{ "threat_severity" : "Important", "public_date" : "2021-02-10T00:00:00Z", "bugzilla" : { "description" : "openvswitch: limitation in the OVS packet parsing in userspace leads to DoS", "id" : "1908845", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1908845" }, "cvss3" : { "cvss3_base_score" : "7.5", "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status" : "verified" }, "cwe" : "CWE-400", "details" : [ "A vulnerability was found in openvswitch. A limitation in the implementation of userspace packet parsing can allow a malicious user to send a specially crafted packet causing the resulting megaflow in the kernel to be too wide, potentially causing a denial of service. The highest threat from this vulnerability is to system availability.", "A vulnerability was found in openvswitch. A limitation in the implementation of userspace packet parsing can allow a malicious user to send a specially crafted packet causing the resulting megaflow in the kernel to be too wide, potentially causing a denial of service. The highest threat from this vulnerability is to system availability." ], "statement" : "Red Hat OpenStack Platform 13's openvswitch package will receive it's fixes from Fast Datapath.", "acknowledgement" : "Red Hat would like to thank Joakim Hindersson for reporting this issue.", "affected_release" : [ { "product_name" : "Fast Datapath for Red Hat Enterprise Linux 7", "release_date" : "2021-03-15T00:00:00Z", "advisory" : "RHSA-2021:0834", "cpe" : "cpe:/o:redhat:enterprise_linux:7::fastdatapath", "package" : "openvswitch2.11-0:2.11.3-86.el7fdp", "impact" : "moderate" }, { "product_name" : "Fast Datapath for Red Hat Enterprise Linux 7", "release_date" : "2021-03-15T00:00:00Z", "advisory" : "RHSA-2021:0835", "cpe" : "cpe:/o:redhat:enterprise_linux:7::fastdatapath", "package" : "openvswitch2.13-0:2.13.0-81.el7fdp", "impact" : "moderate" }, { "product_name" : "Fast Datapath for Red Hat Enterprise Linux 7", "release_date" : "2021-05-20T00:00:00Z", "advisory" : "RHSA-2021:2077", "cpe" : "cpe:/o:redhat:enterprise_linux:7::fastdatapath", "package" : "openvswitch-0:2.9.9-1.el7fdp", "impact" : "moderate" }, { "product_name" : "Fast Datapath for Red Hat Enterprise Linux 8", "release_date" : "2021-02-11T00:00:00Z", "advisory" : "RHSA-2021:0497", "cpe" : "cpe:/o:redhat:enterprise_linux:8::fastdatapath", "package" : "openvswitch2.13-0:2.13.0-79.5.el8fdp", "impact" : "moderate" }, { "product_name" : "Fast Datapath for Red Hat Enterprise Linux 8", "release_date" : "2021-03-15T00:00:00Z", "advisory" : "RHSA-2021:0837", "cpe" : "cpe:/o:redhat:enterprise_linux:8::fastdatapath", "package" : "openvswitch2.11-0:2.11.3-83.el8fdp", "impact" : "moderate" }, { "product_name" : "Red Hat OpenStack Platform 13.0 (Queens)", "release_date" : "2021-06-16T00:00:00Z", "advisory" : "RHSA-2021:2456", "cpe" : "cpe:/a:redhat:openstack:13::el7", "package" : "openvswitch2.11-0:2.11.3-86.el7fdp", "impact" : "moderate" }, { "product_name" : "Red Hat Virtualization 4.2 for Red Hat Enterprise Linux 7.6 EUS", "release_date" : "2021-05-20T00:00:00Z", "advisory" : "RHSA-2021:2077", "cpe" : "cpe:/o:redhat:enterprise_linux:7::hypervisor", "package" : "openvswitch-0:2.9.9-1.el7fdp", "impact" : "moderate" }, { "product_name" : "Red Hat Virtualization 4 for Red Hat Enterprise Linux 7", "release_date" : "2021-03-31T00:00:00Z", "advisory" : "RHSA-2021:1050", "cpe" : "cpe:/o:redhat:enterprise_linux:7::hypervisor", "package" : "openvswitch2.11-0:2.11.3-86.el7fdp", "impact" : "moderate" }, { "product_name" : "Red Hat Virtualization 4 for Red Hat Enterprise Linux 7", "release_date" : "2021-03-31T00:00:00Z", "advisory" : "RHSA-2021:1050", "cpe" : "cpe:/o:redhat:enterprise_linux:7::hypervisor", "package" : "ovn2.11-0:2.11.1-57.el7fdp", "impact" : "moderate" } ], "package_state" : [ { "product_name" : "Fast Datapath for RHEL 7", "fix_state" : "Out of support scope", "package_name" : "openvswitch2.10", "cpe" : "cpe:/o:redhat:enterprise_linux:7::fastdatapath", "impact" : "moderate" }, { "product_name" : "Fast Datapath for RHEL 7", "fix_state" : "Out of support scope", "package_name" : "openvswitch2.12", "cpe" : "cpe:/o:redhat:enterprise_linux:7::fastdatapath", "impact" : "moderate" }, { "product_name" : "Fast Datapath for RHEL 8", "fix_state" : "Out of support scope", "package_name" : "openvswitch2.12", "cpe" : "cpe:/o:redhat:enterprise_linux:8::fastdatapath", "impact" : "moderate" }, { "product_name" : "Red Hat OpenShift Container Platform 4", "fix_state" : "Affected", "package_name" : "openvswitch2.13", "cpe" : "cpe:/a:redhat:openshift:4", "impact" : "moderate" }, { "product_name" : "Red Hat OpenShift Container Platform 4", "fix_state" : "Not affected", "package_name" : "openvswitch2.15", "cpe" : "cpe:/a:redhat:openshift:4" }, { "product_name" : "Red Hat OpenStack Platform 10 (Newton)", "fix_state" : "Out of support scope", "package_name" : "openvswitch", "cpe" : "cpe:/a:redhat:openstack:10", "impact" : "moderate" }, { "product_name" : "Red Hat OpenStack Platform 13 (Queens)", "fix_state" : "Out of support scope", "package_name" : "openvswitch", "cpe" : "cpe:/a:redhat:openstack:13", "impact" : "moderate" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2020-35498\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-35498\nhttps://www.openwall.com/lists/oss-security/2021/02/10/4" ], "name" : "CVE-2020-35498", "csaw" : false }