CVE-2023-1668: A flaw was found in openvswitch (OVS). When processing an IP packet with protocol 0, OVS will install the datapath flow without the action modifying the IP…

high8.2CVSS 3.1

AVNACLPRNUINSUCLINAH

A flaw was found in openvswitch (OVS). When processing an IP packet with protocol 0, OVS will install the datapath flow without the action modifying the IP header. This issue results (for both kernel and userspace datapath) in installing a datapath flow matching all IP protocols (nw_proto is wildcarded) for this flow, but with an incorrect action, possibly causing incorrect handling of other IP packets with a != 0 IP protocol that matches this dp flow.

Affected

24 ranges

Vendor	Product	Version range	Fixed in
cloudbase	open_vswitch	—	—
cloudbase	open_vswitch	>= 1.5.0 < 2.13.11	2.13.11
cloudbase	open_vswitch	>= 2.14.0 < 2.14.9	2.14.9
cloudbase	open_vswitch	>= 2.15.0 < 2.15.8	2.15.8
cloudbase	open_vswitch	>= 2.16.0 < 2.16.7	2.16.7
cloudbase	open_vswitch	>= 2.17.0 < 2.17.6	2.17.6
cloudbase	open_vswitch	>= 3.0.0 < 3.0.4	3.0.4
debian	debian_linux	—	—
debian	openvswitch	< openvswitch 3.1.0-2 (bookworm)	openvswitch 3.1.0-2 (bookworm)
msrc	azl3_openvswitch_2.17.5-3_on_azure_linux_3.0	—	—
msrc	azure_linux_3.0_arm	—	—
msrc	azure_linux_3.0_x64	—	—
msrc	cbl2_openvswitch_2.17.5-2_on_cbl_mariner_2.0	—	—
msrc	cbl_mariner_2.0_arm	—	—
msrc	cbl_mariner_2.0_x64	—	—
openvswitch	openvswitch	>= 0 < 2.15.0+ds1-2+deb11u4	2.15.0+ds1-2+deb11u4
openvswitch	openvswitch	>= 0 < 3.1.0-2	3.1.0-2
openvswitch	openvswitch	>= 0 < 3.1.0-2	3.1.0-2
openvswitch	openvswitch	>= 0 < 3.1.0-2	3.1.0-2
redhat	openshift_container_platform	—	—
redhat	openstack_platform	—	—
redhat	openstack_platform	—	—
redhat	openstack_platform	—	—
redhat	virtualization	—	—

CVSS provenance

nvdv3.18.2HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H

osv8.2HIGH