CVE-2023-3966 (https://mail.openvswitch.org/pipermail/ovs-announce/2024-February/000339.html):

"Multiple versions of Open vSwitch are vulnerable to crafted Geneve packets causing invalid memory accesses and potential denial of service. Triggering the vulnerability requires that Open vSwitch has flow hardware offload with Linux TC flower enabled (other_config:hw-offload=true). It is not enabled by default. The issue is caused by insufficient validation of Geneve metadata fields in the offload path. Open vSwitch versions 2.12 and newer are affected."

CVE-2023-5366 (https://mail.openvswitch.org/pipermail/ovs-announce/2024-February/000340.html):

"In multiple versions of Open vSwitch, if OpenFlow rules on a switch contain a match on a Target Address (nd_target) of Neighbor Discovery IPv6 packets (Neighbor Solicitation or Neighbor Advertisement) without also matching on ICMPv6 Code (icmp_code or icmpv6_code) field being zero, the match on the Target Address can be ignored and the specified actions may be executed for a packet with a different Target Address. This constitutes a vulnerability if such OpenFlow rules are used in order to provide Neighbor Discovery anti-spoofing protection. For example, the following set of rules may allow packets with any nd_target, even though it should only allow packets with the 2001::1 Target:

    priority=10 icmp6,icmpv6_type=136,nd_target=2001::1 actions=<allow>
    priority=0 icmp6 actions=drop

The issue is caused by the difference between the OpenFlow specification that only lists ICMPV6 TYPE=135 or ICMPV6 TYPE=136 as a prerequisite for the IPV6_ND_TARGET and datapath implementations that treat ICMPV6_CODE=0 as a requirement for a packet to have the Target Address option. This leads to creation of an overly broad datapath flow that matches packets regardless of the Target Address value. Triggering the issue depends on the order in which packets are seen by the switch. Open vSwitch versions 2.1 and newer are affected."
Fixes are in 2.17.9 according to URL.
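
To find rules that meet the CVE-2023-5366 condition quoted above (a match on nd_target with no match on icmp_code or icmpv6_code being zero), a flow table can be checked offline. The script below is an added example, not code from the Open vSwitch project or the advisory; it assumes one rule per line in the comma/space separated syntax the advisory uses, and the third sample rule is constructed for contrast.

```python
import re

# Field names as given in the advisory text.
CODE_FIELDS = ("icmp_code", "icmpv6_code")

# First two rules are the advisory's example; the third is constructed.
SAMPLE_RULES = """\
priority=10 icmp6,icmpv6_type=136,nd_target=2001::1 actions=<allow>
priority=0 icmp6 actions=drop
priority=10 icmp6,icmpv6_type=136,icmpv6_code=0,nd_target=2001::1 actions=<allow>
"""

def parse_match(flow):
    """Return the match fields of one rule; bare keywords (icmp6) map to None."""
    # Drop the actions so a field name used inside an action is not
    # mistaken for a match.
    match_part = re.split(r"\bactions=", flow, maxsplit=1)[0]
    fields = {}
    for token in re.split(r"[,\s]+", match_part.strip()):
        if token:
            key, sep, value = token.partition("=")
            fields[key] = value if sep else None
    return fields

def is_zero(value):
    """True for '0', '0x0' and similar; False for missing or other values."""
    try:
        return int(value, 0) == 0
    except (TypeError, ValueError):
        return False

def nd_target_without_code(flow):
    """True if the rule matches nd_target but not ICMPv6 code == 0."""
    fields = parse_match(flow)
    if "nd_target" not in fields:
        return False
    return not any(is_zero(fields.get(name)) for name in CODE_FIELDS)

def audit(text):
    """Return the rules in text that meet the advisory's trigger condition."""
    return [line for line in text.splitlines()
            if line.strip() and nd_target_without_code(line)]

if __name__ == "__main__":
    for rule in audit(SAMPLE_RULES):
        print("nd_target without ICMPv6 code 0:", rule)
```

A flagged rule is only a concern where, as the advisory says, the rules are relied on for Neighbor Discovery anti-spoofing.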