[Debian] CVE: CVE-2023-1668: openvswitch incorrect handling of other IP packets with a != 0

Bug #2018640 reported by Yue Tao
This bug affects 1 person
Affects: StarlingX
Status: Fix Released
Importance: High
Assigned to: Zhixiong Chi

Bug Description

CVE-2023-1668: https://nvd.nist.gov/vuln/detail/CVE-2023-1668

A flaw was found in openvswitch (OVS). When processing an IP packet with protocol 0, OVS will install the datapath flow without the action modifying the IP header. This issue results (for both kernel and userspace datapath) in installing a datapath flow matching all IP protocols (nw_proto is wildcarded) for this flow, but with an incorrect action, possibly causing incorrect handling of other IP packets with a != 0 IP protocol that matches this dp flow.

Score:
cve_id status cvss3Score
CVE-2023-1668 fixed 8.82

References:

openvswitch_2.15.0+ds1-2+deb11u4

Yue Tao (wrytao)
Changed in starlingx:
importance: Undecided → High
status: New → Triaged
tags: added: stx.9.0 stx.security
Changed in starlingx:
assignee: nobody → Zhixiong Chi (zhixiongchi)
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix proposed to integ (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/starlingx/integ/+/882795

OpenStack Infra (hudson-openstack) wrote : Fix merged to integ (master)

Reviewed: https://review.opendev.org/c/starlingx/integ/+/882795
Committed: https://opendev.org/starlingx/integ/commit/bdb19661ae1059f905667a0baa0b1671ce9e5bbb
Submitter: "Zuul (22348)"
Branch: master

commit bdb19661ae1059f905667a0baa0b1671ce9e5bbb
Author: Zhixiong Chi <email address hidden>
Date: Mon May 8 16:30:30 2023 +0800

    openvswitch: Upgrade to 2.15.0+ds1-2+deb11u4

    Fix CVE-2023-1668.

    Refer to:
    https://security-tracker.debian.org/tracker/CVE-2023-1668

    TestPlan:
    PASS: downloader
    PASS: build-pkgs -a -c
    PASS: build-image
    PASS: Jenkins Installation.
    PASS: dpkg -l |grep openvswitch
    ii openvswitch-common 2.15.0+ds1-2+deb11u4.stx.5
    ii openvswitch-config 1.0.0-1.stx.3
    ii openvswitch-switch 2.15.0+ds1-2+deb11u4.stx.5
    ii openvswitch-switch-dpdk 2.15.0+ds1-2+deb11u4.stx.5

    Closes-Bug: 2018640

    Signed-off-by: Zhixiong Chi <email address hidden>
    Change-Id: I7d88ca38aaf721a77434a70a4304c5f6d34a4a6b

Changed in starlingx:
status: In Progress → Fix Released
This report contains Public Security information  
Everyone can see this security related information.
