===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2016.0817
                  Important: openvswitch security update
                               31 March 2016

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           openvswitch
Publisher:         Red Hat
Operating System:  Red Hat Enterprise Linux Server 7
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2016-2074  

Reference:         ESB-2016.0815
                   ESB-2016.0811

Original Bulletin: 
   https://rhn.redhat.com/errata/RHSA-2016-0537.html

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: openvswitch security update
Advisory ID:       RHSA-2016:0537-01
Product:           Red Hat Enterprise Linux OpenStack Platform
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2016-0537.html
Issue date:        2016-03-30
CVE Names:         CVE-2016-2074 
=====================================================================

1. Summary:

An update for openvswitch is now available for Red Hat Enterprise Linux
OpenStack Platform 7.0 (Kilo) for RHEL 7.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux OpenStack Platform 7.0 for RHEL 7 - noarch, x86_64

3. Description:

Open vSwitch provides standard network bridging functions and support for
the OpenFlow protocol for remote per-flow control of traffic.

Security Fix(es):

* A buffer overflow flaw was discovered in the OVS processing of MPLS
labels. A remote attacker able to deliver a frame containing a malicious
MPLS label that would be processed by OVS could trigger the flaw and use
the resulting memory corruption to cause a denial of service (DoS) or,
possibly, execute arbitrary code. (CVE-2016-2074)

Red Hat would like to thank the Open vSwitch project for reporting this
issue. Upstream acknowledges Kashyap Thimmaraju and Bhargava Shastry as the
original reporters.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1318553 - CVE-2016-2074 openvswitch: MPLS buffer overflow vulnerability

6. Package List:

Red Hat Enterprise Linux OpenStack Platform 7.0 for RHEL 7:

Source:
openvswitch-2.4.0-2.el7_2.src.rpm
openvswitch-dpdk-2.4.0-0.10346.git97bab959.3.el7_2.src.rpm

noarch:
python-openvswitch-2.4.0-2.el7_2.noarch.rpm

x86_64:
openvswitch-2.4.0-2.el7_2.x86_64.rpm
openvswitch-debuginfo-2.4.0-2.el7_2.x86_64.rpm
openvswitch-dpdk-2.4.0-0.10346.git97bab959.3.el7_2.x86_64.rpm
openvswitch-dpdk-debuginfo-2.4.0-0.10346.git97bab959.3.el7_2.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2016-2074
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2016 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFW/DxbXlSAg2UNWIIRAliQAJ9x2r8+3bKk54bwf4BWcq8FJjLGTgCgrUTp
hEpb9aQWfzxRzsu9TWpjQNk=
=DolP
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================