Vulnerability CVE-2017-9265

Vulnerability Name:

CVE-2017-9265 (CCN-127189)

Assigned:

2017-05-26

Published:

2017-05-26

Updated:

2019-10-03

Summary:

In Open vSwitch (OvS) v2.7.0, there is a buffer over-read while parsing the group mod OpenFlow message sent from the controller in `lib/ofp-util.c` in the function `ofputil_pull_ofp15_group_mod`.

CVSS v3 Severity:

9.8 Critical (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
8.5 High (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): High Integrity (I): High Availibility (A): High

7.3 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
6.4 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): Low Integrity (I): Low Availibility (A): Low

CVSS v2 Severity:

7.5 High (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Authentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): Partial Availibility (A): Partial

7.5 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Athentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): Partial Availibility (A): Partial

Vulnerability Type:

CWE-125

Vulnerability Consequences:

Gain Access

References:

Source: MITRE
Type: CNA
CVE-2017-9265

Source: CCN
Type: IBM Security Bulletin T1026032 (PowerKVM)
Vulnerabilities in OpenvSwitch affect PowerKVM

Source: REDHAT
Type: UNKNOWN
RHSA-2017:2418

Source: REDHAT
Type: UNKNOWN
RHSA-2017:2553

Source: REDHAT
Type: UNKNOWN
RHSA-2017:2648

Source: REDHAT
Type: UNKNOWN
RHSA-2017:2665

Source: REDHAT
Type: UNKNOWN
RHSA-2017:2692

Source: REDHAT
Type: UNKNOWN
RHSA-2017:2698

Source: REDHAT
Type: UNKNOWN
RHSA-2017:2727

Source: XF
Type: UNKNOWN
openvswitch-cve20179265-bo(127189)

Source: CCN
Type: Open vSwitch Web site
[ovs-dev] [PATCH] ofp-util: Check length of buckets in ofputil_pull_ofp15_group_mod()

Source: CONFIRM
Type: Mailing List, Patch, Vendor Advisory
https://mail.openvswitch.org/pipermail/ovs-dev/2017-May/332965.html

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2017-9265

Vulnerable Configuration:

Configuration 1:

cpe:/a:openvswitch:openvswitch:2.7.0:*:*:*:*:*:*:*

Configuration CCN 1:

cpe:/a:openvswitch:openvswitch:2.7.0:*:*:*:*:*:*:*

AND

cpe:/a:ibm:powerkvm:3.1:*:*:*:*:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:org.opensuse.security:def:20179265	V	CVE-2017-9265	2022-05-22
oval:org.opensuse.security:def:42360	P	Security update for xen (Important)	2022-03-23
oval:org.opensuse.security:def:42208	P	Security update for vim (Important)	2022-03-04
oval:org.opensuse.security:def:61101	P	Security update for openexr (Moderate)	2021-12-01
oval:org.opensuse.security:def:20539	P	Security update for the Linux Kernel (Live Patch 18 for SLE 12 SP5) (Important)	2021-11-17
oval:org.opensuse.security:def:38320	P	Security update for strongswan (Important)	2021-10-19
oval:org.opensuse.security:def:38332	P	Security update for transfig (Important)	2021-10-06
oval:org.opensuse.security:def:60365	P	Security update for ghostscript (Critical)	2021-09-21
oval:org.opensuse.security:def:58820	P	Security update for xen (Important)	2021-09-06
oval:org.opensuse.security:def:42116	P	Security update for openssl-1_1 (Important)	2021-08-24
oval:org.opensuse.security:def:14819	P	MozillaFirefox-68.1.0-109.92.1 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:14863	P	cups-filters-1.0.58-19.5.1 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:14984	P	libdjvulibre21-3.5.25.3-5.3.1 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:14664	P	libsnmp30-32bit-5.7.3-6.3.1 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:15031	P	libmspack0-0.4-14.4 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:14672	P	libsystemd0-228-150.49.2 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:15058	P	libproxy1-0.4.13-16.3 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:14768	P	socat-1.7.2.4-3.1 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:14839	P	automake-1.13.4-6.2 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:14957	P	libXfont1-1.5.1-11.3.12 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:15042	P	libopenssl1_1-1.1.1c-2.17.2 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:14698	P	libykcs11-1-1.5.0-3.16 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:39072	P	Security update for libcares2 (Important)	2021-08-10
oval:org.opensuse.security:def:42105	P	Security update for curl (Moderate)	2021-07-21
oval:org.opensuse.security:def:42104	P	Security update for the Linux Kernel (Important)	2021-07-21
oval:org.opensuse.security:def:20453	P	Security update for the Linux Kernel (Live Patch 16 for SLE 12 SP5) (Important)	2021-06-18
oval:org.opensuse.security:def:58770	P	Security update for java-1_8_0-openjdk (Moderate)	2021-06-15
oval:org.opensuse.security:def:55205	P	Security update for caribou (Important)	2021-06-10
oval:org.opensuse.security:def:61131	P	binutils-2.29.1-4.46 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:42640	P	libzip1-0.9-1.24.1 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:15719	P	apache2-devel-2.4.16-5.1 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:42538	P	fvwm2-2.5.26-1.25 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:15696	P	ruby2.1-rubygem-bundler-1.7.3-1.2 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:56028	P	Security update for gstreamer-plugins-bad (Important)	2021-06-07
oval:org.opensuse.security:def:55183	P	Security update for avahi (Important)	2021-06-03
oval:org.opensuse.security:def:58737	P	Security update for avahi (Important)	2021-06-03
oval:org.opensuse.security:def:57441	P	Security update for avahi (Important)	2021-06-03
oval:org.opensuse.security:def:55182	P	Security update for bind (Important)	2021-05-04
oval:org.opensuse.security:def:20418	P	Security update for the Linux Kernel (Important)	2021-04-15
oval:org.opensuse.security:def:20410	P	Security update for the Linux Kernel (Live Patch 9 for SLE 12 SP5) (Important)	2021-04-07
oval:org.opensuse.security:def:59612	P	Security update for tomcat (Important)	2021-03-30
oval:org.opensuse.security:def:55862	P	Security update for python (Moderate)	2021-03-16
oval:org.opensuse.security:def:59866	P	Security update for glib2 (Important)	2021-03-16
oval:org.opensuse.security:def:43695	P	Security update for openldap2 (Important)	2021-03-04
oval:org.opensuse.security:def:44376	P	Security update for MozillaFirefox (Important)	2021-03-01
oval:org.opensuse.security:def:38656	P	Security update for MozillaFirefox (Important)	2021-03-01
oval:org.opensuse.security:def:44325	P	Security update for ImageMagick (Moderate)	2021-02-23
oval:org.opensuse.security:def:58845	P	Security update for python3 (Important)	2021-02-08
oval:org.opensuse.security:def:57964	P	Security update for MozillaFirefox (Important)	2021-01-29
oval:org.opensuse.security:def:43740	P	Security update for openssl1 (Important)	2020-12-09
oval:org.opensuse.security:def:42469	P	xorg-x11-libs-32bit-7.4-8.26.32.1 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:21737	P	Security update for krb5 (Important)	2020-12-01
oval:org.opensuse.security:def:57855	P	libsrtp1 on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:39023	P	lhasa on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:22313	P	Security update for webkit2gtk3 (Important)	2020-12-01
oval:org.opensuse.security:def:44200	P	Security update for MozillaFirefox (Important)	2020-12-01
oval:org.opensuse.security:def:43006	P	Security update for the Linux Kernel (Live Patch 32 for SLE 12 SP1) (Important)	2020-12-01
oval:org.opensuse.security:def:21883	P	Security update for the Linux Kernel (Live Patch 21 for SLE 12 SP2) (Important)	2020-12-01
oval:org.opensuse.security:def:58134	P	Security update for xrdp (Important)	2020-12-01
oval:org.opensuse.security:def:56587	P	Security update for compat-openssl098 (Moderate)	2020-12-01
oval:org.opensuse.security:def:39864	P	Security update for openvswitch (Moderate)	2020-12-01
oval:org.opensuse.security:def:60884	P	Security update for the Linux Kernel (Important)	2020-12-01
oval:org.opensuse.security:def:21987	P	Security update for xrdp (Important)	2020-12-01
oval:org.opensuse.security:def:58530	P	Security update for xen (Important)	2020-12-01
oval:org.opensuse.security:def:56706	P	Security update for yaml-cpp (Moderate)	2020-12-01
oval:org.opensuse.security:def:59430	P	Security update for ghostscript (Important)	2020-12-01
oval:org.opensuse.security:def:61008	P	Security update for LibVNCServer (Important)	2020-12-01
oval:org.opensuse.security:def:57274	P	Security update for Xen	2020-12-01
oval:org.opensuse.security:def:55583	P	Security update for qemu (Important)	2020-12-01
oval:org.opensuse.security:def:22165	P	Security update for ntp (Moderate)	2020-12-01
oval:org.opensuse.security:def:20884	P	Security update for the Linux Kernel (Live Patch 20 for SLE 12 SP1) (Important)	2020-12-01
oval:org.opensuse.security:def:39111	P	libnewt0_52 on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:21546	P	Security update for the Linux Kernel (Live Patch 18 for SLE 12 SP2) (Important)	2020-12-01
oval:org.opensuse.security:def:60051	P	Security update for curl (Important)	2020-12-01
oval:org.opensuse.security:def:42880	P	Security update for the Linux Kernel (Live Patch 18 for SLE 12 SP1) (Important)	2020-12-01
oval:org.opensuse.security:def:39184	P	libdirectfb-1_7-1-32bit on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:43424	P	Security update for icu (Moderate)	2020-12-01
oval:org.opensuse.security:def:20597	P	Security update for MozillaFirefox (Important)	2020-12-01
oval:org.opensuse.security:def:56313	P	Security update for ghostscript (Important)	2020-12-01
oval:org.opensuse.security:def:44405	P	Security update for glib2 (Important)	2020-12-01
oval:org.opensuse.security:def:38553	P	bash on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:58699	P	Security update for sudo (Important)	2020-12-01
oval:org.opensuse.security:def:43539	P	Security update for samba (Important)	2020-12-01
oval:org.opensuse.security:def:20669	P	Security update for dpkg (Moderate)	2020-12-01
oval:org.opensuse.security:def:45100	P	Security update for python3 (Moderate)	2020-12-01
oval:org.opensuse.security:def:57297	P	Security update for augeas	2020-12-01
oval:org.opensuse.security:def:38714	P	libpoppler-glib8 on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:60786	P	Security update for libqt5-qtbase (Important)	2020-12-01
oval:org.opensuse.security:def:43819	P	Security update for java-1_8_0-openjdk (Important)	2020-12-01
oval:org.opensuse.security:def:20814	P	Security update for the Linux Kernel (Live Patch 22 for SLE 12 SP1) (Important)	2020-12-01
oval:org.opensuse.security:def:59429	P	Security update for qemu (Moderate)	2020-12-01
oval:org.opensuse.security:def:57680	P	chrony on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:38964	P	libgadu3 on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:22283	P	Security update for libseccomp (Moderate)	2020-12-01
oval:org.opensuse.security:def:44011	P	Security update for xen (Important)	2020-12-01
oval:org.opensuse.security:def:42977	P	Security update for the Linux Kernel (Live Patch 27 for SLE 12 SP1) (Important)	2020-12-01
oval:org.opensuse.security:def:21572	P	Security update for openvswitch (Moderate)	2020-12-01
oval:org.opensuse.security:def:21784	P	Security update for the Linux Kernel (Important)	2020-12-01
oval:org.opensuse.security:def:56513	P	Security update for libvorbis (Moderate)	2020-12-01
oval:org.opensuse.security:def:22951	P	Security update for the Linux Kernel (Live Patch 32 for SLE 12 SP2) (Important)	2020-12-01
oval:org.opensuse.security:def:44270	P	Security update for python-cffi, python-cryptography (Moderate)	2020-12-01
oval:org.opensuse.security:def:43057	P	Security update for the Linux Kernel (Live Patch 25 for SLE 12 SP1) (Important)	2020-12-01
oval:org.opensuse.security:def:21947	P	Security update for the Linux Kernel (Live Patch 32 for SLE 12 SP2) (Important)	2020-12-01
oval:org.opensuse.security:def:58420	P	Security update for X Window System client libraries (Moderate)	2020-12-01
oval:org.opensuse.security:def:56625	P	Security update for libssh (Important)	2020-12-01
oval:org.opensuse.security:def:43423	P	Security update for git (Important)	2020-12-01
oval:org.opensuse.security:def:60970	P	Security update for the Linux Kernel (Important)	2020-12-01
oval:org.opensuse.security:def:45148	P	Security update for openvswitch (Important)	2020-12-01
oval:org.opensuse.security:def:55345	P	patch on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:22040	P	Security update for glibc (Moderate)	2020-12-01
oval:org.opensuse.security:def:20872	P	Security update for java-1_7_1-ibm (Important)	2020-12-01
oval:org.opensuse.security:def:59452	P	Security update for ghostscript (Important)	2020-12-01
oval:org.opensuse.security:def:55756	P	Security update for krb5 (Moderate)	2020-12-01
oval:org.opensuse.security:def:22204	P	Security update for samba (Moderate)	2020-12-01
oval:org.opensuse.security:def:20908	P	Security update for qemu (Important)	2020-12-01
oval:org.opensuse.security:def:38321	P	liblua5_2-32bit on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:42816	P	Security update for libpng16 (Moderate)	2020-12-01
oval:org.opensuse.security:def:39139	P	raptor on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:21729	P	Security update for ImageMagick (Moderate)	2020-12-01
oval:org.opensuse.security:def:22980	P	Security update for openvswitch (Important)	2020-12-01
oval:org.opensuse.security:def:38416	P	memcached on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:60172	P	Security update for the Linux Kernel (Live Patch 33 for SLE 12 SP2) (Important)	2020-12-01
oval:org.opensuse.security:def:58623	P	Security update for jasper (Important)	2020-12-01
oval:org.opensuse.security:def:39822	P	Security update for pam (Moderate)	2020-12-01
oval:org.opensuse.security:def:43435	P	Security update for the Linux Kernel (Important)	2020-12-01
oval:org.opensuse.security:def:20631	P	Security update for util-linux (Important)	2020-12-01
oval:org.opensuse.security:def:56421	P	Security update for libical (Moderate)	2020-12-01
oval:org.opensuse.security:def:44462	P	Security update for LibVNCServer (Critical)	2020-12-01
oval:org.opensuse.security:def:57275	P	Security update for Xen	2020-12-01
oval:org.opensuse.security:def:60666	P	Security update for strongswan (Important)	2020-12-01
oval:org.opensuse.security:def:43704	P	Security update for the Linux Kernel (Live Patch 20 for SLE 12 SP2) (Important)	2020-12-01
oval:org.opensuse.security:def:20781	P	Security update for the Linux Kernel (Live Patch 13 for SLE 12 SP1) (Important)	2020-12-01
oval:org.opensuse.security:def:38804	P	sudo on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:22271	P	Security update for libgcrypt (Moderate)	2020-12-01
oval:org.opensuse.security:def:61051	P	Security update for samba (Important)	2020-12-01
oval:org.opensuse.security:def:43894	P	Security update for MozillaFirefox (Important)	2020-12-01
oval:org.opensuse.security:def:42932	P	Security update for the Linux Kernel (Live Patch 19 for SLE 12 SP1) (Important)	2020-12-01
oval:org.opensuse.security:def:81555	P	Security update for openvswitch (Moderate)	2018-01-31
oval:org.opensuse.security:def:84776	P	Security update for openvswitch (Important)	2017-08-18
oval:com.ubuntu.trusty:def:20179265000	V	CVE-2017-9265 on Ubuntu 14.04 LTS (trusty) - medium.	2017-05-29
oval:com.ubuntu.xenial:def:20179265000	V	CVE-2017-9265 on Ubuntu 16.04 LTS (xenial) - medium.	2017-05-29
oval:com.ubuntu.xenial:def:201792650000000	V	CVE-2017-9265 on Ubuntu 16.04 LTS (xenial) - medium.	2017-05-29

BACK