Security update for openvswitch SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2023:2259-1 Final 1 1 2023-05-22T07:43:46Z current 2023-05-22T07:43:46Z 2023-05-22T07:43:46Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for openvswitch This update for openvswitch fixes the following issues: - CVE-2022-4338: Fixed Integer Underflow in Organization Specific TLV (bsc#1206580). - CVE-2022-4337: Fixed Out-of-Bounds Read in Organization Specific TLV (bsc#1206581). - CVE-2022-32166: Fixed out of bounds read in minimask_equal() (bsc#1203865). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2023-2259,SUSE-SLE-SERVER-12-SP2-BCL-2023-2259 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2023/suse-su-20232259-1/ Link for SUSE-SU-2023:2259-1 https://lists.suse.com/pipermail/sle-security-updates/2023-May/014933.html E-Mail link for SUSE-SU-2023:2259-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1203865 SUSE Bug 1203865 https://bugzilla.suse.com/1206580 SUSE Bug 1206580 https://bugzilla.suse.com/1206581 SUSE Bug 1206581 https://www.suse.com/security/cve/CVE-2022-32166/ SUSE CVE CVE-2022-32166 page https://www.suse.com/security/cve/CVE-2022-4337/ SUSE CVE CVE-2022-4337 page https://www.suse.com/security/cve/CVE-2022-4338/ SUSE CVE CVE-2022-4338 page SUSE Linux Enterprise Server 12 SP2-BCL openvswitch-2.5.11-25.34.1 openvswitch-devel-2.5.11-25.34.1 openvswitch-dpdk-2.5.11-25.34.1 openvswitch-dpdk-devel-2.5.11-25.34.1 openvswitch-dpdk-ovn-2.5.11-25.34.1 openvswitch-dpdk-pki-2.5.11-25.34.1 openvswitch-dpdk-switch-2.5.11-25.34.1 openvswitch-dpdk-test-2.5.11-25.34.1 openvswitch-dpdk-vtep-2.5.11-25.34.1 openvswitch-ovn-2.5.11-25.34.1 openvswitch-pki-2.5.11-25.34.1 openvswitch-switch-2.5.11-25.34.1 openvswitch-test-2.5.11-25.34.1 openvswitch-vtep-2.5.11-25.34.1 python-openvswitch-2.5.11-25.34.1 python-openvswitch-test-2.5.11-25.34.1 openvswitch-2.5.11-25.34.1 as a component of SUSE Linux Enterprise Server 12 SP2-BCL openvswitch-dpdk-2.5.11-25.34.1 as a component of SUSE Linux Enterprise Server 12 SP2-BCL openvswitch-dpdk-switch-2.5.11-25.34.1 as a component of SUSE Linux Enterprise Server 12 SP2-BCL openvswitch-switch-2.5.11-25.34.1 as a component of SUSE Linux Enterprise Server 12 SP2-BCL In ovs versions v0.90.0 through v2.5.0 are vulnerable to heap buffer over-read in flow.c. An unsafe comparison of “minimasks” function could lead access to an unmapped region of memory. This vulnerability is capable of crashing the software, memory modification, and possible remote execution. CVE-2022-32166 SUSE Linux Enterprise Server 12 SP2-BCL:openvswitch-2.5.11-25.34.1 SUSE Linux Enterprise Server 12 SP2-BCL:openvswitch-dpdk-2.5.11-25.34.1 SUSE Linux Enterprise Server 12 SP2-BCL:openvswitch-dpdk-switch-2.5.11-25.34.1 SUSE Linux Enterprise Server 12 SP2-BCL:openvswitch-switch-2.5.11-25.34.1 moderate 6.1 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2023/suse-su-20232259-1/ https://www.suse.com/security/cve/CVE-2022-32166.html CVE-2022-32166 https://bugzilla.suse.com/1203865 SUSE Bug 1203865 An out-of-bounds read in Organization Specific TLV was found in various versions of OpenvSwitch. CVE-2022-4337 SUSE Linux Enterprise Server 12 SP2-BCL:openvswitch-2.5.11-25.34.1 SUSE Linux Enterprise Server 12 SP2-BCL:openvswitch-dpdk-2.5.11-25.34.1 SUSE Linux Enterprise Server 12 SP2-BCL:openvswitch-dpdk-switch-2.5.11-25.34.1 SUSE Linux Enterprise Server 12 SP2-BCL:openvswitch-switch-2.5.11-25.34.1 important 7.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2023/suse-su-20232259-1/ https://www.suse.com/security/cve/CVE-2022-4337.html CVE-2022-4337 https://bugzilla.suse.com/1206581 SUSE Bug 1206581 An integer underflow in Organization Specific TLV was found in various versions of OpenvSwitch. CVE-2022-4338 SUSE Linux Enterprise Server 12 SP2-BCL:openvswitch-2.5.11-25.34.1 SUSE Linux Enterprise Server 12 SP2-BCL:openvswitch-dpdk-2.5.11-25.34.1 SUSE Linux Enterprise Server 12 SP2-BCL:openvswitch-dpdk-switch-2.5.11-25.34.1 SUSE Linux Enterprise Server 12 SP2-BCL:openvswitch-switch-2.5.11-25.34.1 important 7.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2023/suse-su-20232259-1/ https://www.suse.com/security/cve/CVE-2022-4338.html CVE-2022-4338 https://bugzilla.suse.com/1206580 SUSE Bug 1206580