Headline
Red Hat Security Advisory 2023-5219-01
Red Hat Security Advisory 2023-5219-01 - FRRouting is free software that manages TCP/IP based routing protocols. It supports BGP4, OSPFv2, OSPFv3, ISIS, RIP, RIPng, PIM, NHRP, PBR, EIGRP and BFD.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
====================================================================
Red Hat Security Advisory
Synopsis: Important: frr security and bug fix update
Advisory ID: RHSA-2023:5219-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2023:5219
Issue date: 2023-09-19
CVE Names: CVE-2023-38802
====================================================================
- Summary:
An update for frr is now available for Red Hat Enterprise Linux 8.
Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.
- Relevant releases/architectures:
Red Hat Enterprise Linux AppStream (v. 8) - aarch64, noarch, ppc64le, s390x, x86_64
- Description:
FRRouting is free software that manages TCP/IP based routing protocols. It
supports BGP4, OSPFv2, OSPFv3, ISIS, RIP, RIPng, PIM, NHRP, PBR, EIGRP and
BFD.
Security Fix(es):
- frr: Incorrect handling of a error in parsing of an invalid section of a
BGP update can de-peer a router (CVE-2023-38802)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
Bug Fix(es):
- BFD crash in FRR running in MetalLB (BZ#2231829)
- Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
- Bugs fixed (https://bugzilla.redhat.com/):
2230983 - CVE-2023-38802 frr: Incorrect handling of a error in parsing of an invalid section of a BGP update can de-peer a router
2231829 - BFD crash in FRR running in MetalLB [rhel-8.8.0.z]
- Package List:
Red Hat Enterprise Linux AppStream (v. 8):
Source:
frr-7.5.1-7.el8_8.2.src.rpm
aarch64:
frr-7.5.1-7.el8_8.2.aarch64.rpm
frr-debuginfo-7.5.1-7.el8_8.2.aarch64.rpm
frr-debugsource-7.5.1-7.el8_8.2.aarch64.rpm
noarch:
frr-selinux-7.5.1-7.el8_8.2.noarch.rpm
ppc64le:
frr-7.5.1-7.el8_8.2.ppc64le.rpm
frr-debuginfo-7.5.1-7.el8_8.2.ppc64le.rpm
frr-debugsource-7.5.1-7.el8_8.2.ppc64le.rpm
s390x:
frr-7.5.1-7.el8_8.2.s390x.rpm
frr-debuginfo-7.5.1-7.el8_8.2.s390x.rpm
frr-debugsource-7.5.1-7.el8_8.2.s390x.rpm
x86_64:
frr-7.5.1-7.el8_8.2.x86_64.rpm
frr-debuginfo-7.5.1-7.el8_8.2.x86_64.rpm
frr-debugsource-7.5.1-7.el8_8.2.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
- References:
https://access.redhat.com/security/cve/CVE-2023-38802
https://access.redhat.com/security/updates/classification/#important
- Contact:
The Red Hat security contact is [email protected]. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2023 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIcBAEBCAAGBQJlCWltAAoJENzjgjWX9erET48P/i4sFRi3htQmxLHFxf5dTRWh
rvCopOuKxIsVUdvPLoicy41cjFGlZmiF1xogHUvqRvXfiOEGHOzCWHjMdllYzj7F
cDg4TJ9qGSmkPHf+5rLyXPKjFIQ3C9S/GT69IyPKDWHBwabOaEXfvAk5iAzDZFxH
Wq4vIU4fBnX2HeiqQIl/UshktPolzUx8Gc0sCtMmVJEJX8YpowH4Qo6vxE7rpuhY
1XSIVs7YbG3F4tqLWRr0PDKTyVeObKM/O0DHTSgfAxZQVu3b4K5U2Lxwv8i90f7M
dwRTqKGwyKXe0lr7ZtoAojTZkINk7pUIYac7baUzKyt0jKdQ2bkdMexmGHSQfNp7
Vmyh294YGaEoGrTnOkGfysK3LjwwvnppK4eab3Z3tBg+YWaEsRpXbr1Wrk9ZRuSC
vPm3Vnuare1iECH85iuaUcu9qCoD66UR3UHQ/sYA37xB9hmy/6lR0YhLY6o06owc
UvurOWIEMJUxtDWtp+dZepwfpk7c4v0Sgm5SstLLoVE4dwMURzWAOaWfr1jFNUIb
Tx6oOAUt4yFZfS9a6T54sobOFES+rOS4rwSBmT7dr4M+7HytYEyIi2zQhpvrB89i
k+Vx+2ae/tNHGFbIOa4qjl9yG3rPSum3rBNSv9uwqleVtDXDKrSMRh4TJC0VqIUi
H8TQ9vh6iJug7mNeHAnj
=P6/K
-----END PGP SIGNATURE-----
–
RHSA-announce mailing list
[email protected]
https://listman.redhat.com/mailman/listinfo/rhsa-announce
Related news
The BGP daemon (bgpd) in IP Infusion ZebOS through 7.10.6 allow remote attackers to cause a denial of service by sending crafted BGP update messages containing a malformed attribute.
Red Hat Security Advisory 2023-5465-01 - FRRouting is free software that manages TCP/IP based routing protocols. It supports BGP4, OSPFv2, OSPFv3, ISIS, RIP, RIPng, PIM, NHRP, PBR, EIGRP and BFD.
An update for frr is now available for Red Hat Enterprise Linux 9.0 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-38802: A vulnerability was found in FRRouting (FRR). This flaw allows a remote attacker to cause a denial of service issue via a crafted BGP update with a corrupted attribute 23 (Tunnel Encapsulation).
An update for frr is now available for Red Hat Enterprise Linux 8.2 Advanced Update Support, Red Hat Enterprise Linux 8.2 Telecommunications Update Service, and Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-38802: A vulnerability was found in FRRouting (FRR). This flaw allows a remote attacker to cause a denial of service issue via a crafted BGP update with a corrupted attribute 23 (Tunnel Encapsulation)...
An update for frr is now available for Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-38802: A vulnerability was found in FRRouting (FRR). This flaw allows a remote attacker to cause a denial of service issue via a crafted BGP update with a corrupted attribute 23 (Tunnel Encapsulation).
An update for frr is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-38802: A vulnerability was found in FRRouting (FRR). This flaw allows a remote attacker to cause a denial of service issue via a crafted BGP update with a corrupted attribute 23 (Tunnel Encapsulation).
An update for frr is now available for Red Hat Enterprise Linux 8.6 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-38802: A vulnerability was found in FRRouting (FRR). This flaw allows a remote attacker to cause a denial of service issue via a crafted BGP update with a corrupted attribute 23 (Tunnel Encapsulation).
An update for frr is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-38802: A vulnerability was found in FRRouting (FRR). This flaw allows a remote attacker to cause a denial of service issue via a crafted BGP update with a corrupted attribute 23 (Tunnel Encapsulation).
An update for frr is now available for Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.4 Telecommunications Update Service, and Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-38802: A vulnerability was found in FRRouting (FRR). This flaw allows a remote attacker to cause a denial of service issue via a crafted BGP update with a corrupted attribute 23 (Tunn...
Debian Linux Security Advisory 5495-1 - Multiple vulnerabilities were discovered in frr, the FRRouting suite of internet protocols, while processing malformed requests and packets the BGP daemon may have reachable assertions, NULL pointer dereference, out-of-bounds memory access, which may lead to denial of service attack.
Cisco has released security fixes to address multiple security flaws, including a critical bug, that could be exploited by a threat actor to take control of an affected system or cause a denial-of service (DoS) condition. The most severe of the issues is CVE-2023-20238, which has the maximum CVSS severity rating of 10.0. It’s described as an authentication bypass flaw in the Cisco BroadWorks