CVE-2023-5366

Publication date 6 October 2023

Last updated 24 July 2024


Ubuntu priority

CVSS 3 Severity Score

5.5 · Medium

A flaw was found in Open vSwitch that allows ICMPv6 Neighbor Advertisement packets between virtual machines to bypass OpenFlow rules. This issue may allow a local attacker to create specially crafted packets with a modified or spoofed target IP address field that can redirect ICMPv6 traffic to arbitrary IP addresses.

Status

Package Ubuntu Release Status
openvswitch 24.10 oracular Fixed 3.3.0~git20240118.e802fe7-3ubuntu1
openvswitch 24.04 LTS noble Fixed 3.3.0~git20240118.e802fe7-3ubuntu1
openvswitch 23.10 mantic Fixed 3.2.2-0ubuntu0.23.10.1
openvswitch 23.04 lunar Ignored end of life
openvswitch 22.04 LTS jammy Fixed 2.17.9-0ubuntu0.22.04.1
openvswitch 20.04 LTS focal Fixed 2.13.8-0ubuntu1.4
openvswitch 18.04 LTS bionic Vulnerable
openvswitch 16.04 LTS xenial Ignored changes too intrusive
openvswitch 14.04 LTS trusty Ignored end of standard support

Notes


mdeslaur

This was originally marked as fixed in USN-6514-1, but the fix was incomplete. See the ovs-announce list post for the new commits to fix this issue. The bp commits below are required in addition to the other commits.

Patch details

For informational purposes only. We recommend against cherry-picking updates.

Package Patch details
openvswitch

Severity score breakdown

Parameter Value
Base score 5.5 · Medium
Attack vector Local
Attack complexity Low
Privileges required Low
User interaction None
Scope Unchanged
Confidentiality None
Integrity impact High
Availability impact None
Vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

References

Related Ubuntu Security Notices (USN)

    • USN-6514-1: Open vSwitch vulnerability, 26 November 2023
    • USN-6690-1: Open vSwitch vulnerabilities, 12 March 2024

Other references