Alpine: multiple openvswitch packages, py3-openvswitch: security update to 2.12.0-r3 (deprecated)

critical Tenable Self-Hosted Container Security Plugin ID 400278

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- Buffer overflow in the lldp_decode function in daemon/protocols/lldp.c in lldpd before 0.8.0 allows remote
attackers to cause a denial of service (daemon crash) and possibly execute arbitrary code via vectors
involving large management addresses and TLV boundaries. (CVE-2015-8011)

- A flaw was found in all DPDK versions 17.x.x before 17.11.8, 16.x.x before 16.11.10, 18.x.x before 18.11.4
and 19.x.x before 19.08.1 where a malicious master, or a container with access to the vhost_user socket, can
send specially crafted VRING_SET_NUM messages, resulting in a memory leak including file descriptors. This
flaw could lead to a denial of service condition. (CVE-2019-14818)

- A vulnerability was found in DPDK versions 18.05 and above. A missing check for an integer overflow in
vhost_user_set_log_base() could result in a smaller memory map than requested, possibly allowing memory
corruption. (CVE-2020-10722)

- A memory corruption issue was found in DPDK versions 17.05 and above. This flaw is caused by an integer
truncation on the index of a payload. Under certain circumstances, the index (a UInt) is copied and
truncated into a uint16, which can lead to out-of-bounds indexing and possible memory corruption.
(CVE-2020-10723)

See Also

https://git.alpinelinux.org/aports/commit/?id=7493d456efa66a817925f843779241ec2e2dce14

https://git.alpinelinux.org/aports/commit/?id=de4c4b03049e4773a9f986985bbefbf71cf59b0f

Plugin Details

Severity: Critical

ID: 400278

Version: Revision 1.25

Type: Local

Published: 8/16/2023

Updated: 8/13/2024

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2015-8011

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 1/26/2021

Vulnerability Publication Date: 10/16/2015

Reference Information

CVE: CVE-2015-8011, CVE-2019-14818, CVE-2020-10722, CVE-2020-10723, CVE-2020-10724, CVE-2020-27827

BID: 77114