
CVE-2023-38802
Closed, Duplicate | Public | BUG

Description

https://blog.benjojo.co.uk/post/bgp-path-attributes-grave-error-handling

FRR Impact (and other downstream vendors)

FRR attempts to handle malformed path attributes using RFC 7606 behaviour (treating the UPDATE as a withdraw instead of resetting the session). However, the fuzzer discovered that a corrupted attribute 23 (Tunnel Encapsulation) still causes the session to go down regardless.

Fix: https://github.com/FRRouting/frr/issues/14289
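An added illustration of the RFC 7606 distinction the description relies on, not code from FRR or VyOS: a minimal BGP path-attribute parser in which a malformed attribute, including a Tunnel Encapsulation attribute whose inner TLVs overrun it, demotes the UPDATE to a withdraw instead of resetting the session, with the pre-RFC 7606 outcome available for contrast. The sample bytes are constructed (the tunnel type value is arbitrary), this page does not say which check FRR actually got wrong, and the parser assumes the NLRI is parseable so that treat-as-withdraw is an available option.

```python
import struct

ATTR_TUNNEL_ENCAP = 23   # Tunnel Encapsulation path attribute (RFC 9012)
FLAG_EXT_LEN = 0x10      # extended-length bit in the attribute flags octet

def tunnel_encap_wellformed(value: bytes) -> bool:
    """RFC 9012 value = list of <tunnel type:2><length:2><sub-TLVs>;
    a TLV length that overruns the value makes the attribute malformed."""
    off = 0
    while off < len(value):
        if len(value) - off < 4:
            return False
        _tunnel_type, tlen = struct.unpack_from("!HH", value, off)
        off += 4 + tlen
    return off == len(value)

def parse_path_attributes(data: bytes, rfc7606: bool = True):
    """Walk the path-attribute TLVs of an UPDATE; return (action, attrs, reason).
    rfc7606=True: a malformed attribute becomes a withdraw of the UPDATE's NLRI.
    rfc7606=False: the RFC 4271 outcome, NOTIFICATION and session reset.
    Simplification: NLRI assumed parseable, so treat-as-withdraw is always possible."""
    attrs, off = {}, 0

    def malformed(reason):
        return ("treat-as-withdraw" if rfc7606 else "session-reset", attrs, reason)

    while off < len(data):
        if len(data) - off < 3:
            return malformed("truncated attribute header")
        flags, atype = data[off], data[off + 1]
        if flags & FLAG_EXT_LEN:
            if len(data) - off < 4:
                return malformed("truncated extended length field")
            length, hdr = struct.unpack_from("!H", data, off + 2)[0], 4
        else:
            length, hdr = data[off + 2], 3
        value = data[off + hdr:off + hdr + length]
        if len(value) != length:
            return malformed(f"attribute {atype} length {length} overruns buffer")
        if atype == ATTR_TUNNEL_ENCAP and not tunnel_encap_wellformed(value):
            return malformed("malformed Tunnel Encapsulation attribute")
        attrs[atype] = value
        off += hdr + length
    return ("accept", attrs, "")

# Constructed sample: ORIGIN=IGP (flags 0x40), then attribute 23 (optional
# transitive, 0xC0) whose outer length fits but whose inner TLV claims 32 bytes.
GOOD_ORIGIN = bytes([0x40, 1, 1, 0])
BAD_TUNNEL_ENCAP = bytes([0xC0, ATTR_TUNNEL_ENCAP, 8]) + struct.pack("!HH", 15, 32) + b"\x00" * 4
SAMPLE_ATTRS = GOOD_ORIGIN + BAD_TUNNEL_ENCAP
```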

Details

Version
1.3.3
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Unspecified (please specify)

Event Timeline

syncer triaged this task as High priority.

This also affects the latest rolling release as of 1.4-rolling-202308240020, which is available at vyos.io

I assume backports will be used once VyOS 1.3.4 gets compiled?

Any ETA for VyOS 1.3.4?

Which VyOS 1.4-rolling will have the fixes made by FRRouting?

syncer added a subscriber: v.huti.

Which VyOS 1.4-rolling will have the fixes made by FRRouting?

Latest 1.4 and 1.5, also the latest custom build 1.3 image, already have the fix. The 1.3.4 release is in the making.