ID

VAR-202103-0218

CVE

CVE-2020-27827

TITLE

Open vSwitch  Resource Depletion Vulnerability

DESCRIPTION

A flaw was found in multiple versions of OpenvSwitch. Specially crafted LLDP packets can cause memory to be lost when allocating data to handle specific optional TLVs, potentially causing a denial of service. The highest threat from this vulnerability is to system availability. Open vSwitch Is vulnerable to a resource exhaustion.Denial of service (DoS) It may be put into a state. Canonical Ubuntu is a set of desktop application-based GNU/Linux operating system developed by British company Canonical. A security vulnerability exists in the Ubuntu lldp software that could be exploited by an attacker to trigger a denial of service attack. The following products and models are affected: Ubuntu 20.10 openvswitch-common, Ubuntu 20.04 LTS openvswitch-common Ubuntu 18.04 LTS openvswitch-common, Ubuntu 16.04 LTS: openvswitch-common. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ==================================================================== Red Hat Security Advisory Synopsis: Moderate: Red Hat Virtualization Host security, bug fix and enhancement update (4.4.4-2) Advisory ID: RHSA-2021:0976-01 Product: Red Hat Virtualization Advisory URL: https://access.redhat.com/errata/RHSA-2021:0976 Issue date: 2021-03-23 CVE Names: CVE-2020-27827 ==================================================================== 1. Summary: An update for imgbased, redhat-release-virtualization-host and redhat-virtualization-host is now available for Red Hat Virtualization 4 for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: RHEL 8-based RHEV-H for RHEV 4 (build requirements) - noarch, x86_64 Red Hat Virtualization 4 Hypervisor for RHEL 8 - noarch 3. Description: The redhat-virtualization-host packages provide the Red Hat Virtualization Host. These packages include redhat-release-virtualization-host, ovirt-node, and rhev-hypervisor. Red Hat Virtualization Hosts (RHVH) are installed using a special build of Red Hat Enterprise Linux with only the packages required to host virtual machines. RHVH features a Cockpit user interface for monitoring the host's resources and performing administrative tasks. The ovirt-node-ng packages provide the Red Hat Virtualization Host. These packages include redhat-release-virtualization-host, ovirt-node, and rhev-hypervisor. Red Hat Virtualization Hosts (RHVH) are installed using a special build of Red Hat Enterprise Linux with only the packages required to host virtual machines. RHVH features a Cockpit user interface for monitoring the host's resources and performing administrative tasks. The following packages have been upgraded to a later upstream version: redhat-release-virtualization-host (4.4.4), redhat-virtualization-host (4.4.4) Changes to the imgbased component: * Previously, the chronyd symlink was removed during the upgrade process. As a result, the chronyd service was disabled following the upgrade. In this release, the chronyd service is enabled after upgrade. (BZ#1903777) Security Fix(es): * lldp/openvswitch: denial of service via externally triggered memory leak (CVE-2020-27827) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/2974891 5. Bugs fixed (https://bugzilla.redhat.com/): 1903777 - chronyd is disabled after upgrading RHV-H 4.4.2 -> 4.4.3 1915877 - Rebase RHV-H 4.4.4 on RHEL 8.3.1 1916659 - Upgrade imgbased to 1.2.16 1921438 - CVE-2020-27827 lldp/openvswitch: denial of service via externally triggered memory leak 1932763 - Rebase RHV-H 4.4.4 on FDP 2.11 (21B) 6. Package List: Red Hat Virtualization 4 Hypervisor for RHEL 8: Source: redhat-virtualization-host-4.4.4-20210307.0.el8_3.src.rpm noarch: redhat-virtualization-host-image-update-4.4.4-20210307.0.el8_3.noarch.rpm RHEL 8-based RHEV-H for RHEV 4 (build requirements): Source: redhat-release-virtualization-host-4.4.4-2.el8ev.src.rpm noarch: redhat-virtualization-host-image-update-placeholder-4.4.4-2.el8ev.noarch.rpm x86_64: redhat-release-virtualization-host-4.4.4-2.el8ev.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2020-27827 https://access.redhat.com/security/updates/classification/#moderate 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2021 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBYFo5HtzjgjWX9erEAQhMtg//Wr6sNIkXoFWvB1Rf6IrjG6mumtZtQROR 7AucVC7FRmoyeqy+HiURXUdyBT4JiapEswPlEqI5Lg1s1pIfm0ONf4vf8CAXr6in u8T6LHR4rREldydYTFoW15KV7fl5O1pKV0m+xsmx6a8Ark9CZvA31x5rdexYEPHI GDjUOc7jh+CF+j+OGsA5mOLoEGTdxSX3j8Wr1rFuTDw+9ceIvddLAPXymc6NVhf7 5NCkRkcDeD/8PPjYYSBE+3c98uANPKGAb0HV+g20wZ46Qn7Jz+gLOYz7RrGDsGH0 yNzGdbZdovCdFkjNp852WswWzK3IK7Qrd3ow52mgweMlqxIMXJ/X7500D94DDiAs F1pkS+qKRdlR6RHfH5yuTBcugmTghDKkrt1+zsXdOja+/f5+Pc3JRIhz6wZIjEsC ZYezIyFhWjQHlkakmMRzdlFXboBNhBr5mGn7z2t0E2aoz/1j+tG7UbIp++HXFxqq 2hdIKGbCn/ETbKE5z3YEq+9Sndezg0GUsSpJTO2R8xre/O3P9bKdSphSF4e4gk0U CTjVTC1BrKUVQ5REb1trJqTHLHk6/igSg24Glez8ztE0WrKc2ncw0NYx8dDYtU7O XTrP6O6oPxU9zTd+22Dh5L/hVLsXndkBZSsoAdKoRBQ51P0WZlxNWObehIz3ZRhf Q5Xmbi8UbaY=QNMM -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://listman.redhat.com/mailman/listinfo/rhsa-announce . Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. Description: Open vSwitch provides standard network bridging functions and support for the OpenFlow protocol for remote per-flow control of traffic. For the stable distribution (buster), these problems have been fixed in version 2.10.6+ds1-0+deb10u1. For the detailed security status of openvswitch please refer to its security tracker page at: https://security-tracker.debian.org/tracker/openvswitch Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-announce@lists.debian.org -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmALHj0ACgkQEMKTtsN8 TjaYHw/6Atkb8+AS+g8R3FpNe0L+Eqie3RzZ1ZOhbJTvkBzeKdusw4dNk7DfsbJt uy/b2hHvooR+MQVpxeDXD/Azpf+k7b1m3LZ7P/fKKsXDmuMX6jge8rai8DZyJdfI IRYjU+yqd6z9ytKRg8bPcXgG/1hmdMznunBdpdLKQnmtH2EsVrflAaqAkABqVjO6 X0NHzUsRrI0yXWLDI3pqD7bc8Oq/TFtHi6BCBVxk3VPegBC3CzAelPfHu5KJeSKC lOyrmc+ut/HbXJexRFzkrrNQsYB2M7/ZgJLv0XQmYaP7vnpu09xaaqYBreCIp8Q9 DZmCy9pLVzop0WNJzdLnRbwhBB2eBZF6qyax6ldvifcN/QAnLLC4Zzg1eNdktrPE Dq9rJ/6U56DycmqKrlyKvlpTHM0IJ4+4TI5yM4OL2/wDkT/Mfjr7lwQbo/Xafy/X +vviNQGFd2z/8aIdkc0auPhGle/VME+mlBBLCNU47HrfaWTIR94PFjKfmTL/9dzM VRz6TfS5yG9kCi9H1xB/94q50no186IVUh5+Jr7SnfCr0sSm5ahNIIEtg5lmvqHd pUDZD7tO0uvcMUIV06xXSealz1ECKzwB0ZaJYfngOZ/KnBr7opZsDXm0wRVZdSBN DFZQX3XNSM1Gi0xHlV6uYQgi2HRuPk5QdW2TqmEN7XUNeQ9xdpI= =BZCg -----END PGP SIGNATURE----- . - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 202311-16 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - https://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: Low Title: Open vSwitch: Multiple Vulnerabilities Date: November 26, 2023 Bugs: #765346, #769995, #803107, #887561 ID: 202311-16 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======= Multiple denial of service vulnerabilites have been found in Open vSwitch. Background ========= Open vSwitch is a production quality multilayer virtual switch. Affected packages ================ Package Vulnerable Unaffected -------------------- ------------ ------------ net-misc/openvswitch < 2.17.6 >= 2.17.6 Description ========== Multiple vulnerabilities have been discovered in Open vSwitch. Please review the CVE identifiers referenced below for details. Impact ===== Please review the referenced CVE identifiers for details. Workaround ========= There is no known workaround at this time. Resolution ========= All Open vSwitch users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=net-misc/openvswitch-2.17.6" References ========= [ 1 ] CVE-2020-27827 https://nvd.nist.gov/vuln/detail/CVE-2020-27827 [ 2 ] CVE-2020-35498 https://nvd.nist.gov/vuln/detail/CVE-2020-35498 [ 3 ] CVE-2021-3905 https://nvd.nist.gov/vuln/detail/CVE-2021-3905 [ 4 ] CVE-2021-36980 https://nvd.nist.gov/vuln/detail/CVE-2021-36980 [ 5 ] CVE-2022-4337 https://nvd.nist.gov/vuln/detail/CVE-2022-4337 [ 6 ] CVE-2022-4338 https://nvd.nist.gov/vuln/detail/CVE-2022-4338 [ 7 ] CVE-2023-1668 https://nvd.nist.gov/vuln/detail/CVE-2023-1668 Availability =========== This GLSA and any updates to it are available for viewing at the Gentoo Security Website: https://security.gentoo.org/glsa/202311-16 Concerns? ======== Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License ====== Copyright 2023 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. https://creativecommons.org/licenses/by-sa/2.5

AFFECTED PRODUCTS

CVSS

PROBLEMTYPE DATA

THREAT TYPE

remote

TYPE

memory leak

PATCH

EXTERNAL IDS

REFERENCES

CREDITS

Red Hat

SOURCES

LAST UPDATE DATE

2024-11-20T21:17:09.815000+00:00

SOURCES UPDATE DATE

SOURCES RELEASE DATE