ID

VAR-202204-2114


CVE

CVE-2022-0669


TITLE

Vulnerability in DPDK (Data Plane Development Kit) and in products from other vendors

Trust: 0.8

sources: JVNDB: JVNDB-2022-016014

DESCRIPTION

A flaw was found in dpdk. This flaw allows a malicious vhost-user master to attach an unexpected number of fds as ancillary data to VHOST_USER_GET_INFLIGHT_FD / VHOST_USER_SET_INFLIGHT_FD messages that are not closed by the vhost-user slave. By sending such messages continuously, the vhost-user master exhausts the available fds in the vhost-user slave process, leading to a denial of service.

DPDK (Data Plane Development Kit) and products from other vendors contain an unspecified vulnerability that may result in a denial-of-service (DoS) condition.

The oldstable distribution (buster) is not affected.

For the stable distribution (bullseye), these problems have been fixed in version 20.11.5-1~deb11u1.

We recommend that you upgrade your dpdk packages.

For the detailed security status of dpdk please refer to its security tracker page at: https://security-tracker.debian.org/tracker/dpdk

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
==========================================================================
Ubuntu Security Notice USN-5401-1
May 04, 2022

dpdk vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS
- Ubuntu 21.10
- Ubuntu 20.04 LTS

Summary:

Several security issues were fixed in DPDK.

Software Description:
- dpdk: set of libraries for fast packet processing

Details:

Wenxiang Qian discovered that DPDK incorrectly checked certain payloads. An attacker could use this issue to cause DPDK to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2021-3839)

It was discovered that DPDK incorrectly handled inflight type messages. An attacker could possibly use this issue to cause DPDK to consume resources, leading to a denial of service. (CVE-2022-0669)

Update instructions:

The problem can be corrected by updating your system to the following package versions:

Ubuntu 22.04 LTS:
  dpdk 21.11.1-0ubuntu0.3

Ubuntu 21.10:
  dpdk 20.11.5-0ubuntu1

Ubuntu 20.04 LTS:
  dpdk 19.11.12-0ubuntu0.20.04.1

In general, a standard system update will make all the necessary changes.

=====================================================================
Red Hat Security Advisory

Synopsis: Moderate: openvswitch2.15 security update
Advisory ID: RHSA-2022:4787-01
Product: Fast Datapath
Advisory URL: https://access.redhat.com/errata/RHSA-2022:4787
Issue date: 2022-05-27
CVE Names: CVE-2021-3839 CVE-2022-0669
=====================================================================

1. Summary:

An update for openvswitch2.15 is now available in Fast Datapath for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Fast Datapath for Red Hat Enterprise Linux 8 - aarch64, noarch, ppc64le, s390x, x86_64

3. Description:

Open vSwitch provides standard network bridging functions and support for the OpenFlow protocol for remote per-flow control of traffic.

Security Fix(es):

* openvswitch2.15: DPDK: Out-of-bounds read/write in vhost_user_set_inflight_fd() may lead to crash (CVE-2021-3839)
* openvswitch2.15: DPDK: Sending vhost-user-inflight type messages could lead to DoS (CVE-2022-0669)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258

Users of openvswitch2.15 are advised to upgrade to these updated packages, which fix these bugs.

5. Bugs fixed (https://bugzilla.redhat.com/):

2025882 - CVE-2021-3839 DPDK: out-of-bounds read/write in vhost_user_set_inflight_fd() may lead to crash
2055793 - CVE-2022-0669 dpdk: sending vhost-user-inflight type messages could lead to DoS
2070343 - Failed to read database with dns hostname address
2080271 - [22.D RHEL-8] Fast Datapath Release

6. Package List:

Fast Datapath for Red Hat Enterprise Linux 8:

Source:
openvswitch2.15-2.15.0-99.el8fdp.src.rpm

aarch64:
network-scripts-openvswitch2.15-2.15.0-99.el8fdp.aarch64.rpm
openvswitch2.15-2.15.0-99.el8fdp.aarch64.rpm
openvswitch2.15-debuginfo-2.15.0-99.el8fdp.aarch64.rpm
openvswitch2.15-debugsource-2.15.0-99.el8fdp.aarch64.rpm
openvswitch2.15-devel-2.15.0-99.el8fdp.aarch64.rpm
openvswitch2.15-ipsec-2.15.0-99.el8fdp.aarch64.rpm
python3-openvswitch2.15-2.15.0-99.el8fdp.aarch64.rpm
python3-openvswitch2.15-debuginfo-2.15.0-99.el8fdp.aarch64.rpm

noarch:
openvswitch2.15-test-2.15.0-99.el8fdp.noarch.rpm

ppc64le:
network-scripts-openvswitch2.15-2.15.0-99.el8fdp.ppc64le.rpm
openvswitch2.15-2.15.0-99.el8fdp.ppc64le.rpm
openvswitch2.15-debuginfo-2.15.0-99.el8fdp.ppc64le.rpm
openvswitch2.15-debugsource-2.15.0-99.el8fdp.ppc64le.rpm
openvswitch2.15-devel-2.15.0-99.el8fdp.ppc64le.rpm
openvswitch2.15-ipsec-2.15.0-99.el8fdp.ppc64le.rpm
python3-openvswitch2.15-2.15.0-99.el8fdp.ppc64le.rpm
python3-openvswitch2.15-debuginfo-2.15.0-99.el8fdp.ppc64le.rpm

s390x:
network-scripts-openvswitch2.15-2.15.0-99.el8fdp.s390x.rpm
openvswitch2.15-2.15.0-99.el8fdp.s390x.rpm
openvswitch2.15-debuginfo-2.15.0-99.el8fdp.s390x.rpm
openvswitch2.15-debugsource-2.15.0-99.el8fdp.s390x.rpm
openvswitch2.15-devel-2.15.0-99.el8fdp.s390x.rpm
openvswitch2.15-ipsec-2.15.0-99.el8fdp.s390x.rpm
python3-openvswitch2.15-2.15.0-99.el8fdp.s390x.rpm
python3-openvswitch2.15-debuginfo-2.15.0-99.el8fdp.s390x.rpm

x86_64:
network-scripts-openvswitch2.15-2.15.0-99.el8fdp.x86_64.rpm
openvswitch2.15-2.15.0-99.el8fdp.x86_64.rpm
openvswitch2.15-debuginfo-2.15.0-99.el8fdp.x86_64.rpm
openvswitch2.15-debugsource-2.15.0-99.el8fdp.x86_64.rpm
openvswitch2.15-devel-2.15.0-99.el8fdp.x86_64.rpm
openvswitch2.15-ipsec-2.15.0-99.el8fdp.x86_64.rpm
python3-openvswitch2.15-2.15.0-99.el8fdp.x86_64.rpm
python3-openvswitch2.15-debuginfo-2.15.0-99.el8fdp.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2021-3839
https://access.redhat.com/security/cve/CVE-2022-0669
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.

Trust: 2.25

sources: NVD: CVE-2022-0669 // JVNDB: JVNDB-2022-016014 // VULHUB: VHN-415255 // VULMON: CVE-2022-0669 // PACKETSTORM: 169321 // PACKETSTORM: 167299 // PACKETSTORM: 166960 // PACKETSTORM: 167294 // PACKETSTORM: 167298

AFFECTED PRODUCTS

vendor: dpdk, model: data plane development kit, scope: eq, version: 22.03

Trust: 1.0

vendor: dpdk, model: data plane development kit, scope: eq, version: 19.11

Trust: 1.0

vendor: dpdk, model: data plane development kit, scope: lt, version: 22.03

Trust: 1.0

vendor: openvswitch, model: openvswitch, scope: eq, version: 2.13.0

Trust: 1.0

vendor: dpdk, model: data plane development kit, scope: gte, version: 20.02

Trust: 1.0

vendor: openvswitch, model: openvswitch, scope: eq, version: 2.15.0

Trust: 1.0

vendor: redhat, model: openshift container platform, scope: eq, version: 4.0

Trust: 1.0

vendor: red hat, model: red hat openshift container platform, scope: -, version: -

Trust: 0.8

vendor: dpdk, model: data plane development kit, scope: -, version: -

Trust: 0.8

vendor: open vswitch, model: open vswitch, scope: -, version: -

Trust: 0.8

sources: JVNDB: JVNDB-2022-016014 // NVD: CVE-2022-0669

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2022-0669
value: MEDIUM

Trust: 1.0

NVD: CVE-2022-0669
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-202204-4638
value: MEDIUM

Trust: 0.6

nvd@nist.gov: CVE-2022-0669
baseSeverity: MEDIUM
baseScore: 6.5
vectorString: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: CHANGED
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: HIGH
exploitabilityScore: 2.0
impactScore: 4.0
version: 3.1

Trust: 1.0

NVD: CVE-2022-0669
baseSeverity: MEDIUM
baseScore: 6.5
vectorString: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: CHANGED
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: JVNDB: JVNDB-2022-016014 // CNNVD: CNNVD-202204-4638 // NVD: CVE-2022-0669

PROBLEMTYPE DATA

problemtype:CWE-400

Trust: 1.0

problemtype:NVD-CWE-noinfo

Trust: 1.0

problemtype: Lack of information (CWE-noinfo) [NVD evaluation]

Trust: 0.8

sources: JVNDB: JVNDB-2022-016014 // NVD: CVE-2022-0669

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-202204-4638

TYPE

resource management error

Trust: 0.6

sources: CNNVD: CNNVD-202204-4638

PATCH

title: DPDK Remediation of resource management error vulnerabilities
url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=194046

Trust: 0.6

title: Debian CVElist Bug Report Logs: dpdk: CVE-2021-3839 and CVE-2022-0669
url: https://vulmon.com/vendoradvisory?qidtp=debian_cvelist_bugreportlogs&qid=b8bc18397e85f273082ea70c4090f82d

Trust: 0.1

title: Ubuntu Security Notice: USN-5401-1: DPDK vulnerabilities
url: https://vulmon.com/vendoradvisory?qidtp=ubuntu_security_notice&qid=USN-5401-1

Trust: 0.1

title: Debian Security Advisories: DSA-5130-1 dpdk -- security update
url: https://vulmon.com/vendoradvisory?qidtp=debian_security_advisories&qid=c1652914039a5559306521c55fe28d7e

Trust: 0.1

Trust: 0.1

sources: VULMON: CVE-2022-0669 // CNNVD: CNNVD-202204-4638

EXTERNAL IDS

db: NVD, id: CVE-2022-0669

Trust: 3.9

db: PACKETSTORM, id: 166960

Trust: 0.8

db: PACKETSTORM, id: 167299

Trust: 0.8

db: JVNDB, id: JVNDB-2022-016014

Trust: 0.8

db: AUSCERT, id: ESB-2022.3284

Trust: 0.6

db: AUSCERT, id: ESB-2022.2695

Trust: 0.6

db: CS-HELP, id: SB2022052515

Trust: 0.6

db: CS-HELP, id: SB2022053026

Trust: 0.6

db: CNNVD, id: CNNVD-202204-4638

Trust: 0.6

db: PACKETSTORM, id: 167294

Trust: 0.2

db: PACKETSTORM, id: 167298

Trust: 0.2

db: VULHUB, id: VHN-415255

Trust: 0.1

db: VULMON, id: CVE-2022-0669

Trust: 0.1

db: PACKETSTORM, id: 169321

Trust: 0.1

sources: VULHUB: VHN-415255 // VULMON: CVE-2022-0669 // JVNDB: JVNDB-2022-016014 // PACKETSTORM: 169321 // PACKETSTORM: 167299 // PACKETSTORM: 166960 // PACKETSTORM: 167294 // PACKETSTORM: 167298 // CNNVD: CNNVD-202204-4638 // NVD: CVE-2022-0669

REFERENCES

url:https://access.redhat.com/security/cve/cve-2022-0669

Trust: 3.4

url:https://bugs.dpdk.org/show_bug.cgi?id=922

Trust: 2.5

url:https://bugzilla.redhat.com/show_bug.cgi?id=2055793

Trust: 2.5

url:https://github.com/dpdk/dpdk/commit/af74f7db384ed149fe42b21dbd7975f8a54ef227

Trust: 2.5

url:https://security-tracker.debian.org/tracker/cve-2022-0669

Trust: 2.5

url:https://nvd.nist.gov/vuln/detail/cve-2022-0669

Trust: 1.3

url:https://www.cybersecurity-help.cz/vdb/sb2022052515

Trust: 0.6

url:https://cxsecurity.com/cveshow/cve-2022-0669/

Trust: 0.6

url:https://packetstormsecurity.com/files/167299/red-hat-security-advisory-2022-4786-01.html

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2022.3284

Trust: 0.6

url:https://packetstormsecurity.com/files/166960/ubuntu-security-notice-usn-5401-1.html

Trust: 0.6

url:https://vigilance.fr/vulnerability/dpdk-overload-via-inflight-type-messages-38252

Trust: 0.6

url:https://www.cybersecurity-help.cz/vdb/sb2022053026

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2022.2695

Trust: 0.6

url:https://nvd.nist.gov/vuln/detail/cve-2021-3839

Trust: 0.5

url:https://listman.redhat.com/mailman/listinfo/rhsa-announce

Trust: 0.3

url:https://access.redhat.com/security/team/key/

Trust: 0.3

url:https://access.redhat.com/articles/11258

Trust: 0.3

url:https://access.redhat.com/security/cve/cve-2021-3839

Trust: 0.3

url:https://access.redhat.com/security/team/contact/

Trust: 0.3

url:https://access.redhat.com/security/updates/classification/#moderate

Trust: 0.3

url:https://bugzilla.redhat.com/

Trust: 0.3

url:https://ubuntu.com/security/notices/usn-5401-1

Trust: 0.2

url:https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1010641

Trust: 0.1

url:https://www.debian.org/security/2022/dsa-5130

Trust: 0.1

url:https://www.debian.org/security/faq

Trust: 0.1

url:https://security-tracker.debian.org/tracker/dpdk

Trust: 0.1

url:https://www.debian.org/security/

Trust: 0.1

url:https://access.redhat.com/errata/rhsa-2022:4786

Trust: 0.1

url:https://launchpad.net/ubuntu/+source/dpdk/21.11.1-0ubuntu0.3

Trust: 0.1

url:https://launchpad.net/ubuntu/+source/dpdk/20.11.5-0ubuntu1

Trust: 0.1

url:https://launchpad.net/ubuntu/+source/dpdk/19.11.12-0ubuntu0.20.04.1

Trust: 0.1

url:https://access.redhat.com/errata/rhsa-2022:4787

Trust: 0.1

url:https://access.redhat.com/errata/rhsa-2022:4788

Trust: 0.1

sources: VULHUB: VHN-415255 // VULMON: CVE-2022-0669 // JVNDB: JVNDB-2022-016014 // PACKETSTORM: 169321 // PACKETSTORM: 167299 // PACKETSTORM: 166960 // PACKETSTORM: 167294 // PACKETSTORM: 167298 // CNNVD: CNNVD-202204-4638 // NVD: CVE-2022-0669

CREDITS

Red Hat

Trust: 0.3

sources: PACKETSTORM: 167299 // PACKETSTORM: 167294 // PACKETSTORM: 167298

SOURCES

db: VULHUB, id: VHN-415255
db: VULMON, id: CVE-2022-0669
db: JVNDB, id: JVNDB-2022-016014
db: PACKETSTORM, id: 169321
db: PACKETSTORM, id: 167299
db: PACKETSTORM, id: 166960
db: PACKETSTORM, id: 167294
db: PACKETSTORM, id: 167298
db: CNNVD, id: CNNVD-202204-4638
db: NVD, id: CVE-2022-0669

LAST UPDATE DATE

2024-08-14T12:19:27.380000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-415255, date: 2022-09-01T00:00:00
db: JVNDB, id: JVNDB-2022-016014, date: 2023-09-29T08:07:00
db: CNNVD, id: CNNVD-202204-4638, date: 2022-09-02T00:00:00
db: NVD, id: CVE-2022-0669, date: 2022-09-01T20:35:47.027

SOURCES RELEASE DATE

db: VULHUB, id: VHN-415255, date: 2022-08-29T00:00:00
db: JVNDB, id: JVNDB-2022-016014, date: 2023-09-29T00:00:00
db: PACKETSTORM, id: 169321, date: 2022-05-28T19:12:00
db: PACKETSTORM, id: 167299, date: 2022-05-30T14:06:20
db: PACKETSTORM, id: 166960, date: 2022-05-04T21:43:23
db: PACKETSTORM, id: 167294, date: 2022-05-30T13:56:31
db: PACKETSTORM, id: 167298, date: 2022-05-30T14:05:41
db: CNNVD, id: CNNVD-202204-4638, date: 2022-04-29T00:00:00
db: NVD, id: CVE-2022-0669, date: 2022-08-29T15:15:09.750