#VU8432 Improper input validation in Red Hat OpenStack - CVE-2017-9263


Vulnerability identifier: #VU8432

Vulnerability risk: Low

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2017-9263

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Red Hat OpenStack
Server applications / Other server solutions

Vendor: Red Hat Inc.

Description
The vulnerability allows a remote attacker to cause DoS condition on the target system.

The weakness exists in the Open vSwitch (OvS) component due to improper parsing of an OpenFlow role status message. A remote attacker with access to a malicious switch can send a specially crafted OpenFlow role status message, trigger a call to the abort() function for undefined role status reasons in the ofp_print_role_status_message function in lib/ofp-print.c and cause the application to crash.

Successful exploitation of the vulnerability results in denial of service.

Mitigation
Install update from vendor's website.

Vulnerable software versions

Red Hat OpenStack: 7.0

External links
https://access.redhat.com/errata/RHSA-2017:2698

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Ubuntu update for Open vSwitch
Multiple vulnerabilities in Red Hat OpenStack
Multiple vulnerabilities in Red Hat OpenStack 11.0 packages
Red Hat update for openvswitch
Red Hat Enterprise Linux OpenStack Platform 6 update for openvswitch
Multiple vulnerabilities in Red Hat OpenStack 10.0 packages
Red Hat update for openvswitch
SUSE Linux update for openvswitch
Fast Datapath for Red Hat Enterprise Linux 7 update for openvswitch
Fedora 26 update for openvswitch