
List:       oss-security
Subject:    [oss-security] CVE-2022-46397: FD.io VPP (Vector Packet Processor) IPSec generates a predictable IV 
From:       Dave Wallace <dwallacelf () gmail ! com>
Date:       2023-02-14 4:47:38
Message-ID: 8820f35d-5786-d799-b6c0-8800f148829b () gmail ! com

Folks,

A vulnerability in the VPP IPSec plugin was identified by Benoit Ganne 
who has also provided a fix that has been committed to master and 
cherry-picked to all affected VPP Release branches.


Here is the Security Advisory report for CVE-2022-46397 [0]:

Description:
FD.io VPP (Vector Packet Processor) 22.10, 22.06, 22.02, 21.10, 21.06, 
21.01, 20.09, 20.05, 20.01, 19.08, and 19.04 Generates a Predictable IV 
with CBC Mode.

Vulnerability Type Other:
CWE-329: Generation of Predictable IV with CBC Mode
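Why a predictable CBC IV matters, as an added example that is not VPP code and does not describe how the VPP IPsec plugin derived its IV (VPP is written in C; the Go below only models the weakness class named by CWE-329). In ESP-CBC the IV is carried in the clear at the start of the payload, so a passive observer already knows the IV of every packet; if the next IV is also predictable, anyone who can get plaintext of their choosing encrypted under the same SA (for example by injecting traffic that is forwarded into the tunnel) can confirm guesses for a block of someone else's earlier plaintext. The counter IV, the demo key and the "PIN=" message are constructed for the demonstration; `counterIVSource`, `confirmSecretBlock` and `runDemo` are names introduced here.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

const bs = aes.BlockSize

// cbcEncryptor returns iv || AES-CBC(plaintext) for one message per call.
// The IV source is the only difference between the flawed and the fixed variant.
type cbcEncryptor struct {
	block  cipher.Block
	nextIV func() []byte
}

func (e *cbcEncryptor) Encrypt(plaintext []byte) []byte {
	iv := e.nextIV()
	out := make([]byte, len(plaintext))
	cipher.NewCBCEncrypter(e.block, iv).CryptBlocks(out, plaintext)
	return append(iv, out...)
}

// counterIVSource is the CWE-329 pattern modelled here: IV = big-endian counter
// (a constructed illustration of a predictable IV, not VPP's actual scheme).
func counterIVSource() func() []byte {
	var n uint64
	return func() []byte {
		iv := make([]byte, bs)
		binary.BigEndian.PutUint64(iv[8:], n)
		n++
		return iv
	}
}

// randomIVSource is the fix: a fresh IV per message from the CSPRNG.
func randomIVSource() func() []byte {
	return func() []byte {
		iv := make([]byte, bs)
		if _, err := rand.Read(iv); err != nil {
			panic(err)
		}
		return iv
	}
}

// predictNextIV is the attacker's model of the flaw: last observed IV + 1.
func predictNextIV(last []byte) []byte {
	next := make([]byte, bs)
	copy(next, last)
	binary.BigEndian.PutUint64(next[8:], binary.BigEndian.Uint64(next[8:])+1)
	return next
}

func xorBlocks(a, b []byte) []byte {
	out := make([]byte, bs)
	for i := range out {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// confirmSecretBlock tests candidates for the victim's first plaintext block P0.
// victim is iv0 || c0 || ..., with c0 = E_k(P0 ^ iv0). For guess g the attacker
// submits g ^ iv0 ^ ivPred; CBC encrypts E_k(g ^ iv0 ^ ivPred ^ ivActual), which
// equals c0 exactly when ivPred == ivActual and g == P0. Returns nil on failure.
func confirmSecretBlock(oracle func([]byte) []byte, victim []byte, candidates [][]byte) []byte {
	iv0, c0 := victim[:bs], victim[bs:2*bs]
	last := iv0
	for _, g := range candidates {
		ivPred := predictNextIV(last)
		ct := oracle(xorBlocks(xorBlocks(g, iv0), ivPred))
		last = ct[:bs] // the IV the oracle actually used (sent in the clear)
		if bytes.Equal(ct[bs:2*bs], c0) {
			return g
		}
	}
	return nil
}

func pad16(s string) []byte {
	b := make([]byte, bs)
	copy(b, s)
	return b
}

// runDemo encrypts a constructed victim message holding a 4-digit PIN, then runs the
// chosen-plaintext confirmation over all 10000 PINs. Returns the recovered block or nil.
func runDemo(secureIV bool) []byte {
	block, err := aes.NewCipher([]byte("0123456789abcdef")) // constructed demo key
	if err != nil {
		panic(err)
	}
	enc := &cbcEncryptor{block: block, nextIV: counterIVSource()}
	if secureIV {
		enc.nextIV = randomIVSource()
	}
	victim := enc.Encrypt(append(pad16("PIN=4711"), pad16("trailing data")...))
	candidates := make([][]byte, 0, 10000)
	for i := 0; i < 10000; i++ {
		candidates = append(candidates, pad16(fmt.Sprintf("PIN=%04d", i)))
	}
	return confirmSecretBlock(enc.Encrypt, victim, candidates)
}

func main() {
	fmt.Printf("counter IV: recovered %q\n", runDemo(false))
	fmt.Printf("random IV:  recovered %q\n", runDemo(true))
}
```

The attack needs no key material and only one ciphertext block per guess, which is why CWE-329 is rated as a confidentiality weakness rather than a theoretical one: with the counter IV the loop confirms "PIN=4711", while with a random IV the attacker's prediction never matches the IV actually used and every comparison fails. Note that the same oracle with the same key defeats the random-IV variant only with probability about 2^-128 per guess, so a false positive there is not a practical concern.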

Severity:
Moderate

Vendor of Product:
https://fd.io

Affected Product Code Base:
vpp - v22.10, v22.06, v22.02, v21.10, v21.06, v21.01, v20.09, v20.05, 
v20.01, v19.08, v19.04

Credit:
This issue was reported by Benoit Ganne of Cisco Systems, Inc per the 
FD.io Security Policy [1].

Resolution:
The fix for the vulnerability was committed to the VPP repository's main 
development branch and cherry-picked to all affected release branches on 
2023-02-07. See FD.io VPP Jira ticket VPP-2037 [2] for details.

Maintenance releases were performed on 2023-02-10 for the currently 
supported releases (VPP 22.06, VPP 22.10) and release artifacts for VPP 
22.06.1 and VPP 22.10.1 uploaded to the FD.io packagecloud.io release 
repository [3].  All release branches prior to 22.06 are UNSUPPORTED and 
will NOT undergo maintenance releases.  Packages for each VPP release 
version prior to VPP-22.06.1 SHOULD NOT BE INSTALLED from 
https://packagecloud.io/fdio/release, but should be built from the 
latest source code in the release branch.

Reference:
[0] https://www.cve.org/CVERecord?id=CVE-2022-46397
[1] https://wiki.fd.io/view/TSC:Vulnerability_Management
[2] https://jira.fd.io/browse/VPP-2037
[3] https://packagecloud.io/fdio/release


Thanks,
FD.io Security Response Team

