Description
A flaw was found in openvswitch (OVS). When processing an IP packet with protocol 0, OVS will install the datapath flow without the action modifying the IP header. This issue results (for both the kernel and userspace datapaths) in installing a datapath flow matching all IP protocols (nw_proto is wildcarded) for this flow, but with an incorrect action, possibly causing incorrect handling of other IP packets with a non-zero IP protocol that match this datapath flow.
Statement
In OpenShift Container Platform (OCP) the openvswitch rpm package is consumed from the RHEL Fast Datapath repositories, hence OCP openvswitch components are marked as "Will not fix".
Mitigation
For any version of Open vSwitch, preventing packets with network protocol number '0' from reaching Open vSwitch will prevent the issue. This is difficult to achieve because Open vSwitch obtains packets before the iptables or nftables host firewall, so iptables or nftables on the Open vSwitch host cannot ordinarily block the vulnerability.

Another method is to add a high-priority flow to the flow table that explicitly matches on network protocol '0' and handles that traffic separately:

```
table=0 priority=32768,ip,ip_proto=0 actions=drop
```

The same would need to be done for IPv6 traffic as well.
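The mitigation above only works if the guard rule is actually present for both address families and nothing at equal or higher priority in the same table can catch a protocol-0 packet before it. The following audit script is an added example, not code from the advisory or from the Open vSwitch project. It assumes the input is the text printed by `ovs-ofctl dump-flows <bridge>`, in which the rule appears as `priority=32768,ip,nw_proto=0 actions=drop` (ovs-ofctl prints the protocol field as `nw_proto`; the `ip_proto` spelling used in the advisory is accepted too). The sample dump embedded in the script is constructed, not a real capture.

```python
"""Audit an Open vSwitch flow table for the IP-protocol-0 guard rules.

Added example; assumes `ovs-ofctl dump-flows` text as input (see lead-in).
"""
from dataclasses import dataclass

DEFAULT_PRIORITY = 32768  # OpenFlow default when priority= is omitted

# dump-flows bookkeeping fields that are not part of the match
STATS_KEYS = {"cookie", "duration", "table", "n_packets", "n_bytes", "idle_age",
              "hard_age", "idle_timeout", "hard_timeout", "priority", "importance"}

ETHERTYPE = {"ip": "0x0800", "ipv6": "0x86dd"}
# Keywords that pin a flow to another ethertype than the family in question, or
# that imply a non-zero IP protocol, so the flow can never match protocol 0.
EXCLUDES = {
    "ip":   {"ipv6", "tcp6", "udp6", "icmp6", "sctp6", "tcp", "udp", "icmp",
             "sctp", "arp", "rarp", "mpls", "mplsm"},
    "ipv6": {"ip", "tcp", "udp", "icmp", "sctp", "tcp6", "udp6", "icmp6",
             "sctp6", "arp", "rarp", "mpls", "mplsm"},
}


@dataclass
class Flow:
    table: int
    priority: int
    match: dict       # field -> value; bare keywords such as "ip" map to ""
    actions: str


def parse_flow_line(line):
    """Parse one dump-flows line; return None for the header or blank lines."""
    line = line.strip()
    if not line or " actions=" not in line:
        return None
    head, actions = line.split(" actions=", 1)
    table, priority, match = 0, DEFAULT_PRIORITY, {}
    for tok in head.split(","):
        tok = tok.strip()
        if not tok:
            continue
        key, _, value = tok.partition("=")
        if key == "table":
            table = int(value)
        elif key == "priority":
            priority = int(value)
        elif key not in STATS_KEYS:
            match[key] = value
    return Flow(table, priority, match, actions.strip())


def parse_dump(text):
    flows = (parse_flow_line(line) for line in text.splitlines())
    return [f for f in flows if f is not None]


def _protocol(match):
    return match.get("nw_proto", match.get("ip_proto"))


def _can_match_protocol_zero(flow, family):
    """True if the match does not rule out <family> packets with protocol 0."""
    if EXCLUDES[family] & flow.match.keys():
        return False
    dl_type = flow.match.get("dl_type")
    if dl_type is not None and int(dl_type, 0) != int(ETHERTYPE[family], 0):
        return False
    proto = _protocol(flow.match)
    return proto is None or int(proto, 0) == 0


def find_guard(flows, family, table=0):
    """Highest-priority drop rule for <family>,nw_proto=0 in <table>, or None."""
    guards = [f for f in flows
              if f.table == table and f.actions == "drop" and family in f.match
              and _protocol(f.match) is not None and int(_protocol(f.match), 0) == 0]
    return max(guards, key=lambda f: f.priority, default=None)


def shadowing_flows(flows, guard, family):
    """Same-table flows at >= the guard's priority that could still win first."""
    return [f for f in flows
            if f is not guard and f.table == guard.table
            and f.priority >= guard.priority
            and _can_match_protocol_zero(f, family)]


def audit(text):
    """Per family: ('ok' | 'missing' | 'shadowed', guard Flow or None)."""
    flows = parse_dump(text)
    report = {}
    for family in ("ip", "ipv6"):
        guard = find_guard(flows, family)
        if guard is None:
            report[family] = ("missing", None)
        elif shadowing_flows(flows, guard, family):
            report[family] = ("shadowed", guard)
        else:
            report[family] = ("ok", guard)
    return report


# Constructed sample, modelled on the dump-flows format (not a real capture).
SAMPLE_DUMP = """\
NXST_FLOW reply (xid=0x4):
 cookie=0x0, duration=91.2s, table=0, n_packets=0, n_bytes=0, priority=32768,ip,nw_proto=0 actions=drop
 cookie=0x0, duration=91.2s, table=0, n_packets=12, n_bytes=960, priority=40000,arp actions=NORMAL
 cookie=0x0, duration=91.2s, table=0, n_packets=3, n_bytes=210, priority=100,ip,nw_dst=10.0.0.5 actions=mod_nw_ttl:63,output:2
 cookie=0x0, duration=91.2s, table=0, n_packets=77, n_bytes=5310, priority=0 actions=NORMAL
"""

if __name__ == "__main__":
    for family, (status, guard) in audit(SAMPLE_DUMP).items():
        extra = f" (priority {guard.priority})" if guard else ""
        print(f"{family:5} {status}{extra}")
```

Run against a live bridge with `ovs-ofctl dump-flows br0 | python3 audit.py` after replacing `SAMPLE_DUMP` with `sys.stdin.read()`. On the constructed sample the IPv4 guard is reported `ok` (the higher-priority `arp` rule cannot match IP traffic) while IPv6 is `missing`, which is exactly the gap the advisory's last sentence warns about.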
Affected packages
| Platform | Package | State | Errata | Release |
|---|---|---|---|---|
| Fast Datapath for RHEL 7 | openvswitch | Out of support scope | | |
| Fast Datapath for RHEL 7 | openvswitch2.10 | Out of support scope | | |
| Fast Datapath for RHEL 7 | openvswitch2.11 | Out of support scope | | |
| Fast Datapath for RHEL 7 | openvswitch2.12 | Out of support scope | | |
| Fast Datapath for RHEL 7 | openvswitch2.13 | Out of support scope | | |
| Fast Datapath for RHEL 8 | openvswitch2.11 | Out of support scope | | |
| Fast Datapath for RHEL 8 | openvswitch2.12 | Out of support scope | | |
| Fast Datapath for RHEL 8 | openvswitch2.16 | Out of support scope | | |
| Fast Datapath for RHEL 9 | openvswitch3.0 | Out of support scope | | |
| Red Hat Enterprise Linux 7 | openvswitch | Out of support scope | | |
Additional information
CVSS3 base score: 8.2 (High)