ID
VAR-202204-2114
CVE
CVE-2022-0669
TITLE
DPDK of data plane development kit Vulnerabilities in Products from Other Vendors
Trust: 0.8
DESCRIPTION
A flaw was found in dpdk. This flaw allows a malicious vhost-user master to attach an unexpected number of fds as ancillary data to VHOST_USER_GET_INFLIGHT_FD / VHOST_USER_SET_INFLIGHT_FD messages that are not closed by the vhost-user slave. By sending such messages continuously, the vhost-user master exhausts available fd in the vhost-user slave process, leading to a denial of service. DPDK of data plane development kit Products from other vendors have unspecified vulnerabilities.Service operation interruption (DoS) It may be in a state. The oldstable distribution (buster) is not affected. For the stable distribution (bullseye), these problems have been fixed in version 20.11.5-1~deb11u1. We recommend that you upgrade your dpdk packages. For the detailed security status of dpdk please refer to its security tracker page at: https://security-tracker.debian.org/tracker/dpdk Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-announce@lists.debian.org -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmJz7AsACgkQEMKTtsN8 TjYeyw/9ECSTRzzVxG0vfic14yz4vbKTayFN7hGkMwIrtpAT+iNcwR/QVznY+sPB VZxnqNRprXz4cXkTHFrIdaur7QFtGE997Eim4gDt52dmtViaKYTqx/I18dGxLnUq Vz+pck34hlAJjQA2qqF4OEaZi6p6u+RltwVN1A1GKQ/EBZ2F1xz1BCpBsXgEmB5J /GXpnBGMp7vlgveiMNDbkhPO0I4aGrmcMhPY5zIKv+ujjNZozxlqRIK83dkzdyoP 0QWoRMI3e3ANNkxLuKOBUK5f3LQf/No0xivxufN36sIEUK0WjLvDFhmt3Bt4FI+P 1j1YAvcc+LSXF7o+yNeD7tN1NguPX/kNiH1MjnimyOf803Fe4sdlwIGadHagf7P4 eEA9gGxCtM4NEydTLAGFw4dqJki9S3JJtA5m9Lw3/ZjhFg8stfM2iVDD45pmROZi LlxjjfmFH0vaQFG2nh/qXENwosk3D3Sl/o7Pinl6yWM/QstlyM6aXGYQLb9edyfS BRv2R/EsaqICA2rFN0W7dDI1eED6GVLJRGY2Hl+sV+n/ezerlIi87JTZ6c3625rv 7izW/Gzns7Az5KmDIi8wjAD1bzYq0M6zRFp9kbZc1M1s5iEvXEIsQpwg9QENGcgS Yv/7+a5NtWSih4e6enBQ0FqAHBUpNjz+q+qL8U5WovpuifsmrIM= =cq6B -----END PGP SIGNATURE----- . ========================================================================== Ubuntu Security Notice USN-5401-1 May 04, 2022 dpdk vulnerabilities ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 22.04 LTS - Ubuntu 21.10 - Ubuntu 20.04 LTS Summary: Several security issues were fixed in DPDK. Software Description: - dpdk: set of libraries for fast packet processing Details: Wenxiang Qian discovered that DPDK incorrectly checked certain payloads. An attacker could use this issue to cause DPDK to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2021-3839) It was discovered that DPDK incorrectly handled inflight type messages. An attacker could possibly use this issue to cause DPDK to consume resources, leading to a denial of service. (CVE-2022-0669) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 22.04 LTS: dpdk 21.11.1-0ubuntu0.3 Ubuntu 21.10: dpdk 20.11.5-0ubuntu1 Ubuntu 20.04 LTS: dpdk 19.11.12-0ubuntu0.20.04.1 In general, a standard system update will make all the necessary changes. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Moderate: openvswitch2.15 security update Advisory ID: RHSA-2022:4787-01 Product: Fast Datapath Advisory URL: https://access.redhat.com/errata/RHSA-2022:4787 Issue date: 2022-05-27 CVE Names: CVE-2021-3839 CVE-2022-0669 ===================================================================== 1. Summary: An update for openvswitch2.15 is now available in Fast Datapath for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Fast Datapath for Red Hat Enterprise Linux 8 - aarch64, noarch, ppc64le, s390x, x86_64 3. Description: Open vSwitch provides standard network bridging functions and support for the OpenFlow protocol for remote per-flow control of traffic. Security Fix(es): * openvswitch2.15: DPDK: Out-of-bounds read/write in vhost_user_set_inflight_fd() may lead to crash (CVE-2021-3839) * openvswitch2.15: DPDK: Sending vhost-user-inflight type messages could lead to DoS (CVE-2022-0669) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 Users of openvswitch2.15 are advised to upgrade to these updated packages, which fix these bugs. 5. Bugs fixed (https://bugzilla.redhat.com/): 2025882 - CVE-2021-3839 DPDK: out-of-bounds read/write in vhost_user_set_inflight_fd() may lead to crash 2055793 - CVE-2022-0669 dpdk: sending vhost-user-inflight type messages could lead to DoS 2070343 - Failed to read database with dns hostname address 2080271 - [22.D RHEL-8] Fast Datapath Release 6. Package List: Fast Datapath for Red Hat Enterprise Linux 8: Source: openvswitch2.15-2.15.0-99.el8fdp.src.rpm aarch64: network-scripts-openvswitch2.15-2.15.0-99.el8fdp.aarch64.rpm openvswitch2.15-2.15.0-99.el8fdp.aarch64.rpm openvswitch2.15-debuginfo-2.15.0-99.el8fdp.aarch64.rpm openvswitch2.15-debugsource-2.15.0-99.el8fdp.aarch64.rpm openvswitch2.15-devel-2.15.0-99.el8fdp.aarch64.rpm openvswitch2.15-ipsec-2.15.0-99.el8fdp.aarch64.rpm python3-openvswitch2.15-2.15.0-99.el8fdp.aarch64.rpm python3-openvswitch2.15-debuginfo-2.15.0-99.el8fdp.aarch64.rpm noarch: openvswitch2.15-test-2.15.0-99.el8fdp.noarch.rpm ppc64le: network-scripts-openvswitch2.15-2.15.0-99.el8fdp.ppc64le.rpm openvswitch2.15-2.15.0-99.el8fdp.ppc64le.rpm openvswitch2.15-debuginfo-2.15.0-99.el8fdp.ppc64le.rpm openvswitch2.15-debugsource-2.15.0-99.el8fdp.ppc64le.rpm openvswitch2.15-devel-2.15.0-99.el8fdp.ppc64le.rpm openvswitch2.15-ipsec-2.15.0-99.el8fdp.ppc64le.rpm python3-openvswitch2.15-2.15.0-99.el8fdp.ppc64le.rpm python3-openvswitch2.15-debuginfo-2.15.0-99.el8fdp.ppc64le.rpm s390x: network-scripts-openvswitch2.15-2.15.0-99.el8fdp.s390x.rpm openvswitch2.15-2.15.0-99.el8fdp.s390x.rpm openvswitch2.15-debuginfo-2.15.0-99.el8fdp.s390x.rpm openvswitch2.15-debugsource-2.15.0-99.el8fdp.s390x.rpm openvswitch2.15-devel-2.15.0-99.el8fdp.s390x.rpm openvswitch2.15-ipsec-2.15.0-99.el8fdp.s390x.rpm python3-openvswitch2.15-2.15.0-99.el8fdp.s390x.rpm python3-openvswitch2.15-debuginfo-2.15.0-99.el8fdp.s390x.rpm x86_64: network-scripts-openvswitch2.15-2.15.0-99.el8fdp.x86_64.rpm openvswitch2.15-2.15.0-99.el8fdp.x86_64.rpm openvswitch2.15-debuginfo-2.15.0-99.el8fdp.x86_64.rpm openvswitch2.15-debugsource-2.15.0-99.el8fdp.x86_64.rpm openvswitch2.15-devel-2.15.0-99.el8fdp.x86_64.rpm openvswitch2.15-ipsec-2.15.0-99.el8fdp.x86_64.rpm python3-openvswitch2.15-2.15.0-99.el8fdp.x86_64.rpm python3-openvswitch2.15-debuginfo-2.15.0-99.el8fdp.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2021-3839 https://access.redhat.com/security/cve/CVE-2022-0669 https://access.redhat.com/security/updates/classification/#moderate 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2022 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBYpEx5NzjgjWX9erEAQilcQ/9E4LMCyo2/tSJR13aOP2BQO99IqKG770u 9Rp9+aGCp1QyurzrYGjn7WXwe0DBHTRNQVaHdJLHzmZAeSNZilXoAg620VzoKSu/ rhVtfy+EJU22H/OVkAUhExcEUIJRB0zQk6CadScdl25BUE/LNCPa2DJiTOMVi2yF G76OloY8FoI1nWVPKGetMMmI6LqOP3Bd+JwD2VG5t+krqmQSD4wKkVrcwS4TLjQm H9ZCRgg4D5G00CgYuEtetMf4A4C23n1Fd9oEdwEbPN2Q7ddSWJ1eNZ1q76p6oPtl sA7A6MXIdz3j05JjdnPRNKTJvXWnwtGYXx114UKWcSgJUYnsqCyd2auhPZSkP7iC 34z2FLzDOV7VeF2gnQTJj0h9iwpJOtcnzwC0X8w94yES5rxXKp5UHB8CiFNkUu6g lqlQKiF1JPmisJBfdlAFC1+Hs/mgJwosNq3JD5nbIaM6410YQk+TEZ331ssjVjFy Bs60J/v++KxAooPqnn0q3dbQsV1ne9pRdpiBWAzkX7mHp8ZRHscBi6zISv6CKDft 2b1CHllt/m35nUF0f6dRlJdbu/mKFixcJWiO3nqrD4TmYprl016VJ73bN30CEJIS GOdd7+rl8it4cuWDAzG7H2aTGnGSSwUr5lOkR9+hKNrO7Fel6n3PrdHS/igJMw7L 5WnVACaEc60= =WSAK -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://listman.redhat.com/mailman/listinfo/rhsa-announce
Trust: 2.25
AFFECTED PRODUCTS
| vendor: | dpdk | model: | data plane development kit | scope: | eq | version: | 22.03 | Trust: 1.0 |
| vendor: | dpdk | model: | data plane development kit | scope: | eq | version: | 19.11 | Trust: 1.0 |
| vendor: | dpdk | model: | data plane development kit | scope: | lt | version: | 22.03 | Trust: 1.0 |
| vendor: | openvswitch | model: | openvswitch | scope: | eq | version: | 2.13.0 | Trust: 1.0 |
| vendor: | dpdk | model: | data plane development kit | scope: | gte | version: | 20.02 | Trust: 1.0 |
| vendor: | openvswitch | model: | openvswitch | scope: | eq | version: | 2.15.0 | Trust: 1.0 |
| vendor: | redhat | model: | openshift container platform | scope: | eq | version: | 4.0 | Trust: 1.0 |
| vendor: | レッドハット | model: | red hat openshift container platform | scope: | - | version: | - | Trust: 0.8 |
| vendor: | dpdk | model: | data plane development kit | scope: | - | version: | - | Trust: 0.8 |
| vendor: | open vswitch | model: | open vswitch | scope: | - | version: | - | Trust: 0.8 |
CVSS
SEVERITY | CVSSV2 | CVSSV3 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
|
PROBLEMTYPE DATA
| problemtype: | CWE-400 | Trust: 1.0 |
| problemtype: | NVD-CWE-noinfo | Trust: 1.0 |
| problemtype: | Lack of information (CWE-noinfo) [NVD evaluation ] | Trust: 0.8 |
THREAT TYPE
local
Trust: 0.6
TYPE
resource management error
Trust: 0.6
PATCH
| title: | DPDK Remediation of resource management error vulnerabilities | url: | http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=194046 | Trust: 0.6 |
| title: | Debian CVElist Bug Report Logs: dpdk: CVE-2021-3839 and CVE-2022-0669 | url: | https://vulmon.com/vendoradvisory?qidtp=debian_cvelist_bugreportlogs&qid=b8bc18397e85f273082ea70c4090f82d | Trust: 0.1 |
| title: | Ubuntu Security Notice: USN-5401-1: DPDK vulnerabilities | url: | https://vulmon.com/vendoradvisory?qidtp=ubuntu_security_notice&qid=USN-5401-1 | Trust: 0.1 |
| title: | Debian Security Advisories: DSA-5130-1 dpdk -- security update | url: | https://vulmon.com/vendoradvisory?qidtp=debian_security_advisories&qid=c1652914039a5559306521c55fe28d7e | Trust: 0.1 |
EXTERNAL IDS
| db: | NVD | id: | CVE-2022-0669 | Trust: 3.9 |
| db: | PACKETSTORM | id: | 166960 | Trust: 0.8 |
| db: | PACKETSTORM | id: | 167299 | Trust: 0.8 |
| db: | JVNDB | id: | JVNDB-2022-016014 | Trust: 0.8 |
| db: | AUSCERT | id: | ESB-2022.3284 | Trust: 0.6 |
| db: | AUSCERT | id: | ESB-2022.2695 | Trust: 0.6 |
| db: | CS-HELP | id: | SB2022052515 | Trust: 0.6 |
| db: | CS-HELP | id: | SB2022053026 | Trust: 0.6 |
| db: | CNNVD | id: | CNNVD-202204-4638 | Trust: 0.6 |
| db: | PACKETSTORM | id: | 167294 | Trust: 0.2 |
| db: | PACKETSTORM | id: | 167298 | Trust: 0.2 |
| db: | VULHUB | id: | VHN-415255 | Trust: 0.1 |
| db: | VULMON | id: | CVE-2022-0669 | Trust: 0.1 |
| db: | PACKETSTORM | id: | 169321 | Trust: 0.1 |
REFERENCES
| url: | https://access.redhat.com/security/cve/cve-2022-0669 | Trust: 3.4 |
| url: | https://bugs.dpdk.org/show_bug.cgi?id=922 | Trust: 2.5 |
| url: | https://bugzilla.redhat.com/show_bug.cgi?id=2055793 | Trust: 2.5 |
| url: | https://github.com/dpdk/dpdk/commit/af74f7db384ed149fe42b21dbd7975f8a54ef227 | Trust: 2.5 |
| url: | https://security-tracker.debian.org/tracker/cve-2022-0669 | Trust: 2.5 |
| url: | https://nvd.nist.gov/vuln/detail/cve-2022-0669 | Trust: 1.3 |
| url: | https://www.cybersecurity-help.cz/vdb/sb2022052515 | Trust: 0.6 |
| url: | https://cxsecurity.com/cveshow/cve-2022-0669/ | Trust: 0.6 |
| url: | https://packetstormsecurity.com/files/167299/red-hat-security-advisory-2022-4786-01.html | Trust: 0.6 |
| url: | https://www.auscert.org.au/bulletins/esb-2022.3284 | Trust: 0.6 |
| url: | https://packetstormsecurity.com/files/166960/ubuntu-security-notice-usn-5401-1.html | Trust: 0.6 |
| url: | https://vigilance.fr/vulnerability/dpdk-overload-via-inflight-type-messages-38252 | Trust: 0.6 |
| url: | https://www.cybersecurity-help.cz/vdb/sb2022053026 | Trust: 0.6 |
| url: | https://www.auscert.org.au/bulletins/esb-2022.2695 | Trust: 0.6 |
| url: | https://nvd.nist.gov/vuln/detail/cve-2021-3839 | Trust: 0.5 |
| url: | https://listman.redhat.com/mailman/listinfo/rhsa-announce | Trust: 0.3 |
| url: | https://access.redhat.com/security/team/key/ | Trust: 0.3 |
| url: | https://access.redhat.com/articles/11258 | Trust: 0.3 |
| url: | https://access.redhat.com/security/cve/cve-2021-3839 | Trust: 0.3 |
| url: | https://access.redhat.com/security/team/contact/ | Trust: 0.3 |
| url: | https://access.redhat.com/security/updates/classification/#moderate | Trust: 0.3 |
| url: | https://bugzilla.redhat.com/): | Trust: 0.3 |
| url: | https://ubuntu.com/security/notices/usn-5401-1 | Trust: 0.2 |
| url: | https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1010641 | Trust: 0.1 |
| url: | https://www.debian.org/security/2022/dsa-5130 | Trust: 0.1 |
| url: | https://www.debian.org/security/faq | Trust: 0.1 |
| url: | https://security-tracker.debian.org/tracker/dpdk | Trust: 0.1 |
| url: | https://www.debian.org/security/ | Trust: 0.1 |
| url: | https://access.redhat.com/errata/rhsa-2022:4786 | Trust: 0.1 |
| url: | https://launchpad.net/ubuntu/+source/dpdk/21.11.1-0ubuntu0.3 | Trust: 0.1 |
| url: | https://launchpad.net/ubuntu/+source/dpdk/20.11.5-0ubuntu1 | Trust: 0.1 |
| url: | https://launchpad.net/ubuntu/+source/dpdk/19.11.12-0ubuntu0.20.04.1 | Trust: 0.1 |
| url: | https://access.redhat.com/errata/rhsa-2022:4787 | Trust: 0.1 |
| url: | https://access.redhat.com/errata/rhsa-2022:4788 | Trust: 0.1 |
CREDITS
Red Hat
Trust: 0.3
SOURCES
| db: | VULHUB | id: | VHN-415255 |
| db: | VULMON | id: | CVE-2022-0669 |
| db: | JVNDB | id: | JVNDB-2022-016014 |
| db: | PACKETSTORM | id: | 169321 |
| db: | PACKETSTORM | id: | 167299 |
| db: | PACKETSTORM | id: | 166960 |
| db: | PACKETSTORM | id: | 167294 |
| db: | PACKETSTORM | id: | 167298 |
| db: | CNNVD | id: | CNNVD-202204-4638 |
| db: | NVD | id: | CVE-2022-0669 |
LAST UPDATE DATE
2024-08-14T12:19:27.380000+00:00
SOURCES UPDATE DATE
| db: | VULHUB | id: | VHN-415255 | date: | 2022-09-01T00:00:00 |
| db: | JVNDB | id: | JVNDB-2022-016014 | date: | 2023-09-29T08:07:00 |
| db: | CNNVD | id: | CNNVD-202204-4638 | date: | 2022-09-02T00:00:00 |
| db: | NVD | id: | CVE-2022-0669 | date: | 2022-09-01T20:35:47.027 |
SOURCES RELEASE DATE
| db: | VULHUB | id: | VHN-415255 | date: | 2022-08-29T00:00:00 |
| db: | JVNDB | id: | JVNDB-2022-016014 | date: | 2023-09-29T00:00:00 |
| db: | PACKETSTORM | id: | 169321 | date: | 2022-05-28T19:12:00 |
| db: | PACKETSTORM | id: | 167299 | date: | 2022-05-30T14:06:20 |
| db: | PACKETSTORM | id: | 166960 | date: | 2022-05-04T21:43:23 |
| db: | PACKETSTORM | id: | 167294 | date: | 2022-05-30T13:56:31 |
| db: | PACKETSTORM | id: | 167298 | date: | 2022-05-30T14:05:41 |
| db: | CNNVD | id: | CNNVD-202204-4638 | date: | 2022-04-29T00:00:00 |
| db: | NVD | id: | CVE-2022-0669 | date: | 2022-08-29T15:15:09.750 |