CVE-2023-1668
First published: Tue Oct 25 2022(Updated: )
A flaw was found in openvswitch (OVS). When processing an IP packet with protocol 0, OVS will install the datapath flow without the action modifying the IP header. This issue results (for both kernel and userspace datapath) in installing a datapath flow matching all IP protocols (nw_proto is wildcarded) for this flow, but with an incorrect action, possibly causing incorrect handling of other IP packets with a != 0 IP protocol that matches this dp flow.
Credit: secalert@redhat.com secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| debian/openvswitch | <=2.15.0+ds1-2<=3.1.0-1 | 3.1.0-2 2.15.0+ds1-2+deb11u4 |
| Cloudbase Open Vswitch | >=1.5.0<2.13.11 | |
| Cloudbase Open Vswitch | >=2.14.0<2.14.9 | |
| Cloudbase Open Vswitch | >=2.15.0<2.15.8 | |
| Cloudbase Open Vswitch | >=2.16.0<2.16.7 | |
| Cloudbase Open Vswitch | >=2.17.0<2.17.6 | |
| Cloudbase Open Vswitch | >=3.0.0<3.0.4 | |
| Cloudbase Open Vswitch | =3.1.0 | |
| Debian Debian Linux | =11.0 | |
| Redhat Openshift Container Platform | =4.0 | |
| Redhat Openstack Platform | =16.1 | |
| Redhat Openstack Platform | =16.2 | |
| Redhat Openstack Platform | =17.0 | |
| Redhat Virtualization | =4.0 | |
| Redhat Fast Datapath | ||
| Redhat Enterprise Linux | =7.0 | |
| Redhat Enterprise Linux | =8.0 | |
| debian/openvswitch | <=2.10.7+ds1-0+deb10u1 | 2.10.7+ds1-0+deb10u4 2.15.0+ds1-2+deb11u4 3.1.0-2 3.2.2~git20231029-2 |
| All of | ||
| Any of | ||
| Redhat Enterprise Linux | =7.0 | |
| Redhat Enterprise Linux | =8.0 | |
| Redhat Fast Datapath | ||
| redhat/ovs | <3.1.1 | 3.1.1 |
| redhat/ovs | <3.0.4 | 3.0.4 |
| redhat/ovs | <2.17.6 | 2.17.6 |
| redhat/ovs | <2.16.7 | 2.16.7 |
| redhat/ovs | <2.15.8 | 2.15.8 |
| redhat/ovs | <2.14.9 | 2.14.9 |
| redhat/ovs | <2.13.11 | 2.13.11 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://security-tracker.debian.org/tracker/CVE-2023-1668
- https://www.cve.org/CVERecord?id=CVE-2023-1668
- https://www.openwall.com/lists/oss-security/2023/04/06/1
- https://salsa.debian.org/openstack-team/third-party/openvswitch/-/commit/6e7cc9dcb5c5303c171847398938155a50d06907
- https://bugs.debian.org/1034042
- https://salsa.debian.org/openstack-team/third-party/openvswitch/-/commit/345f17c6b265e9692640ad98b3b1571fc2a2c6db
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1034042
- https://bugzilla.redhat.com/show_bug.cgi?id=2137666
- https://www.debian.org/security/2023/dsa-5387
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/V2GUNS3WSJG4TUDKZ5L7FXGJMVOD6EJZ/
- https://lists.debian.org/debian-lts-announce/2023/05/msg00000.html
- https://security.gentoo.org/glsa/202311-16
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/V2GUNS3WSJG4TUDKZ5L7FXGJMVOD6EJZ/
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2186245
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2186246
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2186247
- https://access.redhat.com/errata/RHSA-2023:1766
- https://access.redhat.com/errata/RHSA-2023:1769
- https://access.redhat.com/errata/RHSA-2023:1765
- https://access.redhat.com/errata/RHSA-2023:1770
- https://access.redhat.com/errata/RHSA-2023:1823
- https://access.redhat.com/errata/RHSA-2023:1824
- https://access.redhat.com/security/cve/cve-2023-1668
- https://access.redhat.com/errata/RHSA-2023:3491
- https://github.com/openvswitch/ovs/commit/61b39d8c4797f1b668e4d5e5350d639fca6082a9
- https://github.com/openvswitch/ovs/commit/f36509fd64e339ffd33593451099be6baa12ffe6
Frequently Asked Questions
What is the vulnerability ID for this flaw?
The vulnerability ID for this flaw is CVE-2023-1668.
What is the severity of CVE-2023-1668?
CVE-2023-1668 has a severity value of 8.2 (high).
What is the affected software for CVE-2023-1668?
The affected software for CVE-2023-1668 includes openvswitch versions 1.5.0 to 2.13.11, 2.14.0 to 2.14.9, 2.15.0 to 2.15.8, 2.16.0 to 2.16.7, 2.17.0 to 2.17.6, and 3.0.0 to 3.0.4.
How can I fix the vulnerability CVE-2023-1668?
To fix the vulnerability CVE-2023-1668, update openvswitch to version 2.10.7+ds1-0+deb10u4, 2.15.0+ds1-2+deb11u4, 3.1.0-2, or 3.2.0-2, depending on your distribution.
Where can I find more information about CVE-2023-1668?
More information about CVE-2023-1668 can be found in the references: https://www.openwall.com/lists/oss-security/2023/04/06/1, https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2186245, and https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2186246.
- collector/debian-bugs
- alias/CVE-2023-1668
- collector/nvd-index
- collector/security-tracker-debian
- collector/nvd-api
- agent/author
- agent/type
- agent/first-publish-date
- agent/remedy
- agent/weakness
- agent/severity
- agent/references
- agent/description
- collector/redhat-bugzilla
- source/Red Hat
- agent/software-canonical-lookup
- agent/last-modified-date
- agent/softwarecombine
- agent/tags
- agent/event
- collector/mitre-cve
- source/MITRE
- package-manager/debian
- vendor/cloudbase
- canonical/cloudbase open vswitch
- version/cloudbase open vswitch/1.5.0
- version/cloudbase open vswitch/2.14.0
- version/cloudbase open vswitch/2.15.0
- version/cloudbase open vswitch/2.16.0
- version/cloudbase open vswitch/2.17.0
- version/cloudbase open vswitch/3.0.0
- version/cloudbase open vswitch/3.1.0
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/11.0
- vendor/redhat
- canonical/redhat openshift container platform
- version/redhat openshift container platform/4.0
- canonical/redhat openstack platform
- version/redhat openstack platform/16.1
- version/redhat openstack platform/16.2
- version/redhat openstack platform/17.0
- canonical/redhat virtualization
- version/redhat virtualization/4.0
- canonical/redhat fast datapath
- canonical/redhat enterprise linux
- version/redhat enterprise linux/7.0
- version/redhat enterprise linux/8.0
- package-manager/redhat