
Bug report with 3 CVEs on fabric.p4


Jiwon Kim

Feb 19, 2024, 1:45:32 PM
to sdfabr...@opennetworking.org
Hi Team,

I just checked that the email that I sent was not delivered.

I’d like to send this email to notify you that 3 bugs in SD-FABRIC have been assigned CVEs.
(CVE-2023-43888, CVE-2023-43889, CVE-2023-45377)

The root cause of the three CVEs is the handling of PACKET_OUT messages sent by data-plane hosts.

I can reproduce these bugs on the following environments by sending a malicious payload with the attached Python script (gen-pkt.py):
  • fabric_v1model.p4
  • ONOS v2.7.1
  • Stratum v2022-06-30
  • BMv2 b0fb01e

I also put the forwarded email that I sent 4 months ago.
I sent it to ONOS team before, but I couldn’t receive any notification from them.

Please advise on your disclosure deadline or if I should create tickets on the public bug tracker.

Best regards,
Jiwon Kim

gen-pkt.py