oss-sec mailing list archives
CVE-2022-46397: FD.io VPP (Vector Packet Processor) IPSec generates a predictable IV with AES-CBC mode
From: Dave Wallace <dwallacelf () gmail com>
Date: Mon, 13 Feb 2023 23:47:38 -0500
Folks,

A vulnerability in the VPP IPSec plugin was identified by Benoit Ganne who has also provided a fix that has been committed to master and cherry-picked to all affected VPP Release branches.
Here is the Security Advisory report for CVE-2022-46397 [0]:

Description: FD.io VPP (Vector Packet Processor) 22.10, 22.06, 22.02, 21.10, 21.06, 21.01, 20.09, 20.05, 20.01, 19.08, and 19.04 Generates a Predictable IV with CBC Mode.
Vulnerability Type: Other: CWE-329: Generation of Predictable IV with CBC Mode
Severity: Moderate
Vendor of Product: https://fd.io
Affected Product Code Base: vpp - v22.10, v22.06, v22.02, v21.10, v21.06, v21.01, v20.09, v20.05, v20.01, v19.08, v19.04
Credit: This issue was reported by Benoit Ganne of Cisco Systems, Inc per the FD.io Security Policy [1].
Resolution: The fix for the vulnerability was committed to the VPP repository's main development branch and cherry-picked to all affected release branches on 2023-02-07. See FD.io VPP Jira ticket VPP-2037 [2] for details.
Maintenance releases were performed on 2023-02-10 for the currently supported releases (VPP 22.06, VPP 22.10) and release artifacts for VPP 22.06.1 and VPP 22.10.1 uploaded to the FD.io packagecloud.io release repository [3]. All release branches prior to 2206 are UNSUPPORTED and will NOT undergo maintenance releases. Packages for each VPP release version prior to VPP-22.06.1 SHOULD NOT BE INSTALLED from https://packagecloud.io/fdio/release, but should be built from the latest source code in the release branch.
Reference:
[0] https://www.cve.org/CVERecord?id=CVE-2022-46397
[1] https://wiki.fd.io/view/TSC:Vulnerability_Management
[2] https://jira.fd.io/browse/VPP-2037
[3] https://packagecloud.io/fdio/release

Thanks,
FD.io Security Response Team
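The advisory names the weakness class (CWE-329) but not why a predictable CBC IV is exploitable. The following Python is an added example, not code from the advisory, from VPP, or from the fix in VPP-2037: it reproduces the textbook chosen-plaintext attack against CBC with a sequence-number style IV and shows that the same attack fails when the IV is drawn from os.urandom. To stay dependency-free it uses a constructed SHA-256 Feistel network as a stand-in for AES (the attack only relies on CBC's structure, not on the block cipher); the key, the secret block and the candidate guesses are likewise constructed sample data.

```python
import hashlib
import os

BLOCK = 16  # AES block size; the toy cipher below uses the same width


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round_fn(key: bytes, half: bytes, rnd: int) -> bytes:
    # Round function of the constructed Feistel cipher (stand-in for AES).
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]


def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    """8-round Feistel permutation over a 16-byte block (constructed, not AES)."""
    assert len(block) == BLOCK
    left, right = block[:8], block[8:]
    for rnd in range(8):
        left, right = right, xor(left, _round_fn(key, right, rnd))
    return left + right


def toy_block_decrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:8], block[8:]
    for rnd in reversed(range(8)):
        left, right = xor(right, _round_fn(key, left, rnd)), left
    return left + right


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Plain CBC: C_i = E(P_i XOR C_{i-1}), with C_0 = IV."""
    assert len(plaintext) % BLOCK == 0
    out, prev = [], iv
    for i in range(0, len(plaintext), BLOCK):
        prev = toy_block_encrypt(key, xor(plaintext[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(ciphertext), BLOCK):
        cur = ciphertext[i:i + BLOCK]
        out.append(xor(toy_block_decrypt(key, cur), prev))
        prev = cur
    return b"".join(out)


class CbcEncryptor:
    """Models a gateway that CBC-encrypts every packet under one key.

    predictable_iv=True derives the IV from a packet counter (the CWE-329
    pattern); False uses a fresh random IV per packet.
    """

    def __init__(self, key: bytes, predictable_iv: bool):
        self.key = key
        self.predictable_iv = predictable_iv
        self.counter = 0

    def next_iv(self) -> bytes:
        self.counter += 1
        if self.predictable_iv:
            return self.counter.to_bytes(BLOCK, "big")  # anyone watching traffic can guess this
        return os.urandom(BLOCK)

    def encrypt(self, plaintext: bytes):
        iv = self.next_iv()
        return iv, cbc_encrypt(self.key, iv, plaintext)


def guess_secret_block(enc: CbcEncryptor, secret_iv: bytes, secret_ct_block: bytes, candidates):
    """Chosen-plaintext attack on CBC with a guessable IV.

    The attacker saw (secret_iv, secret_ct_block) = (IV_s, E(P_s XOR IV_s)) and
    can get arbitrary plaintexts encrypted. If it can predict the next IV_n, it
    submits P' = G XOR IV_s XOR IV_n; the gateway returns E(P' XOR IV_n) =
    E(G XOR IV_s), which equals secret_ct_block exactly when G == P_s.
    Returns the matching candidate, or None if no guess is confirmed.
    """
    for cand in candidates:
        predicted_iv = (enc.counter + 1).to_bytes(BLOCK, "big")  # attacker assumes counter IVs
        chosen = xor(xor(cand, secret_iv), predicted_iv)
        _iv, ct = enc.encrypt(chosen)
        if ct[:BLOCK] == secret_ct_block:
            return cand
    return None


def demo(predictable_iv: bool):
    key = b"constructed-key!"            # 16-byte sample key (constructed)
    enc = CbcEncryptor(key, predictable_iv)
    secret = b"password=hunter2"         # one secret block, constructed sample
    secret_iv, secret_ct = enc.encrypt(secret)
    candidates = [b"password=letmein", b"password=hunter2", b"password=qwerty1"]
    return guess_secret_block(enc, secret_iv, secret_ct[:BLOCK], candidates)


if __name__ == "__main__":
    print("counter IV  ->", demo(True))   # secret recovered
    print("random IV   ->", demo(False))  # no candidate confirmed
```

With the counter-derived IV the attacker confirms the secret block with one chosen packet per guess; with a random IV the prediction is wrong and every guess fails, which is exactly the property RFC 3602 demands of AES-CBC IVs in ESP (random and unpredictable). Note that a unique IV is not the same as an unpredictable one: the counter IVs here never repeat and the attack still works.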