Bug 769995 (CVE-2020-35498)

Summary:	<net-misc/openvswitch-2.15.0: limitation in the OVS packet parsing in userspace leads to DoS (CVE-2020-35498)
Product:	Gentoo Security	Reporter:	John Helmert III <ajak>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	minor	CC:	prometheanfire, virtualization
Priority:	Normal
Version:	unspecified
Hardware:	All
OS:	Linux
URL:	https://mail.openvswitch.org/pipermail/ovs-announce/2021-February/000271.html
Whiteboard:	B3 [glsa+ cve]
Package list:		Runtime testing required:	---

Description John Helmert III archtester

2021-02-11 01:51:15 UTC

CVE-2020-35498:

Multiple versions of Open vSwitch are vulnerable to potential problems
like denial of service attacks, in which crafted network packets could
cause the packet lookup to ignore network header fields from layers 3
and 4.

Both kernel and userspace datapaths are affected, including DPDK enabled
Open vSwitch (OVS-DPDK) as an example of the latter.

The crafted network packet is an ordinary IPv4 or IPv6 packet with
Ethernet padding length above 255 bytes. This causes the packet sanity
check to abort parsing header fields after layer 2.

When that situation happens, the classifier will use an unexpected set
of header fields. This could cause the packet lookup to either match
on unintended flows or return the default table miss action 'drop'.

As a consequence, the datapath can be instructed to match on an
incorrect range of packets with an action to drop them, for example.
Further legit traffic could hit the cached flow preventing it to
expire extending the situation.


Patch (in 2.14.2): https://github.com/openvswitch/ovs/commit/59b588604b89e85b463984ba08a99badb4fcba15

Please bump.

Comment 1 John Helmert III archtester

2021-03-19 03:43:38 UTC

Ping

Comment 2 Larry the Git Cow gentoo-dev

2021-06-05 20:41:46 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5e7539efe063efccea4bb469643ce76de1368e1c

commit 5e7539efe063efccea4bb469643ce76de1368e1c
Author:     Matthew Thode <prometheanfire@gentoo.org>
AuthorDate: 2021-06-05 20:41:26 +0000
Commit:     Matthew Thode <prometheanfire@gentoo.org>
CommitDate: 2021-06-05 20:41:41 +0000

    net-misc/openvswitch: 2.15.0 bump
    
    Bug: https://bugs.gentoo.org/769995
    Package-Manager: Portage-3.0.18, Repoman-3.0.2
    Signed-off-by: Matthew Thode <prometheanfire@gentoo.org>

 net-misc/openvswitch/Manifest                  |   1 +
 net-misc/openvswitch/openvswitch-2.15.0.ebuild | 144 +++++++++++++++++++++++++
 2 files changed, 145 insertions(+)

Comment 3 Larry the Git Cow gentoo-dev

2021-06-05 20:46:56 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d9541eceef95f8758d466afd02eae7fd33555717

commit d9541eceef95f8758d466afd02eae7fd33555717
Author:     Matthew Thode <prometheanfire@gentoo.org>
AuthorDate: 2021-06-05 20:46:45 +0000
Commit:     Matthew Thode <prometheanfire@gentoo.org>
CommitDate: 2021-06-05 20:46:52 +0000

    net-misc/openvswitch: 2.15.0 fast stable for cve
    
    Bug: https://bugs.gentoo.org/769995
    Package-Manager: Portage-3.0.18, Repoman-3.0.2
    Signed-off-by: Matthew Thode <prometheanfire@gentoo.org>

 net-misc/openvswitch/openvswitch-2.15.0.ebuild | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

Comment 4 John Helmert III archtester

2021-06-06 03:38:08 UTC

Please cleanup when ready, though might be good to wait a couple days in case of any regressions.

Comment 5 NATTkA bot gentoo-dev

2021-07-29 17:24:09 UTC Comment hidden (obsolete)

Package list is empty or all packages have requested keywords.

Comment 6 NATTkA bot gentoo-dev

2021-07-29 17:32:35 UTC Comment hidden (obsolete)

Package list is empty or all packages have requested keywords.

Comment 7 NATTkA bot gentoo-dev

2021-07-29 17:40:29 UTC Comment hidden (obsolete)

Package list is empty or all packages have requested keywords.

Comment 8 NATTkA bot gentoo-dev

2021-07-29 17:48:39 UTC Comment hidden (obsolete)

Package list is empty or all packages have requested keywords.

Comment 9 NATTkA bot gentoo-dev

2021-07-29 18:04:35 UTC Comment hidden (obsolete)

Package list is empty or all packages have requested keywords.

Comment 10 NATTkA bot gentoo-dev

2021-07-29 18:12:53 UTC

Package list is empty or all packages have requested keywords.

Comment 11 Larry the Git Cow gentoo-dev

2023-11-26 10:07:47 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=6109db58da8356109819f2e31a15acb75bbd5b61

commit 6109db58da8356109819f2e31a15acb75bbd5b61
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2023-11-26 10:06:58 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2023-11-26 10:07:30 +0000

    [ GLSA 202311-16 ] Open vSwitch: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/765346
    Bug: https://bugs.gentoo.org/769995
    Bug: https://bugs.gentoo.org/803107
    Bug: https://bugs.gentoo.org/887561
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202311-16.xml | 51 +++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 51 insertions(+)