Sign-up

ID

VAR-201710-0983


CVE

CVE-2017-14970


TITLE

Open vSwitch Vulnerable to resource exhaustion

Trust: 0.8

sources: JVNDB: JVNDB-2017-008466

DESCRIPTION

In lib/ofp-util.c in Open vSwitch (OvS) before 2.8.1, there are multiple memory leaks while parsing malformed OpenFlow group mod messages. NOTE: the vendor disputes the relevance of this report, stating "it can only be triggered by an OpenFlow controller, but OpenFlow controllers have much more direct and powerful ways to force Open vSwitch to allocate memory, such as by inserting flows into the flow table.". Open vSwitch (OvS) Contains a resource exhaustion vulnerability. Vendors are contesting this vulnerability. For details, see NVD of Current Description Please Confirm. https://nvd.nist.gov/vuln/detail/CVE-2017-14970Service operation interruption (DoS) There is a possibility of being put into a state. OpenvSwitch (OvS) is a multi-layer virtual switch product based on open source technology (subject to Apache 2.0 license). It supports large-scale network automation, standard management interfaces and protocols through programming extensions. A security vulnerability exists in the lib/ofp-util.c file in versions prior to OvS 2.8.1. A remote attacker could exploit the vulnerability to cause a denial of service. through programming extensions

Trust: 2.25

sources: NVD: CVE-2017-14970 // JVNDB: JVNDB-2017-008466 // CNVD: CNVD-2017-32356 // VULHUB: VHN-105746

IOT TAXONOMY

category:['Network device']sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2017-32356

AFFECTED PRODUCTS

vendor:openvswitchmodel:openvswitchscope:lteversion:2.8.0

Trust: 1.0

vendor:open vswitchmodel:open vswitchscope:ltversion:2.8.1

Trust: 0.8

vendor:openmodel:vswitch open vswitchscope:ltversion:2.8.1

Trust: 0.6

vendor:openvswitchmodel:openvswitchscope:eqversion:2.8.0

Trust: 0.6

sources: CNVD: CNVD-2017-32356 // JVNDB: JVNDB-2017-008466 // CNNVD: CNNVD-201710-454 // NVD: CVE-2017-14970

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2017-14970
value: MEDIUM

Trust: 1.0

NVD: CVE-2017-14970
value: HIGH

Trust: 0.8

CNVD: CNVD-2017-32356
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201710-454
value: MEDIUM

Trust: 0.6

VULHUB: VHN-105746
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2017-14970
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:N/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

NVD: CVE-2017-14970
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:N/I:N/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: PARTIAL
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

CNVD: CNVD-2017-32356
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:N/I:N/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

VULHUB: VHN-105746
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:N/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2017-14970
baseSeverity: MEDIUM
baseScore: 5.9
vectorString: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
attackVector: NETWORK
attackComplexity: HIGH
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: HIGH
exploitabilityScore: 2.2
impactScore: 3.6
version: 3.0

Trust: 1.0

NVD: CVE-2017-14970
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2017-32356 // VULHUB: VHN-105746 // JVNDB: JVNDB-2017-008466 // CNNVD: CNNVD-201710-454 // NVD: CVE-2017-14970

PROBLEMTYPE DATA

problemtype:CWE-772

Trust: 1.1

problemtype:CWE-400

Trust: 0.9

sources: VULHUB: VHN-105746 // JVNDB: JVNDB-2017-008466 // NVD: CVE-2017-14970

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201710-454

TYPE

resource management error

Trust: 0.6

sources: CNNVD: CNNVD-201710-454

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2017-008466

PATCH
title:[ovs-dev] [PATCH v4 3/3] ofp-util: Fix memory leaks when parsing OF1.5 group properties.url:https://mail.openvswitch.org/pipermail/ovs-dev/2017-September/339086.html
Trust: 0.8
title:[ovs-dev] [PATCH v4 2/3] ofp-util: Fix memory leaks on error cases in ofputil_decode_group_mod().url:https://mail.openvswitch.org/pipermail/ovs-dev/2017-September/339085.html
Trust: 0.8
title:OpenvSwitch denial of service vulnerability patchurl:https://www.cnvd.org.cn/patchInfo/show/104742
Trust: 0.6
title:Open vSwitch Security vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=75533
Trust: 0.6
sources:
            
            
            CNVD: CNVD-2017-32356 // 
            
            
            
            JVNDB: JVNDB-2017-008466 // 
            
            
            
            CNNVD: CNNVD-201710-454

EXTERNAL IDS
db:NVDid:CVE-2017-14970
Trust: 3.1
db:JVNDBid:JVNDB-2017-008466
Trust: 0.8
db:CNNVDid:CNNVD-201710-454
Trust: 0.7
db:CNVDid:CNVD-2017-32356
Trust: 0.6
db:VULHUBid:VHN-105746
Trust: 0.1
sources:
            
            
            CNVD: CNVD-2017-32356 // 
            
            
            
            VULHUB: VHN-105746 // 
            
            
            
            JVNDB: JVNDB-2017-008466 // 
            
            
            
            CNNVD: CNNVD-201710-454 // 
            
            
            
            NVD: CVE-2017-14970

REFERENCES
url:https://mail.openvswitch.org/pipermail/ovs-dev/2017-september/339085.html
Trust: 2.3
url:https://mail.openvswitch.org/pipermail/ovs-dev/2017-september/339086.html
Trust: 1.7
url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-14970
Trust: 0.8
url:https://nvd.nist.gov/vuln/detail/cve-2017-14970
Trust: 0.8
sources:
            
            
            CNVD: CNVD-2017-32356 // 
            
            
            
            VULHUB: VHN-105746 // 
            
            
            
            JVNDB: JVNDB-2017-008466 // 
            
            
            
            CNNVD: CNNVD-201710-454 // 
            
            
            
            NVD: CVE-2017-14970

SOURCES
db:CNVDid:CNVD-2017-32356
db:VULHUBid:VHN-105746
db:JVNDBid:JVNDB-2017-008466
db:CNNVDid:CNNVD-201710-454
db:NVDid:CVE-2017-14970

LAST UPDATE DATE
2024-11-23T22:38:24.214000+00:00

SOURCES UPDATE DATE
db:CNVDid:CNVD-2017-32356date:2017-11-02T00:00:00
db:VULHUBid:VHN-105746date:2019-10-03T00:00:00
db:JVNDBid:JVNDB-2017-008466date:2017-10-19T00:00:00
db:CNNVDid:CNNVD-201710-454date:2019-10-08T00:00:00
db:NVDid:CVE-2017-14970date:2024-11-21T03:13:52.130

SOURCES RELEASE DATE
db:CNVDid:CNVD-2017-32356date:2017-11-02T00:00:00
db:VULHUBid:VHN-105746date:2017-10-02T00:00:00
db:JVNDBid:JVNDB-2017-008466date:2017-10-19T00:00:00
db:CNNVDid:CNNVD-201710-454date:2017-10-19T00:00:00
db:NVDid:CVE-2017-14970date:2017-10-02T01:29:00.517