Описание
A flaw was found in the Open Virtual Network (OVN). Specially crafted UDP packets may bypass egress access control lists (ACLs) in OVN installations configured with a logical switch with DNS records set on it and if the same switch has any egress ACLs configured. This issue can lead to unauthorized access to virtual machines and containers running on the OVN network.
Отчет
Fixes for OpenShift Container Platform ovn component will be consumed from RHEL Fast Datapath.
Меры по смягчению последствий
Red Hat Product Security has not identified any mitigations at this time. We recommend updating to a known patched version of OVN.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat OpenShift Container Platform 4 | ovn22.06 | Out of support scope | ||
| Red Hat OpenShift Container Platform 4 | ovn22.09 | Out of support scope | ||
| Red Hat OpenShift Container Platform 4 | ovn22.12 | Out of support scope | ||
| Red Hat OpenShift Container Platform 4 | ovn23.03 | Out of support scope | ||
| Red Hat OpenShift Container Platform 4 | ovn23.06 | Will not fix | ||
| Red Hat OpenShift Container Platform 4 | ovn23.09 | Not affected | ||
| Red Hat OpenShift Container Platform 4 | ovn24.03 | Not affected | ||
| Red Hat OpenShift Container Platform 4 | ovn24.09 | Not affected | ||
| Fast Datapath for Red Hat Enterprise Linux 8 | ovn22.03 | Fixed | RHSA-2025:1083 | 05.02.2025 |
| Fast Datapath for Red Hat Enterprise Linux 8 | ovn22.06 | Fixed | RHSA-2025:1084 | 05.02.2025 |
Показывать по
Дополнительная информация
Статус:
8.1 High
CVSS3
Связанные уязвимости
A flaw was found in the Open Virtual Network (OVN). Specially crafted UDP packets may bypass egress access control lists (ACLs) in OVN installations configured with a logical switch with DNS records set on it and if the same switch has any egress ACLs configured. This issue can lead to unauthorized access to virtual machines and containers running on the OVN network. OVN provides rudimentary DNS caching as an optional feature to speed up lookups of frequently-used domains. When this feature is enabled, due to the OpenFlow rules that OVN installs in Open vSwitch, it is possible for an attacker to craft a UDP packet that can bypass egress ACL rules. Egress ACL rules are those that have the "direction" set to "to-lport". The OVN installation is vulnerable if a logical switch has DNS records set on it AND if the same switch has any egress ACLs configured on it. The switch is considered to have egress ACLs configured if the switch has an egress ACL configured directly on it using the "ac...
A flaw was found in the Open Virtual Network (OVN). Specially crafted UDP packets may bypass egress access control lists (ACLs) in OVN installations configured with a logical switch with DNS records set on it and if the same switch has any egress ACLs configured. This issue can lead to unauthorized access to virtual machines and containers running on the OVN network.
A flaw was found in the Open Virtual Network (OVN). Specially crafted ...
8.1 High
CVSS3