CVE-2023-3153 ovn: service monitor MAC flow is not rate limited #198
Comments
|
Hi, thank you for bringing this up here. At the moment we are planning a fix to mitigate the issue, however I can't share any details right now. |
|
Hi, the advisory [0] and the patch are public [1]. [0] https://mail.openvswitch.org/pipermail/ovs-announce/2023-August/000327.html |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Issue:
The service monitor MAC is exposed through the following flow:
ovn_lflow_add(lflows, od, S_SWITCH_IN_L2_LKUP, 110,
"eth.dst == $svc_monitor_mac",
"handle_svc_check(inport);");
This doesn't handle rate limit via CoPP. There is potential to
DoS ovn-controller even on deployments with CoPP enabled and configured
as all packets with this destination mac within the switch are sent directly to pinctrl thread in ovn-controller.
Reference :
https://bugzilla.redhat.com/show_bug.cgi?id=2213279
Fix required :
Unknown
Can we have a look at this issue to find out if there could be a possible DoS attack ?
The text was updated successfully, but these errors were encountered: