{
  "threat_severity" : "Moderate",
  "public_date" : "2018-09-25T00:00:00Z",
  "bugzilla" : {
    "description" : "openvswitch: Buffer over-read in lib/ofp-actions.c:decode_bundle()",
    "id" : "1632528",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1632528"
  },
  "cvss3" : {
    "cvss3_base_score" : "4.9",
    "cvss3_scoring_vector" : "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-125",
  "details" : [ "An issue was discovered in Open vSwitch (OvS) 2.7.x through 2.7.6. The decode_bundle function inside lib/ofp-actions.c is affected by a buffer over-read issue during BUNDLE action decoding.", "An issue was discovered in Open vSwitch (OvS) 2.5.x through 2.5.5, 2.6.x through 2.6.3, 2.7.x through 2.7.6, 2.8.x through 2.8.4, and 2.9.x through 2.9.2 where the decode_bundle function inside lib/ofp-actions.c is affected by a buffer over-read issue during BUNDLE action decoding.\nA specially crafted flow update applied using the bundling feature of Open vSwitch could potentially cause a crash leading to a denial of service." ],
  "affected_release" : [ {
    "product_name" : "Fast Datapath for Red Hat Enterprise Linux 7",
    "release_date" : "2018-11-05T00:00:00Z",
    "advisory" : "RHSA-2018:3500",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7::fastdatapath",
    "package" : "openvswitch-0:2.9.0-70.el7fdp.1"
  }, {
    "product_name" : "Red Hat OpenStack Platform 10.0 (Newton)",
    "release_date" : "2019-01-16T00:00:00Z",
    "advisory" : "RHSA-2019:0053",
    "cpe" : "cpe:/a:redhat:openstack:10::el7",
    "package" : "openvswitch-0:2.9.0-83.el7fdp.1"
  }, {
    "product_name" : "Red Hat OpenStack Platform 13.0 (Queens)",
    "release_date" : "2019-01-16T00:00:00Z",
    "advisory" : "RHSA-2019:0081",
    "cpe" : "cpe:/a:redhat:openstack:13::el7",
    "package" : "openvswitch-0:2.9.0-83.el7fdp.1"
  }, {
    "product_name" : "Red Hat Virtualization 4.2 for Red Hat Enterprise Linux 7.6 EUS",
    "release_date" : "2018-11-05T00:00:00Z",
    "advisory" : "RHSA-2018:3500",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7::hypervisor",
    "package" : "openvswitch-0:2.9.0-70.el7fdp.1"
  } ],
  "package_state" : [ {
    "product_name" : "Fast Datapath for RHEL 7",
    "fix_state" : "Not affected",
    "package_name" : "openvswitch2.10",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7::fastdatapath"
  }, {
    "product_name" : "Fast Datapath for RHEL 8",
    "fix_state" : "Not affected",
    "package_name" : "openvswitch2.10",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8::fastdatapath"
  }, {
    "product_name" : "Fast Datapath for RHEL 8",
    "fix_state" : "Not affected",
    "package_name" : "openvswitch2.11",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8::fastdatapath"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 3.2",
    "fix_state" : "Not affected",
    "package_name" : "node",
    "cpe" : "cpe:/a:redhat:openshift:3.2"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 3.3",
    "fix_state" : "Not affected",
    "package_name" : "node",
    "cpe" : "cpe:/a:redhat:openshift:3.3"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 3.4",
    "fix_state" : "Not affected",
    "package_name" : "node",
    "cpe" : "cpe:/a:redhat:openshift:3.4"
  }, {
    "product_name" : "Red Hat OpenShift Enterprise 3.0",
    "fix_state" : "Not affected",
    "package_name" : "openvswitch",
    "cpe" : "cpe:/a:redhat:openshift:3.0"
  }, {
    "product_name" : "Red Hat OpenShift Enterprise 3.1",
    "fix_state" : "Not affected",
    "package_name" : "node",
    "cpe" : "cpe:/a:redhat:openshift:3.1"
  }, {
    "product_name" : "Red Hat OpenStack Platform 12 (Pike)",
    "fix_state" : "Will not fix",
    "package_name" : "openvswitch",
    "cpe" : "cpe:/a:redhat:openstack:12"
  }, {
    "product_name" : "Red Hat OpenStack Platform 14 (Rocky)",
    "fix_state" : "Not affected",
    "package_name" : "openvswitch",
    "cpe" : "cpe:/a:redhat:openstack:14"
  }, {
    "product_name" : "Red Hat OpenStack Platform 8 (Liberty)",
    "fix_state" : "Will not fix",
    "package_name" : "openvswitch",
    "cpe" : "cpe:/a:redhat:openstack:8"
  }, {
    "product_name" : "Red Hat OpenStack Platform 9 (Mitaka)",
    "fix_state" : "Will not fix",
    "package_name" : "openvswitch",
    "cpe" : "cpe:/a:redhat:openstack:9"
  }, {
    "product_name" : "Red Hat Virtualization 4",
    "fix_state" : "Affected",
    "package_name" : "redhat-virtualization-host",
    "cpe" : "cpe:/o:redhat:rhev_hypervisor:4"
  }, {
    "product_name" : "Red Hat Virtualization 4",
    "fix_state" : "Will not fix",
    "package_name" : "rhvm-appliance",
    "cpe" : "cpe:/o:redhat:rhev_hypervisor:4"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2018-17206\nhttps://nvd.nist.gov/vuln/detail/CVE-2018-17206" ],
  "name" : "CVE-2018-17206",
  "csaw" : false
}