Candidate: CVE-2017-14970
PublicDate: 2017-10-02 01:29:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14970
 https://mail.openvswitch.org/pipermail/ovs-dev/2017-September/339085.html
 https://mail.openvswitch.org/pipermail/ovs-dev/2017-September/339086.html
Description:
 In lib/ofp-util.c in Open vSwitch (OvS) before 2.8.1, there are multiple
 memory leaks while parsing malformed OpenFlow group mod messages. NOTE: the
 vendor disputes the relevance of this report, stating "it can only be
 triggered by an OpenFlow controller, but OpenFlow controllers have much
 more direct and powerful ways to force Open vSwitch to allocate memory,
 such as by inserting flows into the flow table."
Ubuntu-Description:
Notes:
 mdeslaur> upstream is working to get this CVE rejected.
 mdeslaur> https://mail.openvswitch.org/pipermail/ovs-dev/2017-October/339432.html
 mdeslaur> marking as ignored
Bugs:
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=877543
Priority: low
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H [5.9 MEDIUM]

Patches_openvswitch:
upstream_openvswitch: released (2.8.1)
precise/esm_openvswitch: DNE
trusty_openvswitch: ignored
trusty/esm_openvswitch: DNE (trusty was ignored)
vivid/ubuntu-core_openvswitch: DNE
xenial_openvswitch: ignored
esm-infra/xenial_openvswitch: ignored
zesty_openvswitch: ignored (reached end-of-life)
artful_openvswitch: ignored (reached end-of-life)
bionic_openvswitch: not-affected (2.9.0-0ubuntu1)
devel_openvswitch: not-affected (2.10.0-0ubuntu2)