[ovs-dev] Bug#863655: openvswitch: CVE-2017-9263

Ben Pfaff blp at ovn.org
Mon May 29 20:35:58 UTC 2017


notfound 863655 2.3.0+git20140819-1
found 863655 2.6.2~pre+git20161223-3
severity 863655 normal
thanks

On Mon, May 29, 2017 at 09:44:13PM +0200, Salvatore Bonaccorso wrote:
> Source: openvswitch
> Version: 2.3.0+git20140819-1
> Severity: important
> Tags: security upstream patch
> 
> Hi,
> 
> the following vulnerability was published for openvswitch.
> 
> CVE-2017-9263[0]:
> | In Open vSwitch (OvS) 2.7.0, while parsing an OpenFlow role status
> | message, there is a call to the abort() function for undefined role
> | status reasons in the function `ofp_print_role_status_message` in
> | `lib/ofp-print.c` that may be leveraged toward a remote DoS attack by a
> | malicious switch.

This doesn't really make sense.  For a "malicious switch" to leverage
this as a remote DoS, the controller that it talks to has to be
implemented using the OVS code in question.  OVS 2.3 as packaged for
Debian doesn't include a controller.

Open vSwitch 2.6.2 includes two controllers.  The first one,
ovs-testcontroller, is not vulnerable to this in the default
configuration, because it does not print such messages even if it
receives them, unless it is specially configured to do so.  The second
one, ovn-controller, only talks to Open vSwitch directly, not to
arbitrary switches, and only over a trusted Unix domain socket anyway.
In any case, if either of these crashes due to this bug, they
automatically restart themselves.

So, while it is a good idea to fix this, it's not high severity.
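As an added illustration of the pattern the CVE text describes (this is not code from Open vSwitch or from anyone in this thread): a decoder that treats a peer-supplied role status reason outside the known set as an internal invariant violation and calls abort(), beside a hardened form that formats the unknown value and reports it instead. The three reason codes follow OpenFlow 1.4's OFPCRR_* values; the struct layout, function names and sample messages are constructed for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* Role status reasons as numbered in OpenFlow 1.4 (OFPCRR_*). */
enum role_reason {
    CRR_MASTER_REQUEST = 0,
    CRR_CONFIG = 1,
    CRR_EXPERIMENTER = 2,
};

/* The pattern the CVE text describes (constructed sketch, not OVS code):
 * a value that arrived on the wire is handled as if only a bug could
 * produce it, so a peer that sends e.g. 7 ends the process. */
const char *
role_reason_to_string_unsafe(uint8_t reason)
{
    switch (reason) {
    case CRR_MASTER_REQUEST: return "master_request";
    case CRR_CONFIG:         return "config";
    case CRR_EXPERIMENTER:   return "experimenter";
    default:
        abort();   /* peer-controlled input reaches abort() */
    }
}

/* Hardened form: an unknown reason is a protocol surprise, not an invariant
 * violation. Always writes a string into buf; returns 0 for a known reason
 * and -1 for an unknown one so the caller can log or count it. */
int
role_reason_format(uint8_t reason, char *buf, size_t bufsz)
{
    switch (reason) {
    case CRR_MASTER_REQUEST: snprintf(buf, bufsz, "master_request"); return 0;
    case CRR_CONFIG:         snprintf(buf, bufsz, "config");         return 0;
    case CRR_EXPERIMENTER:   snprintf(buf, bufsz, "experimenter");   return 0;
    default:
        snprintf(buf, bufsz, "unknown(%u)", (unsigned) reason);
        return -1;
    }
}

/* Constructed, simplified role status body: role, reason byte, padding. */
struct role_status_msg {
    uint32_t role;
    uint8_t  reason;
    uint8_t  pad[3];
};

/* Prints one role status message using the hardened formatter.
 * Returns 0 if the reason was recognised, -1 otherwise; never aborts. */
int
print_role_status(const struct role_status_msg *msg, char *out, size_t outsz)
{
    char reason[32];
    int rc = role_reason_format(msg->reason, reason, sizeof reason);

    snprintf(out, outsz, "role_status: role=%u reason=%s",
             (unsigned) msg->role, reason);
    return rc;
}

int
main(void)
{
    /* Constructed sample messages: one valid reason, one out of range. */
    struct role_status_msg good = { 3, CRR_CONFIG, { 0, 0, 0 } };
    struct role_status_msg bad  = { 1, 7,          { 0, 0, 0 } };
    char line[128];

    print_role_status(&good, line, sizeof line);
    puts(line);
    if (print_role_status(&bad, line, sizeof line) != 0) {
        printf("%s  (unrecognised reason, message skipped)\n", line);
    }
    return 0;
}
```

The point of the hardened version is that a controller parsing messages from an untrusted switch should never let a decoded field select a fatal code path; the caller decides whether an unknown reason is worth logging, dropping, or disconnecting over.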

