[Bug 1910608] Re: openvswitch embedded code copy of lldpd is vulnerable to CVE-2015-8011

Steve Beattie 1910608 at bugs.launchpad.net
Fri Jan 15 19:43:37 UTC 2021


** Information type changed from Private Security to Public Security

-- 
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to openvswitch in Ubuntu.
https://bugs.launchpad.net/bugs/1910608

Title:
  openvswitch embedded code copy of lldpd is vulnerable to CVE-2015-8011

Status in openvswitch package in Ubuntu:
  New

Bug description:
  This is a non-public announce for downstream stakeholders.
  Public announce will take place on 13-Jan-2021 along with release
  of new upstream stable versions listed below.

  ---
  For release 13-Jan-2021

  Description
  ===========

  Multiple versions of Open vSwitch are vulnerable to remote buffer
  overflow attacks in which crafted LLDP packets could overflow the
  buffer reserved for management address information in an internal
  OVS data structure.  Triggering the vulnerability requires LLDP
  processing to be enabled for a specific port.  Open vSwitch
  versions before 2.5.x are not vulnerable.

  The Common Vulnerabilities and Exposures project (cve.mitre.org)
  previously assigned the identifier CVE-2015-8011 to this issue for
  the `lldpd` project, and it is appropriate here since Open vSwitch uses
  the same `lldpd` code.
                                                                                                                                                               
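The defect class described above is a fixed-size destination buffer filled from an attacker-controlled length field in the LLDP Management Address TLV. The following parser is an added illustration written for this notification; it is not code from Open vSwitch or lldpd, and the names (`parse_mgmt_addr_tlv`, `struct mgmt_addr`, `MGMT_ADDR_MAX`) and the sample TLV bytes are constructed for the example. It shows the two checks a parser must make before copying: the address string must lie inside the TLV, and it must fit the destination buffer.

```c
/* Illustrative LLDP Management Address TLV parser (added example; not
 * Open vSwitch or lldpd code).  Demonstrates the bounds checks that
 * prevent the overflow class behind CVE-2015-8011. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Management Address TLV value layout (IEEE 802.1AB-2009, 8.5.9):
 *   [0]    management address string length (counts the subtype byte)
 *   [1]    management address subtype (1 = IPv4, 2 = IPv6)
 *   [2..]  management address, (length - 1) bytes
 *   then interface numbering subtype, interface number, OID length, OID. */
#define MGMT_ADDR_MAX 31   /* hypothetical fixed buffer size for the address */

struct mgmt_addr {
    uint8_t subtype;
    uint8_t len;                   /* bytes used in addr[] */
    uint8_t addr[MGMT_ADDR_MAX];   /* fixed-size destination buffer */
};

/* Returns 0 on success, -1 if the TLV is malformed or the address does not
 * fit.  A parser that omits the sizeof-check and memcpy()s the declared
 * length anyway is exactly the overflow the advisory describes. */
int parse_mgmt_addr_tlv(const uint8_t *tlv, size_t tlv_len, struct mgmt_addr *out)
{
    if (tlv_len < 2) {
        return -1;                 /* no room for length + subtype bytes */
    }
    uint8_t addr_str_len = tlv[0];
    if (addr_str_len < 2) {
        return -1;                 /* must cover subtype + at least one byte */
    }
    /* The string occupies tlv[1 .. addr_str_len], so it must end inside the TLV. */
    if ((size_t)addr_str_len + 1 > tlv_len) {
        return -1;                 /* declared length runs past the TLV */
    }
    size_t addr_len = (size_t)addr_str_len - 1;   /* exclude the subtype byte */
    /* ...and the address bytes must fit the fixed-size destination. */
    if (addr_len > sizeof out->addr) {
        return -1;                 /* would overflow out->addr */
    }
    out->subtype = tlv[1];
    out->len = (uint8_t)addr_len;
    memcpy(out->addr, tlv + 2, addr_len);
    return 0;
}

/* Constructed sample TLV values (not captured traffic). */
static const uint8_t sample_ipv4_tlv[] = {
    5, 1, 192, 0, 2, 10,   /* length 5: IPv4 subtype + 4 address bytes */
    2, 0, 0, 0, 1,         /* ifIndex numbering, interface number 1 */
    0                      /* OID length 0 */
};
static struct mgmt_addr parsed_ipv4;

int demo_parse_ipv4(void)
{
    return parse_mgmt_addr_tlv(sample_ipv4_tlv, sizeof sample_ipv4_tlv, &parsed_ipv4);
}
int parsed_ipv4_len(void) { return parsed_ipv4.len; }
int parsed_ipv4_octet(int i) { return parsed_ipv4.addr[i]; }

/* Declared length 200 with enough trailing bytes that only the
 * destination-buffer check can reject it. */
int demo_parse_oversize(void)
{
    uint8_t tlv[256];
    struct mgmt_addr m;
    memset(tlv, 0, sizeof tlv);
    tlv[0] = 200;  /* claims 199 address bytes; only MGMT_ADDR_MAX fit */
    tlv[1] = 2;    /* IPv6 subtype */
    return parse_mgmt_addr_tlv(tlv, sizeof tlv, &m);
}

/* Declared length 5 but the TLV is only 4 bytes long. */
int demo_parse_truncated(void)
{
    const uint8_t tlv[] = {5, 1, 10, 0};
    struct mgmt_addr m;
    return parse_mgmt_addr_tlv(tlv, sizeof tlv, &m);
}

int main(void)
{
    printf("ipv4: %d, oversize: %d, truncated: %d\n",
           demo_parse_ipv4(), demo_parse_oversize(), demo_parse_truncated());
    return 0;
}
```

The second check is the one that matters for this CVE: the first only guards against reading past the packet, while the `sizeof out->addr` comparison is what keeps a large declared length from writing past the fixed buffer.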

  Mitigation
  ==========

  For any version of Open vSwitch, preventing LLDP packets from
  reaching Open vSwitch mitigates the vulnerability.  We do not recommend
  attempting to mitigate the vulnerability this way because of the
  following difficulties:

      - Open vSwitch obtains packets before the iptables host firewall,
        so ebtables on the Open vSwitch host cannot ordinarily block the
        vulnerability.

      - If Open vSwitch is configured to receive and transmit LLDP
        messages, the required functionality will need to be disabled,
        potentially disrupting the network.

  We have found that Open vSwitch is subject to a remote code execution
  exploit when LLDP processing is enabled on an interface.  By default,
  interfaces are not configured to process LLDP messages.


  Fix
  ===

  Patches to fix these vulnerabilities in Open vSwitch 2.5.x and newer are
  applied to the various appropriate branches, and the original patch is
  located at:
     https://mail.openvswitch.org/pipermail/ovs-dev/2020-November/377394.html
