Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Date: Tue, 12 Mar 2024 15:00:08 +0100
From: Dumitru Ceara <>
 ovs-discuss <>
Cc: Mark Michelson <>,
 Frode Nordahl <>,
 Ilya Maximets <>,
 Lorenzo Bianconi <>
Subject: [ADVISORY] CVE-2024-2182: Open Virtual Network: Insufficient
 validation of incoming BFD packets.


Multiple versions of OVN (Open Virtual Network) are vulnerable to
crafted BFD packets potentially causing denial of service.

OVN supports configuration of gateway chassis and high-availability
chassis groups (via the Gateway_Chassis and HA_Chassis_Group tables in
the OVN_Northbound database).  These group cluster nodes (chassis)
together and provide high availability to them.  OVN logical switch and
router ports can be configured to reference such groups.  In this case
the traffic forwarding decision is influenced by the liveness of the
chassis listed in the group.

In such scenarios OVN automatically enables the OVS Bidirectional
Forwarding Detection (BFD) functionality to monitor the health of remote
nodes and tunnels between them.

BFD packets are transmitted in-band in tunnels that connect OVN chassis,
along with other traffic.  And, by default, OVS will process any BFD
packets received on a tunnel port with BFD enabled.  That makes it
possible for a VM or container connected to an OVN logical switch port
to send BFD packets that will be tunneled to another node and processed
by OVS, potentially changing the BFD state and affecting the forwarding

The Common Vulnerabilities and Exposures project ( has
assigned the CVE-2024-2182 identifier to this issue.

A way to determine if BFD will be used is to issue the following
commands on the node that runs the OVN central components:

  $ ovn-nbctl --columns name,gateway_chassis list logical_router_port

If the above command returns more than a single gateway chassis
reference for a given port that means OVS BFD has been automatically

  $ ovn-nbctl --columns name,ha_chassis list ha_chassis_group

The same applies if the above command returns groups that contain more
than one chassis.


For any version of OVN, in order to prevent the issue, an ACL (Access
Control List) rule can be added to drop BFD packets originated from
logical ports.

For example, the following shell script would configure ACLs on all
existing OVN logical switches:

  for sw in $(ovn-nbctl --bare --columns name list logical_switch); do
      ovn-nbctl acl-add $sw from-lport 32767 'udp && udp.dst == 3784' drop

If OVN is configured by a Cloud Management System (CMS, e.g., OpenStack)
then it is the responsibility of the CMS to program ACLs.  Manual user
configuration might otherwise be overwritten by the CMS.

We do not recommend attempting to mitigate the vulnerability this way
because this will also drop legitimate BFD traffic originated by the
workloads connected to logical switch ports, e.g., BFD sessions
established with external entities.


Patches to fix this vulnerability in currently supported versions of

 * 22.03.x:
 * 23.03.x:
 * 23.06.x:
 * 23.09.x:
 * 24.03.x:

Original patch is located at:


We recommend that users of OVN apply the linked patches, or upgrade to
a known patched version of OVN.  These include:

 * v22.03.7
 * v23.03.3
 * v23.06.3
 * v23.09.3
 * v24.03.1


The OVN team wishes to thank the reporter:

  Frode Nordahl <>

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.