Vulnerability Name: CVE-2017-14970 (CCN-132865)

Assigned: 2017-09-21
Published: 2017-09-21
Updated: 2019-10-03
Summary: In lib/ofp-util.c in Open vSwitch (OvS) before 2.8.1, there are multiple memory leaks while parsing malformed OpenFlow group mod messages.
Note: the vendor disputes the relevance of this report, stating "it can only be triggered by an OpenFlow controller, but OpenFlow controllers have much more direct and powerful ways to force Open vSwitch to allocate memory, such as by inserting flows into the flow table."
CVSS v3 Severity:
5.9 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)
5.2 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)
Exploitability Metrics:
  Attack Vector (AV): Network
  Attack Complexity (AC): High
  Privileges Required (PR): None
  User Interaction (UI): None
Scope:
  Scope (S): Unchanged
Impact Metrics:
  Confidentiality (C): None
  Integrity (I): None
  Availability (A): High
7.5 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
6.5 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)
Exploitability Metrics:
  Attack Vector (AV): Network
  Attack Complexity (AC): Low
  Privileges Required (PR): None
  User Interaction (UI): None
Scope:
  Scope (S): Unchanged
Impact Metrics:
  Confidentiality (C): None
  Integrity (I): None
  Availability (A): High
CVSS v2 Severity:
4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:N/A:P)
Exploitability Metrics:
  Access Vector (AV): Network
  Access Complexity (AC): Medium
  Authentication (Au): None
Impact Metrics:
  Confidentiality (C): None
  Integrity (I): None
  Availability (A): Partial
7.8 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C)
Exploitability Metrics:
  Access Vector (AV): Network
  Access Complexity (AC): Low
  Authentication (Au): None
Impact Metrics:
  Confidentiality (C): None
  Integrity (I): None
  Availability (A): Complete
Vulnerability Type: CWE-772
Vulnerability Consequences: Denial of Service
References:
Source: MITRE
Type: CNA
CVE-2017-14970

Source: XF
Type: UNKNOWN
openvswitch-cve201714970-dos(132865)

Source: CCN
Type: Open vSwitch Web site
[ovs-dev] [PATCH v4 2/3] ofp-util: Fix memory leaks on error cases in ofputil_decode_group_mod().

Source: CONFIRM
Type: Mailing List, Patch, Vendor Advisory
https://mail.openvswitch.org/pipermail/ovs-dev/2017-September/339085.html

Source: CONFIRM
Type: Mailing List, Patch, Vendor Advisory
https://mail.openvswitch.org/pipermail/ovs-dev/2017-September/339086.html

Vulnerable Configuration:
Configuration 1:
  • cpe:/a:openvswitch:openvswitch:*:*:*:*:*:*:*:* (Version <= 2.8.0)

* Denotes that component is vulnerable
Oval Definitions:
Definition ID | Class | Title | Last Modified
oval:org.opensuse.security:def:201714970 | V | CVE-2017-14970 | 2022-05-22
oval:org.opensuse.security:def:42360 | P | Security update for xen (Important) | 2022-03-23
oval:org.opensuse.security:def:42208 | P | Security update for vim (Important) | 2022-03-04
oval:org.opensuse.security:def:60435 | P | Security update for glib-networking (Important) | 2021-12-13
oval:org.opensuse.security:def:20539 | P | Security update for the Linux Kernel (Live Patch 18 for SLE 12 SP5) (Important) | 2021-11-17
oval:org.opensuse.security:def:38320 | P | Security update for strongswan (Important) | 2021-10-19
oval:org.opensuse.security:def:38332 | P | Security update for transfig (Important) | 2021-10-06
oval:org.opensuse.security:def:44532 | P | Security update for curl (Moderate) | 2021-09-23
oval:org.opensuse.security:def:58820 | P | Security update for xen (Important) | 2021-09-06
oval:org.opensuse.security:def:42116 | P | Security update for openssl-1_1 (Important) | 2021-08-24
oval:org.opensuse.security:def:43493 | P | Security update for kvm (Moderate) | 2021-08-23
oval:org.opensuse.security:def:59522 | P | Security update for MozillaFirefox (Important) | 2021-08-17
oval:org.opensuse.security:def:14984 | P | libdjvulibre21-3.5.25.3-5.3.1 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:14664 | P | libsnmp30-32bit-5.7.3-6.3.1 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:15031 | P | libmspack0-0.4-14.4 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:14672 | P | libsystemd0-228-150.49.2 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:15058 | P | libproxy1-0.4.13-16.3 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:14768 | P | socat-1.7.2.4-3.1 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:14839 | P | automake-1.13.4-6.2 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:14957 | P | libXfont1-1.5.1-11.3.12 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:15042 | P | libopenssl1_1-1.1.1c-2.17.2 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:14698 | P | libykcs11-1-1.5.0-3.16 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:14819 | P | MozillaFirefox-68.1.0-109.92.1 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:14863 | P | cups-filters-1.0.58-19.5.1 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:39072 | P | Security update for libcares2 (Important) | 2021-08-10
oval:org.opensuse.security:def:42104 | P | Security update for the Linux Kernel (Important) | 2021-07-21
oval:org.opensuse.security:def:42105 | P | Security update for curl (Moderate) | 2021-07-21
oval:org.opensuse.security:def:59500 | P | Security update for libnettle (Important) | 2021-06-23
oval:org.opensuse.security:def:20453 | P | Security update for the Linux Kernel (Live Patch 16 for SLE 12 SP5) (Important) | 2021-06-18
oval:org.opensuse.security:def:59499 | P | Security update for xterm (Important) | 2021-06-18
oval:org.opensuse.security:def:58770 | P | Security update for java-1_8_0-openjdk (Moderate) | 2021-06-15
oval:org.opensuse.security:def:55205 | P | Security update for caribou (Important) | 2021-06-10
oval:org.opensuse.security:def:61201 | P | libQt5Concurrent-devel-5.9.4-6.48 on GA media (Moderate) | 2021-06-08
oval:org.opensuse.security:def:42640 | P | libzip1-0.9-1.24.1 on GA media (Moderate) | 2021-06-08
oval:org.opensuse.security:def:15719 | P | apache2-devel-2.4.16-5.1 on GA media (Moderate) | 2021-06-08
oval:org.opensuse.security:def:42538 | P | fvwm2-2.5.26-1.25 on GA media (Moderate) | 2021-06-08
oval:org.opensuse.security:def:61171 | P | glib2-devel-2.54.3-2.13 on GA media (Moderate) | 2021-06-08
oval:org.opensuse.security:def:61121 | P | apparmor-abstractions-2.12-5.9 on GA media (Moderate) | 2021-06-08
oval:org.opensuse.security:def:15696 | P | ruby2.1-rubygem-bundler-1.7.3-1.2 on GA media (Moderate) | 2021-06-08
oval:org.opensuse.security:def:56028 | P | Security update for gstreamer-plugins-bad (Important) | 2021-06-07
oval:org.opensuse.security:def:55183 | P | Security update for avahi (Important) | 2021-06-03
oval:org.opensuse.security:def:58737 | P | Security update for avahi (Important) | 2021-06-03
oval:org.opensuse.security:def:57441 | P | Security update for avahi (Important) | 2021-06-03
oval:org.opensuse.security:def:55182 | P | Security update for bind (Important) | 2021-05-04
oval:org.opensuse.security:def:60242 | P | Security update for libnettle (Important) | 2021-04-28
oval:org.opensuse.security:def:20418 | P | Security update for the Linux Kernel (Important) | 2021-04-15
oval:org.opensuse.security:def:20410 | P | Security update for the Linux Kernel (Live Patch 9 for SLE 12 SP5) (Important) | 2021-04-07
oval:org.opensuse.security:def:55862 | P | Security update for python (Moderate) | 2021-03-16
oval:org.opensuse.security:def:43695 | P | Security update for openldap2 (Important) | 2021-03-04
oval:org.opensuse.security:def:38656 | P | Security update for MozillaFirefox (Important) | 2021-03-01
oval:org.opensuse.security:def:58845 | P | Security update for python3 (Important) | 2021-02-08
oval:org.opensuse.security:def:57964 | P | Security update for MozillaFirefox (Important) | 2021-01-29
oval:org.opensuse.security:def:61078 | P | Security update for ImageMagick (Important) | 2021-01-22
oval:org.opensuse.security:def:43740 | P | Security update for openssl1 (Important) | 2020-12-09
oval:org.opensuse.security:def:42469 | P | xorg-x11-libs-32bit-7.4-8.26.32.1 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:57274 | P | Security update for Xen | 2020-12-01
oval:org.opensuse.security:def:55583 | P | Security update for qemu (Important) | 2020-12-01
oval:org.opensuse.security:def:22235 | P | Security update for postgresql10 (Important) | 2020-12-01
oval:org.opensuse.security:def:20884 | P | Security update for the Linux Kernel (Live Patch 20 for SLE 12 SP1) (Important) | 2020-12-01
oval:org.opensuse.security:def:59682 | P | Security update for python3 (Important) | 2020-12-01
oval:org.opensuse.security:def:39111 | P | libnewt0_52 on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:44395 | P | Security update for dbus-1 (Important) | 2020-12-01
oval:org.opensuse.security:def:21546 | P | Security update for the Linux Kernel (Live Patch 18 for SLE 12 SP2) (Important) | 2020-12-01
oval:org.opensuse.security:def:60121 | P | Security update for the Linux Kernel (Important) | 2020-12-01
oval:org.opensuse.security:def:42880 | P | Security update for the Linux Kernel (Live Patch 18 for SLE 12 SP1) (Important) | 2020-12-01
oval:org.opensuse.security:def:39184 | P | libdirectfb-1_7-1-32bit on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:43494 | P | Security update for the Linux Kernel (Important) | 2020-12-01
oval:org.opensuse.security:def:20597 | P | Security update for MozillaFirefox (Important) | 2020-12-01
oval:org.opensuse.security:def:56313 | P | Security update for ghostscript (Important) | 2020-12-01
oval:org.opensuse.security:def:44475 | P | Security update for python (Important) | 2020-12-01
oval:org.opensuse.security:def:38553 | P | bash on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:58699 | P | Security update for sudo (Important) | 2020-12-01
oval:org.opensuse.security:def:43609 | P | Security update for openvpn (Important) | 2020-12-01
oval:org.opensuse.security:def:20669 | P | Security update for dpkg (Moderate) | 2020-12-01
oval:org.opensuse.security:def:45170 | P | Security update for libzip (Moderate) | 2020-12-01
oval:org.opensuse.security:def:57297 | P | Security update for augeas | 2020-12-01
oval:org.opensuse.security:def:38714 | P | libpoppler-glib8 on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:60856 | P | Security update for mariadb (Low) | 2020-12-01
oval:org.opensuse.security:def:43889 | P | Security update for the Linux Kernel (Live Patch 7 for SLE 12 SP2) (Important) | 2020-12-01
oval:org.opensuse.security:def:20814 | P | Security update for the Linux Kernel (Live Patch 22 for SLE 12 SP1) (Important) | 2020-12-01
oval:org.opensuse.security:def:57680 | P | chrony on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:38964 | P | libgadu3 on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:22353 | P | Security update for vim (Moderate) | 2020-12-01
oval:org.opensuse.security:def:44081 | P | Security update for the Linux Kernel (Live Patch 25 for SLE 12 SP2) (Important) | 2020-12-01
oval:org.opensuse.security:def:42977 | P | Security update for the Linux Kernel (Live Patch 27 for SLE 12 SP1) (Important) | 2020-12-01
oval:org.opensuse.security:def:21572 | P | Security update for openvswitch (Moderate) | 2020-12-01
oval:org.opensuse.security:def:21854 | P | Security update for gdb (Moderate) | 2020-12-01
oval:org.opensuse.security:def:56513 | P | Security update for libvorbis (Moderate) | 2020-12-01
oval:org.opensuse.security:def:23021 | P | Security update for the Linux Kernel (Important) | 2020-12-01
oval:org.opensuse.security:def:44340 | P | Security update for systemd (Important) | 2020-12-01
oval:org.opensuse.security:def:43057 | P | Security update for the Linux Kernel (Live Patch 25 for SLE 12 SP1) (Important) | 2020-12-01
oval:org.opensuse.security:def:22017 | P | Security update for libX11 (Moderate) | 2020-12-01
oval:org.opensuse.security:def:58420 | P | Security update for X Window System client libraries (Moderate) | 2020-12-01
oval:org.opensuse.security:def:56625 | P | Security update for libssh (Important) | 2020-12-01
oval:org.opensuse.security:def:61040 | P | Security update for xen (Important) | 2020-12-01
oval:org.opensuse.security:def:45218 | P | Security update for openvswitch (Moderate) | 2020-12-01
oval:org.opensuse.security:def:55345 | P | patch on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:22110 | P | Security update for the Linux Kernel (Live Patch 28 for SLE 12 SP2) (Important) | 2020-12-01
oval:org.opensuse.security:def:20872 | P | Security update for java-1_7_1-ibm (Important) | 2020-12-01
oval:org.opensuse.security:def:55756 | P | Security update for krb5 (Moderate) | 2020-12-01
oval:org.opensuse.security:def:22274 | P | Security update for sudo (Important) | 2020-12-01
oval:org.opensuse.security:def:20908 | P | Security update for qemu (Important) | 2020-12-01
oval:org.opensuse.security:def:38321 | P | liblua5_2-32bit on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:59936 | P | Security update for postgresql96 (Important) | 2020-12-01
oval:org.opensuse.security:def:42816 | P | Security update for libpng16 (Moderate) | 2020-12-01
oval:org.opensuse.security:def:39139 | P | raptor on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:21799 | P | Security update for xen (Important) | 2020-12-01
oval:org.opensuse.security:def:44446 | P | Security update for MozillaFirefox (Important) | 2020-12-01
oval:org.opensuse.security:def:23050 | P | Security update for openvswitch (Moderate) | 2020-12-01
oval:org.opensuse.security:def:38416 | P | memcached on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:58623 | P | Security update for jasper (Important) | 2020-12-01
oval:org.opensuse.security:def:39822 | P | Security update for pam (Moderate) | 2020-12-01
oval:org.opensuse.security:def:43505 | P | Security update for evince (Important) | 2020-12-01
oval:org.opensuse.security:def:20631 | P | Security update for util-linux (Important) | 2020-12-01
oval:org.opensuse.security:def:56421 | P | Security update for libical (Moderate) | 2020-12-01
oval:org.opensuse.security:def:57275 | P | Security update for Xen | 2020-12-01
oval:org.opensuse.security:def:60736 | P | Security update for ghostscript (Important) | 2020-12-01
oval:org.opensuse.security:def:43774 | P | Security update for libxml2 (Moderate) | 2020-12-01
oval:org.opensuse.security:def:20781 | P | Security update for the Linux Kernel (Live Patch 13 for SLE 12 SP1) (Important) | 2020-12-01
oval:org.opensuse.security:def:38804 | P | sudo on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:22341 | P | Security update for ghostscript (Important) | 2020-12-01
oval:org.opensuse.security:def:43964 | P | Security update for ucode-intel (Important) | 2020-12-01
oval:org.opensuse.security:def:42932 | P | Security update for the Linux Kernel (Live Patch 19 for SLE 12 SP1) (Important) | 2020-12-01
oval:org.opensuse.security:def:21807 | P | Security update for python (Important) | 2020-12-01
oval:org.opensuse.security:def:57855 | P | libsrtp1 on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:39023 | P | lhasa on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:22383 | P | Security update for libX11 (Important) | 2020-12-01
oval:org.opensuse.security:def:44270 | P | Security update for python-cffi, python-cryptography (Moderate) | 2020-12-01
oval:org.opensuse.security:def:43006 | P | Security update for the Linux Kernel (Live Patch 32 for SLE 12 SP1) (Important) | 2020-12-01
oval:org.opensuse.security:def:21953 | P | Security update for python (Moderate) | 2020-12-01
oval:org.opensuse.security:def:58134 | P | Security update for xrdp (Important) | 2020-12-01
oval:org.opensuse.security:def:56587 | P | Security update for compat-openssl098 (Moderate) | 2020-12-01
oval:org.opensuse.security:def:39864 | P | Security update for openvswitch (Moderate) | 2020-12-01
oval:org.opensuse.security:def:60954 | P | Security update for apache2 (Important) | 2020-12-01
oval:org.opensuse.security:def:22057 | P | Security update for java-1_7_0-openjdk (Important) | 2020-12-01
oval:org.opensuse.security:def:58530 | P | Security update for xen (Important) | 2020-12-01
oval:org.opensuse.security:def:56706 | P | Security update for yaml-cpp (Moderate) | 2020-12-01
oval:org.opensuse.security:def:81555 | P | Security update for openvswitch (Moderate) | 2018-01-31
oval:org.opensuse.security:def:84846 | P | Security update for openvswitch (Moderate) | 2017-12-07
oval:com.ubuntu.bionic:def:2017149700000000 | V | CVE-2017-14970 on Ubuntu 18.04 LTS (bionic) - low. | 2017-10-02
oval:com.ubuntu.xenial:def:2017149700000000 | V | CVE-2017-14970 on Ubuntu 16.04 LTS (xenial) - low. | 2017-10-02
oval:com.ubuntu.artful:def:201714970000 | V | CVE-2017-14970 on Ubuntu 17.10 (artful) - low. | 2017-10-01
oval:com.ubuntu.bionic:def:201714970000 | V | CVE-2017-14970 on Ubuntu 18.04 LTS (bionic) - low. | 2017-10-01
oval:com.ubuntu.trusty:def:201714970000 | V | CVE-2017-14970 on Ubuntu 14.04 LTS (trusty) - low. | 2017-10-01
oval:com.ubuntu.xenial:def:201714970000 | V | CVE-2017-14970 on Ubuntu 16.04 LTS (xenial) - low. | 2017-10-01