Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 556
Alerts This Week
Warning Icon 1 556

Ubuntu 23.10, 22.04, 20.04 USN-6690-1: Open vSwitch Denial Of Service

ubuntu
Calendar Grey March 12, 2024
Dist Ubuntu Esm H88
A number of security flaws addressed in Open vSwitch impacting numerous Ubuntu versions. Prompt updates are essential for safeguarding.
Several security issues were fixed in Open vSwitch.

Summary

Several security issues were fixed in Open vSwitch.

Software Description:

- openvswitch: Ethernet virtual switch

Details:

Timothy Redaelli and Haresh Khandelwal discovered that Open vSwitch

incorrectly handled certain crafted Geneve packets when hardware offloading

via the netlink path is enabled. A remote attacker could possibly use this

issue to cause Open vSwitch to crash, leading to a denial of service.

(CVE-2023-3966)

It was discovered that Open vSwitch incorrectly handled certain ICMPv6

Neighbor Advertisement packets. A remote attacker could possibly use this

issue to redirect traffic to arbitrary IP addresses. (CVE-2023-5366)

Update Instructions

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 23.10:
   openvswitch-common              3.2.2-0ubuntu0.23.10.1
   python3-openvswitch             3.2.2-0ubuntu0.23.10.1

Ubuntu 22.04 LTS:
   openvswitch-common              2.17.9-0ubuntu0.22.04.1
   python3-openvswitch             2.17.9-0ubuntu0.22.04.1

Ubuntu 20.04 LTS:
   openvswitch-common              2.13.8-0ubuntu1.4
   python3-openvswitch             2.13.8-0ubuntu1.4

This update uses a new upstream release, which includes additional bug
fixes. In general, a standard system update will make all the necessary
changes.

References

https://ubuntu.com/security/notices/USN-6690-1

CVE-2023-3966, CVE-2023-5366

Severity
critical
Lowest
Low
Medium
High
Critical

Ubuntu Security Notice USN-6690-1

Package Information

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.