SB2017081805 - SUSE Linux update for openvswitch 

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2017081805

SB2017081805 - SUSE Linux update for openvswitch

Published: August 18, 2017

Security Bulletin ID SB2017081805
Severity
Low
Patch available
YES
Number of vulnerabilities 2
Exploitation vector Remote access
Highest impact Denial of service

Breakdown by Severity

Low 100%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 2 secuirty vulnerabilities.


1) Improper input validation (CVE-ID: CVE-2017-9263)

The vulnerability allows a remote attacker to cause DoS condition on the target system.

The weakness exists in the Open vSwitch (OvS) component due to improper parsing of an OpenFlow role status message. A remote attacker with access to a malicious switch can send a specially crafted OpenFlow role status message, trigger a call to the abort() function for undefined role status reasons in the ofp_print_role_status_message function in lib/ofp-print.c and cause the application to crash.

Successful exploitation of the vulnerability results in denial of service.

2) Buffer over-read (CVE-ID: CVE-2017-9265)

The vulnerability allows a remote attacker to cause DoS condition on the target system.

The weakness exists in the Open vSwitch (OvS) component due to improper parsing of GroupMod OpenFlow messages. A remote attacker can send a specially crafted GroupMod OpenFlow message from the controller in lib/ofp-util.c in the ofputil_pull_ofp15_group_mod function, trigger buffer over-read and cause the application to crash.

Successful exploitation of the vulnerability results in denial of service.

Remediation

Install update from vendor's website.

References