{
  "threat_severity" : "Moderate",
  "public_date" : "2021-02-23T00:00:00Z",
  "bugzilla" : {
    "description" : "openvswitch: use-after-free in decode_NXAST_RAW_ENCAP during the decoding of a RAW_ENCAP action",
    "id" : "1984473",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1984473"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-416",
  "details" : [ "Open vSwitch (aka openvswitch) 2.11.0 through 2.15.0 has a use-after-free in decode_NXAST_RAW_ENCAP (called from ofpact_decode and ofpacts_decode) during the decoding of a RAW_ENCAP action.", "Open vSwitch (aka openvswitch) has a use-after-free in decode_NXAST_RAW_ENCAP (called from ofpact_decode and ofpacts_decode) during the decoding of a RAW_ENCAP action." ],
  "statement" : "The OpenDaylight component shipped with Red Hat OpenStack Platform will not be updated for this flaw: OpenDaylight was deprecated as of OpenStack Platform 14 and receives security fixes only for Critical flaws, and this flaw is rated Moderate.",
  "affected_release" : [ {
    "product_name" : "Fast Datapath for Red Hat Enterprise Linux 7",
    "release_date" : "2021-04-12T00:00:00Z",
    "advisory" : "RHBA-2021:1166",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7::fastdatapath",
    "package" : "openvswitch2.11-0:2.11.3-89.el7fdp"
  }, {
    "product_name" : "Fast Datapath for Red Hat Enterprise Linux 7",
    "release_date" : "2022-11-21T00:00:00Z",
    "advisory" : "RHBA-2022:8558",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7::fastdatapath",
    "package" : "openvswitch2.13-0:2.13.0-102.el7fdp"
  }, {
    "product_name" : "Fast Datapath for Red Hat Enterprise Linux 8",
    "release_date" : "2021-04-12T00:00:00Z",
    "advisory" : "RHBA-2021:1163",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8::fastdatapath",
    "package" : "openvswitch2.11-0:2.11.3-86.el8fdp"
  }, {
    "product_name" : "Fast Datapath for Red Hat Enterprise Linux 8",
    "release_date" : "2021-06-21T00:00:00Z",
    "advisory" : "RHBA-2021:2508",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8::fastdatapath",
    "package" : "openvswitch2.13-0:2.13.0-114.el8fdp"
  }, {
    "product_name" : "Fast Datapath for Red Hat Enterprise Linux 8",
    "release_date" : "2021-06-21T00:00:00Z",
    "advisory" : "RHBA-2021:2509",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8::fastdatapath",
    "package" : "openvswitch2.15-0:2.15.0-24.el8fdp"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4.9",
    "release_date" : "2021-10-18T00:00:00Z",
    "advisory" : "RHSA-2021:3758",
    "cpe" : "cpe:/a:redhat:openshift:4.9::el8",
    "package" : "openvswitch2.15-0:2.15.0-28.el8fdp"
  }, {
    "product_name" : "Red Hat Virtualization 4 for Red Hat Enterprise Linux 7",
    "release_date" : "2021-10-20T00:00:00Z",
    "advisory" : "RHSA-2021:3942",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7::hypervisor",
    "package" : "openvswitch2.11-0:2.11.3-89.el7fdp"
  } ],
  "package_state" : [ {
    "product_name" : "Fast Datapath for RHEL 7",
    "fix_state" : "Will not fix",
    "package_name" : "openvswitch",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7::fastdatapath"
  }, {
    "product_name" : "Fast Datapath for RHEL 7",
    "fix_state" : "Not affected",
    "package_name" : "openvswitch2.10",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7::fastdatapath"
  }, {
    "product_name" : "Fast Datapath for RHEL 7",
    "fix_state" : "Out of support scope",
    "package_name" : "openvswitch2.12",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7::fastdatapath"
  }, {
    "product_name" : "Fast Datapath for RHEL 7",
    "fix_state" : "Will not fix",
    "package_name" : "openvswitch2.15",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7::fastdatapath"
  }, {
    "product_name" : "Fast Datapath for RHEL 8",
    "fix_state" : "Out of support scope",
    "package_name" : "openvswitch2.12",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8::fastdatapath"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "lldpd",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "lldpd",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Will not fix",
    "package_name" : "openvswitch2.13",
    "cpe" : "cpe:/a:redhat:openshift:4"
  }, {
    "product_name" : "Red Hat OpenStack Platform 10 (Newton)",
    "fix_state" : "Out of support scope",
    "package_name" : "opendaylight",
    "cpe" : "cpe:/a:redhat:openstack:10"
  }, {
    "product_name" : "Red Hat OpenStack Platform 10 (Newton)",
    "fix_state" : "Out of support scope",
    "package_name" : "openvswitch",
    "cpe" : "cpe:/a:redhat:openstack:10"
  }, {
    "product_name" : "Red Hat OpenStack Platform 10 (Newton)",
    "fix_state" : "Out of support scope",
    "package_name" : "openvswitch2.11",
    "cpe" : "cpe:/a:redhat:openstack:10"
  }, {
    "product_name" : "Red Hat OpenStack Platform 13 (Queens)",
    "fix_state" : "Out of support scope",
    "package_name" : "opendaylight",
    "cpe" : "cpe:/a:redhat:openstack:13"
  }, {
    "product_name" : "Red Hat OpenStack Platform 13 (Queens)",
    "fix_state" : "Out of support scope",
    "package_name" : "rhosp-openvswitch",
    "cpe" : "cpe:/a:redhat:openstack:13"
  }, {
    "product_name" : "Red Hat OpenStack Platform 16.1",
    "fix_state" : "Not affected",
    "package_name" : "rhosp-openvswitch",
    "cpe" : "cpe:/a:redhat:openstack:16.1"
  }, {
    "product_name" : "Red Hat OpenStack Platform 16.2",
    "fix_state" : "Not affected",
    "package_name" : "rhosp-openvswitch",
    "cpe" : "cpe:/a:redhat:openstack:16.2"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2021-36980\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-36980\nhttps://bugs.chromium.org/p/oss-fuzz/issues/detail?id=27851" ],
  "name" : "CVE-2021-36980",
  "csaw" : false
}