CVE-2022-32166
Published: 28 September 2022
In ovs versions v0.90.0 through v2.5.0 are vulnerable to heap buffer over-read in flow.c. An unsafe comparison of “minimasks” function could lead access to an unmapped region of memory. This vulnerability is capable of crashing the software, memory modification, and possible remote execution.
Priority
Status
| Package | Release | Status |
|---|---|---|
|
openvswitch Launchpad, Ubuntu, Debian |
bionic |
Released
(2.9.8-0ubuntu0.18.04.3)
|
| focal |
Not vulnerable
(2.13.8-0ubuntu1)
|
|
| jammy |
Not vulnerable
(2.17.2-0ubuntu0.22.04.1)
|
|
| kinetic |
Not vulnerable
(3.0.0-0ubuntu1)
|
|
| trusty |
Ignored
(end of standard support)
|
|
| upstream |
Needs triage
|
|
| xenial |
Released
(2.5.9-0ubuntu0.16.04.3+esm1)
Available with Ubuntu Pro or Ubuntu Pro (Infra-only) |
|
|
Patches: upstream: https://github.com/cloudbase/ovs/commit/2ed6505555cdcb46f9b1f0329d1491b75290fc73 |
||
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 8.8 |
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | Low |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity impact | High |
| Availability impact | High |
| Vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |