CVE-2017-14970
https://notcve.org/view.php?id=CVE-2017-14970
In lib/ofp-util.c in Open vSwitch (OvS) before 2.8.1, there are multiple memory leaks while parsing malformed OpenFlow group mod messages. NOTE: the vendor disputes the relevance of this report, stating "it can only be triggered by an OpenFlow controller, but OpenFlow controllers have much more direct and powerful ways to force Open vSwitch to allocate memory, such as by inserting flows into the flow table." En lib/ofp-util.c en Open vSwitch (OvS) en versiones anteriores a 2.8.1, hay múltiples fugas de memoria al analizar sintácticamente mensajes mod grupales OpenFlow malformados. NOTA: El proveedor discute la relevancia de este informe, diciendo que "solo puede ser iniciado mediante un controlador OpenFlow, pero los controladores OpenFlow tienen formas mucho más directas y poderosas para forzar a Open vSwitch a asignar memoria, como insertando flujos en la tabla de flujo". • https://mail.openvswitch.org/pipermail/ovs-dev/2017-September/339085.html https://mail.openvswitch.org/pipermail/ovs-dev/2017-September/339086.html • CWE-772: Missing Release of Resource after Effective Lifetime •
CVE-2017-9263 – openvswitch: Invalid processing of a malicious OpenFlow role status message
https://notcve.org/view.php?id=CVE-2017-9263
In Open vSwitch (OvS) 2.7.0, while parsing an OpenFlow role status message, there is a call to the abort() function for undefined role status reasons in the function `ofp_print_role_status_message` in `lib/ofp-print.c` that may be leveraged toward a remote DoS attack by a malicious switch. En Open vSwitch (OvS) versión 2.7.0, mientras se analiza un mensaje de estado de rol de OpenFlow, se llama a la función abort() por motivos de estado de rol indefinido en la función “ofp_print_role_status_message” en la biblioteca “lib/ofp-print.c” que puede ser aprovechada para un ataque de DoS remota mediante una interrupción maliciosa. While parsing an OpenFlow role status message Open vSwitch (OvS), a call to the abort() function for undefined role status reasons in the function 'ofp_print_role_status_message' in 'lib/ofp-print.c' could be misused for a remote denial of service attack by a malicious switch. • https://access.redhat.com/errata/RHSA-2017:2418 https://access.redhat.com/errata/RHSA-2017:2553 https://access.redhat.com/errata/RHSA-2017:2648 https://access.redhat.com/errata/RHSA-2017:2665 https://access.redhat.com/errata/RHSA-2017:2692 https://access.redhat.com/errata/RHSA-2017:2698 https://access.redhat.com/errata/RHSA-2017:2727 https://mail.openvswitch.org/pipermail/ovs-dev/2017-May/332966.html https://access.redhat.com/security/cve/CVE-2017-9263 https://bugzil • CWE-20: Improper Input Validation •
CVE-2017-9264 – openvswitch: Buffer over-read while parsing malformed TCP, UDP and IPv6 packets
https://notcve.org/view.php?id=CVE-2017-9264
In lib/conntrack.c in the firewall implementation in Open vSwitch (OvS) 2.6.1, there is a buffer over-read while parsing malformed TCP, UDP, and IPv6 packets in the functions `extract_l3_ipv6`, `extract_l4_tcp`, and `extract_l4_udp` that can be triggered remotely. En la biblioteca lib/conntrack.c en la implementación del firewall en Open vSwitch (OvS) versión 2.6.1, se presenta una lectura excesiva del búfer mientras se analizan los paquetes TCP, UDP e IPv6 malformados en las funciones “extract_l3_ipv6”, “extract_l4_tcp” y “extract_l4_udp” que pueden ser activadas remotamente. A buffer over-read was found in the Open vSwitch (OvS) firewall implementation. This flaw can be triggered by parsing a specially crafted TCP, UDP, or IPv6 packet. A remote attack could use this flaw to cause a Denial of Service (DoS). • https://access.redhat.com/errata/RHSA-2017:2418 https://access.redhat.com/errata/RHSA-2017:2648 https://access.redhat.com/errata/RHSA-2017:2727 https://mail.openvswitch.org/pipermail/ovs-dev/2017-March/329323.html https://access.redhat.com/security/cve/CVE-2017-9264 https://bugzilla.redhat.com/show_bug.cgi?id=1457329 • CWE-122: Heap-based Buffer Overflow CWE-125: Out-of-bounds Read •
CVE-2017-9265 – openvswitch: Buffer over-read while parsing the group mod OpenFlow message
https://notcve.org/view.php?id=CVE-2017-9265
In Open vSwitch (OvS) v2.7.0, there is a buffer over-read while parsing the group mod OpenFlow message sent from the controller in `lib/ofp-util.c` in the function `ofputil_pull_ofp15_group_mod`. En Open vSwitch (OvS) versión 2.7.0, se presenta una lectura excesiva del búfer mientras se analiza el mensaje group mod OpenFlow enviado desde el controlador en la biblioteca “lib/ofp-util.c” en la función “ofputil_pull_ofp15_group_mod”. A buffer over-read issue was found in Open vSwitch (OvS) which emerged while parsing the GroupMod OpenFlow messages sent from the controller. The issue could enable an attacker to cause a denial of service type of attack. • https://access.redhat.com/errata/RHSA-2017:2418 https://access.redhat.com/errata/RHSA-2017:2553 https://access.redhat.com/errata/RHSA-2017:2648 https://access.redhat.com/errata/RHSA-2017:2665 https://access.redhat.com/errata/RHSA-2017:2692 https://access.redhat.com/errata/RHSA-2017:2698 https://access.redhat.com/errata/RHSA-2017:2727 https://mail.openvswitch.org/pipermail/ovs-dev/2017-May/332965.html https://access.redhat.com/security/cve/CVE-2017-9265 https://bugzil • CWE-122: Heap-based Buffer Overflow CWE-125: Out-of-bounds Read •
CVE-2016-10377
https://notcve.org/view.php?id=CVE-2016-10377
In Open vSwitch (OvS) 2.5.0, a malformed IP packet can cause the switch to read past the end of the packet buffer due to an unsigned integer underflow in `lib/flow.c` in the function `miniflow_extract`, permitting remote bypass of the access control list enforced by the switch. En Open vSwitch (OvS) versión 2.5.0, un paquete IP malformado puede hacer que el conmutador lea más allá del final del búfer de paquetes debido a un desbordamiento de enteros sin signo en `lib/flow.c` en la función` miniflow_extract`, permitiendo eludir la lista de control de acceso forzada por el conmutador. • https://mail.openvswitch.org/pipermail/ovs-dev/2016-July/319503.html • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •