frr-8.3.1-11.el9.ML.1

エラータID: AXSA:2023-6853:07

Release date: 
Monday, December 11, 2023 - 07:25
Subject: 
frr-8.3.1-11.el9.ML.1
Affected Channels: 
MIRACLE LINUX 9 for x86_64
Severity: 
Moderate
Description: 

FRRouting is free software that manages TCP/IP based routing protocols. It supports BGP4, OSPFv2, OSPFv3, ISIS, RIP, RIPng, PIM, NHRP, PBR, EIGRP and BFD.

Security Fix(es):

* frr: Reachable assertion in peek_for_as4_capability function (CVE-2022-36440)
* frr: denial of service by crafting a BGP OPEN message with an option of type 0xff (CVE-2022-40302)
* frr: denial of service by crafting a BGP OPEN message with an option of type in bgp_open_option_parse in the bgp_open.c 0xff (CVE-2022-40318)
* frr: out-of-bounds read exists in the BGP daemon of FRRouting (CVE-2022-43681)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2022-36440
A reachable assertion was found in Frrouting frr-bgpd 8.3.0 in the peek_for_as4_capability function. Attackers can maliciously construct BGP open packets and send them to BGP peers running frr-bgpd, resulting in DoS.
CVE-2022-40302
An issue was discovered in bgpd in FRRouting (FRR) through 8.4. By crafting a BGP OPEN message with an option of type 0xff (Extended Length from RFC 9072), attackers may cause a denial of service (assertion failure and daemon restart, or out-of-bounds read). This is possible because of inconsistent boundary checks that do not account for reading 3 bytes (instead of 2) in this 0xff case.
CVE-2022-40318
An issue was discovered in bgpd in FRRouting (FRR) through 8.4. By crafting a BGP OPEN message with an option of type 0xff (Extended Length from RFC 9072), attackers may cause a denial of service (assertion failure and daemon restart, or out-of-bounds read). This is possible because of inconsistent boundary checks that do not account for reading 3 bytes (instead of 2) in this 0xff case. NOTE: this behavior occurs in bgp_open_option_parse in the bgp_open.c file, a different location (with a different attack vector) relative to CVE-2022-40302.
CVE-2022-43681
An out-of-bounds read exists in the BGP daemon of FRRouting FRR through 8.4. When sending a malformed BGP OPEN message that ends with the option length octet (or the option length word, in case of an extended OPEN message), the FRR code reads of out of the bounds of the packet, throwing a SIGABRT signal and exiting. This results in a bgpd daemon restart, causing a Denial-of-Service condition.

Solution: 

Update packages.

Additional Info: 

N/A

Download: 

SRPMS
  1. frr-8.3.1-11.el9.ML.1.src.rpm
    MD5: 8fc38256bac9f921e6b200605359540e
    SHA-256: bfba4b2e0c216c9ee72424e6e36c00caa61f87fd25f3d8a16f3f2e0b9ba17e6c
    Size: 9.06 MB

Asianux Server 9 for x86_64
  1. frr-8.3.1-11.el9.ML.1.x86_64.rpm
    MD5: 79d80952936c1460f3bcd4b43a1efc0a
    SHA-256: d0e1767a777bf9eef6b66e77a677e4e3bca3a4f1ad8533eb6477ad815c183df8
    Size: 4.47 MB
  2. frr-selinux-8.3.1-11.el9.ML.1.noarch.rpm
    MD5: 9151d17889a06dd17baccae7c1bc53ec
    SHA-256: 7fb381f572dd43323bc8613493a5a85cd0ed32b3f3f6831dd2cb04807d23e4d5
    Size: 22.99 kB