openEuler 20.03 LTS update for dpdk
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 5 |
| CVE-ID | CVE-2020-14374 CVE-2020-14375 CVE-2020-14376 CVE-2020-14377 CVE-2020-14378 |
| CWE-ID | CWE-119 CWE-264 CWE-125 CWE-190 |
| Exploitation vector | Local network |
| Public exploit | N/A |
| Vulnerable software |
openEuler Operating systems & Components / Operating system dpdk-tools Operating systems & Components / Operating system package or component dpdk-debuginfo Operating systems & Components / Operating system package or component dpdk-debugsource Operating systems & Components / Operating system package or component dpdk-devel Operating systems & Components / Operating system package or component dpdk-doc Operating systems & Components / Operating system package or component dpdk Operating systems & Components / Operating system package or component |
| Vendor | openEuler |
Security Bulletin
This security bulletin contains information about 5 vulnerabilities.
1) Buffer overflow
EUVDB-ID: #VU47308
Risk: Medium
CVSSv4.0: 6.1 [CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2020-14374
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote user to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error within the copy_data() function. A remote user on a guest OS can run a specially crafted program to trigger memory corruption vhost_crypto application and execute arbitrary code on the host system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationInstall updates from vendor's repository.
Vulnerable software versionsopenEuler: 20.03 LTS
dpdk-tools: before 19.11-5
dpdk-debuginfo: before 19.11-5
dpdk-debugsource: before 19.11-5
dpdk-devel: before 19.11-5
dpdk-doc: before 19.11-5
dpdk: before 19.11-5
CPE2.3- cpe:2.3:o:openeuler:openeuler:20.03:LTS:*:*:*:*:*:*
- cpe:2.3:a:openeuler:dpdk-tools:*:*:*:*:*:openeuler:*:*
- cpe:2.3:a:openeuler:dpdk-debuginfo:*:*:*:*:*:openeuler:*:*
- cpe:2.3:a:openeuler:dpdk-debugsource:*:*:*:*:*:openeuler:*:*
- cpe:2.3:a:openeuler:dpdk-devel:*:*:*:*:*:openeuler:*:*
- cpe:2.3:a:openeuler:dpdk-doc:*:*:*:*:*:openeuler:*:*
- cpe:2.3:a:openeuler:dpdk:*:*:*:*:*:openeuler:*:*
https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2020-1126
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the local network (LAN).
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Permissions, Privileges, and Access Controls
EUVDB-ID: #VU47309
Risk: Medium
CVSSv4.0: 6.1 [CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2020-14375
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a remote user to compromise the host OS.
The vulnerability exists due to Virtio ring descriptors and the data they describe are in a region of
memory accessible by from both the virtual machine and the host. An attacker with access to the guest OS can change the contents of the memory after vhost_crypto has validated it and execute arbitrary code on the host OS.
Install updates from vendor's repository.
Vulnerable software versionsopenEuler: 20.03 LTS
dpdk-tools: before 19.11-5
dpdk-debuginfo: before 19.11-5
dpdk-debugsource: before 19.11-5
dpdk-devel: before 19.11-5
dpdk-doc: before 19.11-5
dpdk: before 19.11-5
CPE2.3- cpe:2.3:o:openeuler:openeuler:20.03:LTS:*:*:*:*:*:*
- cpe:2.3:a:openeuler:dpdk-tools:*:*:*:*:*:openeuler:*:*
- cpe:2.3:a:openeuler:dpdk-debuginfo:*:*:*:*:*:openeuler:*:*
- cpe:2.3:a:openeuler:dpdk-debugsource:*:*:*:*:*:openeuler:*:*
- cpe:2.3:a:openeuler:dpdk-devel:*:*:*:*:*:openeuler:*:*
- cpe:2.3:a:openeuler:dpdk-doc:*:*:*:*:*:openeuler:*:*
- cpe:2.3:a:openeuler:dpdk:*:*:*:*:*:openeuler:*:*
https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2020-1126
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the local network (LAN).
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Buffer overflow
EUVDB-ID: #VU47310
Risk: Medium
CVSSv4.0: 6.1 [CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2020-14376
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote user to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when copying iv_data from the VM guest memory into host memory. A remote user on the guest OS can run a specially crafted program to trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationInstall updates from vendor's repository.
Vulnerable software versionsopenEuler: 20.03 LTS
dpdk-tools: before 19.11-5
dpdk-debuginfo: before 19.11-5
dpdk-debugsource: before 19.11-5
dpdk-devel: before 19.11-5
dpdk-doc: before 19.11-5
dpdk: before 19.11-5
CPE2.3- cpe:2.3:o:openeuler:openeuler:20.03:LTS:*:*:*:*:*:*
- cpe:2.3:a:openeuler:dpdk-tools:*:*:*:*:*:openeuler:*:*
- cpe:2.3:a:openeuler:dpdk-debuginfo:*:*:*:*:*:openeuler:*:*
- cpe:2.3:a:openeuler:dpdk-debugsource:*:*:*:*:*:openeuler:*:*
- cpe:2.3:a:openeuler:dpdk-devel:*:*:*:*:*:openeuler:*:*
- cpe:2.3:a:openeuler:dpdk-doc:*:*:*:*:*:openeuler:*:*
- cpe:2.3:a:openeuler:dpdk:*:*:*:*:*:openeuler:*:*
https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2020-1126
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the local network (LAN).
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Out-of-bounds read
EUVDB-ID: #VU47311
Risk: Medium
CVSSv4.0: 4.7 [CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2020-14377
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
DescriptionThe vulnerability allows a remote user to gain access to potentially sensitive information.
The vulnerability exists due to a boundary condition. A remote user on the guest OS can run a specially crafted program to trigger out-of-bounds read error and read contents of memory of the host OS.
Install updates from vendor's repository.
Vulnerable software versionsopenEuler: 20.03 LTS
dpdk-tools: before 19.11-5
dpdk-debuginfo: before 19.11-5
dpdk-debugsource: before 19.11-5
dpdk-devel: before 19.11-5
dpdk-doc: before 19.11-5
dpdk: before 19.11-5
CPE2.3- cpe:2.3:o:openeuler:openeuler:20.03:LTS:*:*:*:*:*:*
- cpe:2.3:a:openeuler:dpdk-tools:*:*:*:*:*:openeuler:*:*
- cpe:2.3:a:openeuler:dpdk-debuginfo:*:*:*:*:*:openeuler:*:*
- cpe:2.3:a:openeuler:dpdk-debugsource:*:*:*:*:*:openeuler:*:*
- cpe:2.3:a:openeuler:dpdk-devel:*:*:*:*:*:openeuler:*:*
- cpe:2.3:a:openeuler:dpdk-doc:*:*:*:*:*:openeuler:*:*
- cpe:2.3:a:openeuler:dpdk:*:*:*:*:*:openeuler:*:*
https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2020-1126
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the local network (LAN).
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) Integer overflow
EUVDB-ID: #VU47312
Risk: Medium
CVSSv4.0: 4.6 [CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2020-14378
CWE-ID:
CWE-190 - Integer overflow
Exploit availability: No
DescriptionThe vulnerability allows a remote user to perform a denial of service (DoS) attack.
The vulnerability exists due to integer overflow in the move_desc() function. A remote user on the guest OS can consume large amounts of CPU cycles and prevent other VMs or network tasks from being serviced by the busy DPDK lcore for an extended period.
MitigationInstall updates from vendor's repository.
Vulnerable software versionsopenEuler: 20.03 LTS
dpdk-tools: before 19.11-5
dpdk-debuginfo: before 19.11-5
dpdk-debugsource: before 19.11-5
dpdk-devel: before 19.11-5
dpdk-doc: before 19.11-5
dpdk: before 19.11-5
CPE2.3- cpe:2.3:o:openeuler:openeuler:20.03:LTS:*:*:*:*:*:*
- cpe:2.3:a:openeuler:dpdk-tools:*:*:*:*:*:openeuler:*:*
- cpe:2.3:a:openeuler:dpdk-debuginfo:*:*:*:*:*:openeuler:*:*
- cpe:2.3:a:openeuler:dpdk-debugsource:*:*:*:*:*:openeuler:*:*
- cpe:2.3:a:openeuler:dpdk-devel:*:*:*:*:*:openeuler:*:*
- cpe:2.3:a:openeuler:dpdk-doc:*:*:*:*:*:openeuler:*:*
- cpe:2.3:a:openeuler:dpdk:*:*:*:*:*:openeuler:*:*
https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2020-1126
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the local network (LAN).
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
