CVE-2023-3966

Publication date 8 February 2024

Last updated 24 July 2024

Ubuntu priority

A flaw was found in Open vSwitch where multiple versions are vulnerable to crafted Geneve packets, which may result in a denial of service and invalid memory accesses. Triggering this issue requires that hardware offloading via the netlink path is enabled.

Read the notes from the security team

Mitigation

Disable flow hardware offload if enabled via the following setting and reboot: other_config:hw-offload=false

Status

Show unmaintained releases

Package	Ubuntu Release	Status
openvswitch	24.04 LTS noble	Fixed 3.3.0~git20240118.e802fe7-3ubuntu1
	23.10 mantic	Fixed 3.2.2-0ubuntu0.23.10.1
	22.04 LTS jammy	Fixed 2.17.9-0ubuntu0.22.04.1
	20.04 LTS focal	Fixed 2.13.8-0ubuntu1.4
	18.04 LTS bionic	Not affected
	16.04 LTS xenial	Not affected
	14.04 LTS trusty	Ignored end of standard support

Notes

amurray

According to the upstream advisory only affects version 2.12 and newer but the mentioned commit which introduced this bug (https://github.com/openvswitch/ovs/commit/a468645c6d33) was shipped in 2.11.0 as well so assuming this is also affected.

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package	Patch details
openvswitch	Upstream: be695f2 Upstream: 2cfbcd5 Upstream: 91e621b Upstream: 935cd1d Upstream: b8657da

References

Related Ubuntu Security Notices (USN)

USN-6690-1
Open vSwitch vulnerabilities
12 March 2024