{
  "threat_severity" : "Moderate",
  "public_date" : "2023-09-26T00:00:00Z",
  "bugzilla" : {
    "description" : "openvswitch: openvswitch don't match packets on nd_target field",
    "id" : "2006347",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2006347"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-345",
  "details" : [ "A flaw was found in Open vSwitch that allows ICMPv6 Neighbor Advertisement packets between virtual machines to bypass OpenFlow rules. This issue may allow a local attacker to create specially crafted packets with a modified or spoofed target IP address field that can redirect ICMPv6 traffic to arbitrary IP addresses.", "A flaw was found in Open vSwitch that allows ICMPv6 Neighbor Advertisement packets between virtual machines to bypass OpenFlow rules. This issue may allow a local attacker to create specially crafted packets with a modified or spoofed target IP address field that can redirect ICMPv6 traffic to arbitrary IP addresses." ],
  "statement" : "Red Hat Enterprise Linux 7 provides the `openvswitch` package only through the unsupported Optional repository. Customers are advised to install Open vSwitch (OVS) from RHEL Fast Datapath instead.\nRed Hat OpenStack Platform 13/16 deployments are not affected because they use openvswitch directly from the Fast Datapath channel. A rhosp-openvswitch update will therefore not be provided at this time. Any updates will be distributed through the Fast Datapath channel.",
  "acknowledgement" : "This issue was discovered by Alex Katz (Red Hat) and Slawomir Kaplonski (Red Hat).",
  "affected_release" : [ {
    "product_name" : "Fast Datapath for Red Hat Enterprise Linux 8",
    "release_date" : "2024-03-07T00:00:00Z",
    "advisory" : "RHSA-2024:1234",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8::fastdatapath",
    "package" : "openvswitch2.17-0:2.17.0-148.el8fdp"
  }, {
    "product_name" : "Fast Datapath for Red Hat Enterprise Linux 8",
    "release_date" : "2024-03-07T00:00:00Z",
    "advisory" : "RHSA-2024:1235",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8::fastdatapath",
    "package" : "openvswitch3.1-0:3.1.0-96.el8fdp"
  }, {
    "product_name" : "Fast Datapath for Red Hat Enterprise Linux 9",
    "release_date" : "2024-03-07T00:00:00Z",
    "advisory" : "RHBA-2024:1226",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9::fastdatapath",
    "package" : "openvswitch2.17-0:2.17.0-131.el9fdp"
  }, {
    "product_name" : "Fast Datapath for Red Hat Enterprise Linux 9",
    "release_date" : "2024-03-07T00:00:00Z",
    "advisory" : "RHBA-2024:1228",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9::fastdatapath",
    "package" : "openvswitch3.2-0:3.2.0-56.el9fdp"
  }, {
    "product_name" : "Fast Datapath for Red Hat Enterprise Linux 9",
    "release_date" : "2024-03-07T00:00:00Z",
    "advisory" : "RHSA-2024:1227",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9::fastdatapath",
    "package" : "openvswitch3.1-0:3.1.0-88.el9fdp"
  } ],
  "package_state" : [ {
    "product_name" : "Fast Datapath for RHEL 7",
    "fix_state" : "Affected",
    "package_name" : "openvswitch",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7::fastdatapath"
  }, {
    "product_name" : "Fast Datapath for RHEL 7",
    "fix_state" : "Out of support scope",
    "package_name" : "openvswitch2.10",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7::fastdatapath"
  }, {
    "product_name" : "Fast Datapath for RHEL 7",
    "fix_state" : "Out of support scope",
    "package_name" : "openvswitch2.11",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7::fastdatapath"
  }, {
    "product_name" : "Fast Datapath for RHEL 7",
    "fix_state" : "Out of support scope",
    "package_name" : "openvswitch2.12",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7::fastdatapath"
  }, {
    "product_name" : "Fast Datapath for RHEL 7",
    "fix_state" : "Out of support scope",
    "package_name" : "openvswitch2.13",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7::fastdatapath"
  }, {
    "product_name" : "Fast Datapath for RHEL 7",
    "fix_state" : "Out of support scope",
    "package_name" : "openvswitch2.15",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7::fastdatapath"
  }, {
    "product_name" : "Fast Datapath for RHEL 8",
    "fix_state" : "Out of support scope",
    "package_name" : "openvswitch2.11",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8::fastdatapath"
  }, {
    "product_name" : "Fast Datapath for RHEL 8",
    "fix_state" : "Out of support scope",
    "package_name" : "openvswitch2.12",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8::fastdatapath"
  }, {
    "product_name" : "Fast Datapath for RHEL 8",
    "fix_state" : "Out of support scope",
    "package_name" : "openvswitch2.13",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8::fastdatapath"
  }, {
    "product_name" : "Fast Datapath for RHEL 8",
    "fix_state" : "Out of support scope",
    "package_name" : "openvswitch2.15",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8::fastdatapath"
  }, {
    "product_name" : "Fast Datapath for RHEL 8",
    "fix_state" : "Out of support scope",
    "package_name" : "openvswitch2.16",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8::fastdatapath"
  }, {
    "product_name" : "Fast Datapath for RHEL 9",
    "fix_state" : "Out of support scope",
    "package_name" : "openvswitch3.0",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9::fastdatapath"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Will not fix",
    "package_name" : "openvswitch",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 3.11",
    "fix_state" : "Out of support scope",
    "package_name" : "openvswitch-ovn-kubernetes",
    "cpe" : "cpe:/a:redhat:openshift:3.11"
  }, {
    "product_name" : "Red Hat OpenStack Platform 16.1",
    "fix_state" : "Not affected",
    "package_name" : "rhosp-openvswitch",
    "cpe" : "cpe:/a:redhat:openstack:16.1"
  }, {
    "product_name" : "Red Hat OpenStack Platform 16.2",
    "fix_state" : "Not affected",
    "package_name" : "rhosp-openvswitch",
    "cpe" : "cpe:/a:redhat:openstack:16.2"
  }, {
    "product_name" : "Red Hat Virtualization 4",
    "fix_state" : "Affected",
    "package_name" : "openvswitch2.11",
    "cpe" : "cpe:/o:redhat:rhev_hypervisor:4"
  }, {
    "product_name" : "Red Hat Virtualization 4",
    "fix_state" : "Affected",
    "package_name" : "redhat-virtualization-host",
    "cpe" : "cpe:/o:redhat:rhev_hypervisor:4"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2023-5366\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-5366\nhttps://mail.openvswitch.org/pipermail/ovs-announce/2024-February/000342.html" ],
  "name" : "CVE-2023-5366",
  "csaw" : false
}