ test "$bfd_cfg" = "check_tnl_key=true enable=true min_rx=2000"
- test "$bfd_cfg" = "enable=true min_rx=2000 min_tx=1500"
+ test "$bfd_cfg" = "check_tnl_key=true enable=true min_rx=2000 min_tx=1500"
- test "$bfd_cfg" = "enable=true min_tx=1500 mult=15"
+ test "$bfd_cfg" = "check_tnl_key=true enable=true min_tx=1500 mult=15"
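Review bot: these assertions compare the whole serialized Interface:bfd map verbatim, so check_tnl_key=true is only verified as a side effect of three unrelated option combinations; a test that later adds a fourth combination with its own expected string would pass without the option unless the author remembers to include it. A single explicit assertion that every tunnel Interface's bfd column contains check_tnl_key="true" would make the security property the thing under test, independent of the min_rx/min_tx/mult variations.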

If check_tnl_key=true is the default, these do not need to changed, right? Do we need to check the check_tnl_key=false configuration options? Would we want to make sure that in that case the routing control packets can be injected?

Thanks

Frode Nordahl (fnordahl) wrote :

There has been some discussion on whether it is necessary to make it configurable for end users of OVN, and consensus has arrived at that this is not the case. So the patch will be updated to have OVN always set this option on OVS tunnel ports. So a negative test will not be necessary.

The default for the `check_tnl_key` option in OVS will however remain 'false'. This is because it depends on the application consuming OVS and how it configures tunnel ports and designs OpenFlow pipelines whether the `check_tnl_key` option makes sense or not.

For OVN it does make sense because the OVN OpenFlow pipeline design will ensure end user traffic will always have a non-zero tunnel key.

For the test changes they are currently checking all the options OVN deploys into OVS verbatim, so even if OVN now will always set the `check_tnl_key=true` the tests need to include that in the test when confirming the contents of Interface:bfd.

Frode Nordahl (fnordahl)
summary: - DoS vulnerability transmitting BFD packets from VIF
+ insufficient validation of incoming BFD
Frode Nordahl (fnordahl)
summary: - insufficient validation of incoming BFD
+ Insufficient validation of incoming BFD packets.
Seth Arnold (seth-arnold) wrote :

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the CVE-2024-2182 identifier to this issue.

Seth Arnold (seth-arnold) wrote :

The communication from upstream to distros was:

Date: Tue, 5 Mar 2024 17:04:35 +0100
From: Dumitru Ceara <email address hidden>
To: <email address hidden>
CC: Ilya Maximets <email address hidden>, Frode Nordahl <email address hidden>, Mark Michelson <email address hidden>
Subject: [vs-plain] [ADVISORY] CVE-2024-2182: Open Virtual Network: Insufficient validation of incoming BFD packets.
X-Mailer: MIME-tools 5.501 (Entity 5.501)
Message-ID: <email address hidden>

Changed in ovn (Ubuntu):
assignee: nobody → Marc Deslauriers (mdeslaur)
James Page (james-page)
Changed in cloud-archive:
status: New → Invalid
Changed in ovn (Ubuntu):
assignee: Marc Deslauriers (mdeslaur) → nobody
James Page (james-page) wrote :

I've uploaded both UCA only updates to the staging area for the associated release series.

information type: Private Security → Public Security
Changed in ovn (Ubuntu):
status: Triaged → Fix Released
James Page (james-page) wrote : Please test proposed package

Hello Frode, or anyone else affected,

Accepted ovn into zed-proposed. The package will build now and be available in the Ubuntu Cloud Archive in a few hours, and then in the -proposed repository.

Please help us by testing this new package. To enable the -proposed repository:

  sudo add-apt-repository cloud-archive:zed-proposed
  sudo apt-get update

Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-zed-needed to verification-zed-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-zed-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

tags: added: verification-zed-needed
James Page (james-page) wrote :

Hello Frode, or anyone else affected,

Accepted ovn into antelope-proposed. The package will build now and be available in the Ubuntu Cloud Archive in a few hours, and then in the -proposed repository.

Please help us by testing this new package. To enable the -proposed repository:

  sudo add-apt-repository cloud-archive:antelope-proposed
  sudo apt-get update

Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-antelope-needed to verification-antelope-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-antelope-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

tags: added: verification-antelope-needed
Chris Valean (cvalean) wrote :

Hi James,
We are using ovn 22.03 on top of focal from this repo [0] which seems to not have been updated to have the fix for the CVE described here.
Would it be possible for that to get an update as well?
Thank you!

[0] http://ubuntu-cloud.archive.canonical.com/ubuntu/dists/focal-updates/ovn-22.03/

James Page (james-page)
Changed in cloud-archive:
status: Invalid → Fix Committed
James Page (james-page) wrote :

@cvalean - yep - I've just pushed these updates into ovn-22.03 proposed; as we work through testing they will get released to the updates pocket as well.

James Page (james-page) wrote :

This bug was fixed in the package ovn - 24.03.1-2ubuntu1~cloud0
---------------

 ovn (24.03.1-2ubuntu1~cloud0) jammy-caracal; urgency=medium
 .
   * New upstream release for the Ubuntu Cloud Archive.
 .
 ovn (24.03.1-2ubuntu1) noble; urgency=medium
 .
   * d/rules: Fix check for ovs populated from openvswitch-source.
   * d/t/control: Add missing architecture restrictions for
     openvswitch-switch-dpdk.
   * d/t/run-tests.sh: Fix autopkgtest for binary packages (LP: #2057998).
 .
 ovn (24.03.1-2) unstable; urgency=medium
 .
   * Team upload.
   * d/t/run-tests.sh: Fix typo in autopkgtest script.
   * d/rules: Skip tests deemed unstable by upstream.
   * d/skip-tests.txt: Add flaky test to the skip-list.
 .
 ovn (24.03.1-1) unstable; urgency=medium
 .
   * Team upload.
   * d/tests: Run system test suites for autopkgtest.
   * Update upstream source from tag 'upstream/24.03.1'.
     - CVE-2024-2182: Fix insufficient validation of incoming BFD packets
       (LP: #2053113).
 .
 ovn (24.03.0-1) unstable; urgency=medium
 .
   * Team upload.
   * Update upstream source from tag 'upstream/24.03.0'.
   * d/control: Replace pkg-config with pkgconf as build dependency.
   * d/control: Update openvswitch-source build dependency.

Changed in cloud-archive:
status: Fix Committed → Fix Released