Embargo ends: Monday, March 28
Multiple versions of Open vSwitch are vulnerable to remote buffer
overflow attacks, in which crafted MPLS packets could overflow the
buffer reserved for MPLS labels in an OVS internal data structure.
The MPLS packets that trigger the vulnerability and the potential for
exploitation vary depending on version:
- Open vSwitch 2.1.x and earlier are not vulnerable.
- In Open vSwitch 2.2.x and 2.3.x, the MPLS buffer overflow can be exploited for arbitrary remote code execution.
- In Open vSwitch 2.4.x, the MPLS buffer overflow does not obviously lead to a remote code execution exploit, but testing shows that it can allow a remote denial of service.
- Open vSwitch 2.5.x is not vulnerable.
For any version of Open vSwitch, preventing MPLS packets from reaching
Open vSwitch mitigates the vulnerability. We do not recommend
attempting to mitigate the vulnerability this way because of the
- Open vSwitch obtains packets before the iptables host firewall, so iptables on the Open vSwitch host cannot ordinarily block the
- If Open vSwitch is configured to support tunnels, MPLS packets encapsulated within tunnels must also be prevented from reaching
- If Open vSwitch runs on a hypervisor, MPLS packets from VMs can also trigger the vulnerability.
We believe that Open vSwitch 2.4 is subject to denial of service only
when debug logging is enabled. By default, debug logging is not
enabled. Users most commonly enable debug logging at runtime using
the "ovs-appctl" utility. When this is the case, the buffer overflow
will crash the ovs-vswitchd daemon once, and then when it
automatically restarts debug logging will be disabled; thus, in this
situation, the vulnerability can only cause a single, brief
interruption in service. Debug logging can also be enabled
persistently using a command-line flag; in this situation, a stream of
crafted MPLS packets could cause an extended denial of service.
Patches to fix these vulnerabilities in Open vSwitch 2.3.x and 2.4.x
are appended. The patch for Open vSwitch 2.3.x also applies to and is
effective for Open vSwitch 2.2.x.
We recommend that users of Open vSwitch 2.3.x or 2.4.x apply the
respective patch, or upgrade to Open vSwitch 2.5.0.
For Open vSwitch 2.4.x only, if it cannot be upgraded expeditiously,
we recommend verifying that debug logging is not enabled on the
command line. This is not effective mitigation for Open vSwitch
Open vSwitch 2.2.x was never officially released. If users of
prerelease versions exist, we recommend that they upgrade to Open
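The advisory's interim advice for 2.4.x is to verify that debug logging is not enabled. The script below is an added example, not part of the advisory or of the Open vSwitch project: it inspects the two places where debug logging can be turned on, the daemon's command line (-v/--verbose flags) and the runtime levels shown by "ovs-appctl vlog/list". The vlog/list sample output and the command lines are constructed for a stand-alone run.

```shell
#!/bin/sh
# Added example: detect whether ovs-vswitchd debug logging is enabled, the
# condition the advisory ties to the 2.4.x denial of service. Not OVS code.

# Return 0 if the given ovs-vswitchd argument list raises any log level to
# dbg via -v/--verbose. A bare -v or --verbose sets every module and
# destination to dbg; a spec such as -vconsole:dbg raises one destination.
cmdline_enables_debug() {
    for arg in "$@"; do
        case "$arg" in
            -v|--verbose) return 0 ;;
            -v*dbg*|-v*DBG*|--verbose=*dbg*|--verbose=*DBG*) return 0 ;;
        esac
    done
    return 1
}

# Return 0 if any module row of "ovs-appctl vlog/list" output (on stdin)
# has console, syslog or file set to DBG. Rows 1-2 are the column header
# and the dashed separator; each later row is: module console syslog file.
vlog_list_has_dbg() {
    awk 'NR > 2 && ($2 == "DBG" || $3 == "DBG" || $4 == "DBG") { found = 1 }
         END { exit !found }'
}

# Constructed sample of vlog/list output with default levels (no DBG).
SAMPLE_VLOG_DEFAULT='                 console    syslog    file
                 -------    ------    ------
backtrace          OFF        ERR       INFO
bfd                OFF        ERR       INFO
ofproto            OFF        ERR       INFO'

# Constructed sample after someone ran "ovs-appctl vlog/set ofproto:file:dbg".
SAMPLE_VLOG_DEBUG='                 console    syslog    file
                 -------    ------    ------
backtrace          OFF        ERR       INFO
ofproto            OFF        ERR       DBG'

# Stand-alone demonstration against the constructed inputs.
demo() {
    cmdline_enables_debug ovs-vswitchd --pidfile -vconsole:dbg \
        && echo "command line: debug logging ENABLED (persistent across restarts)"
    printf '%s\n' "$SAMPLE_VLOG_DEBUG" | vlog_list_has_dbg \
        && echo "vlog/list: debug logging ENABLED at runtime (lost on restart)"
    printf '%s\n' "$SAMPLE_VLOG_DEFAULT" | vlog_list_has_dbg \
        || echo "vlog/list (defaults): no DBG destinations"
}
```

On a live host, feed the real data instead of the samples: `ovs-appctl vlog/list | vlog_list_has_dbg` and `cmdline_enables_debug $(tr '\0' ' ' < /proc/"$(pidof ovs-vswitchd)"/cmdline)`.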
As 2.5.0 is in tree, I'd like to do a fast stablereq on that (amd64/x86) and remove all older releases.
adding arch sec liaisons for fast stablereq of =net-misc/openvswitch-2.5.0
stable for both.
removed bad versions
removing arch contacts
issue public at http://www.openwall.com/lists/oss-security/2016/03/29/1
@ Security: Waiting for GLSA...
This issue was resolved and addressed in
GLSA 201701-07 at https://security.gentoo.org/glsa/201701-07
by GLSA coordinator Thomas Deutschmann (whissi).