[ovs-discuss] Open vSwitch 2.12.x ≤ 2.12.3, 2.14.x ≤ 2.14.2 Local Denial of Service Vulnerability CVE-2021-36980

[Paulsen, Markus]

Dear Open vSwitch,

I'm reaching out as a member of the Siemens Vulnerability Monitoring (SVM) team, responsible for informing Siemens customers and employees about vulnerabilities affecting third-party components. We focus in vulnerability analysis and rely mostly on publicly available information, without reproducing reported exploits.

We are currently investigating the vulnerabilities with the assigned Common Vulnerabilities and Exposures (CVE) identifier CVE-2021-36980, which the NVD describes as: "Open vSwitch (aka openvswitch) 2.11.0 through 2.15.0 has a use-after-free in decode_NXAST_RAW_ENCAP (called from ofpact_decode and ofpacts_decode) during the decoding of a RAW_ENCAP action". A more detailed description was created by Google in their post: https://github.com/google/oss-fuzz-vulns/blob/main/vulns/openvswitch/OSV-2020-2197.yaml

Therefore we are reaching out to you in order to ask: Can you confirm the information in the post from Google and if yes, could you please shortly elaborate at what dates the releases of the versions 2.12.4 and 2.14.3 (containing https://github.com/openvswitch/ovs/commit/9926637a80d0d243dbf9c49761046895e9d1a8e2 and https://github.com/openvswitch/ovs/commit/8ce8dc34b5f73b30ce0c1869af9947013c3c6575) can be expected? This information would help us to inform our users accordingly.

Grateful for your attention.

With best regards,

Markus Paulsen
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.openvswitch.org/pipermail/ovs-discuss/attachments/20210720/636f2939/attachment-0001.html>