#VU63630 Resource exhaustion in DPDK - CVE-2022-0669

Cybersecurity Help s.r.o.

Published: 2022-05-25 | Updated: 2022-05-25

Vulnerability identifier: #VU63630

Vulnerability risk: Low

CVSSv4.0: 5.5 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H/E:U/U:Clear]

CVE-ID: CVE-2022-0669

CWE-ID: CWE-400

Exploitation vector: Local

Exploit availability: No

Vulnerable software:
DPDK
Server applications / Frameworks for developing and running applications

Vendor: DPDK Project

Description

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to DPDK incorrectly handles inflight type messages. A local user can exhaust available fd in the vhost-user slave process and perform a denial of service attack.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

DPDK: 1.7.1, 1.8.0, 16.04 - 16.11.11, 17.02 - 17.11.10, 18.02 - 18.11.11, 19.02 - 19.11.11

External links
https://bugzilla.redhat.com/show_bug.cgi?id=2055793

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

openEuler update for dpdk

SUSE update for dpdk

Red Hat Enterprise Linux Fast Datapath 8 update for openvswitch

Fast Datapath for Red Hat Enterprise Linux 8 update for openvswitch2.13

Fast Datapath for Red Hat Enterprise Linux 8 update for openvswitch2.15

Denial of service in DPDK

Debian update for dpdk

Ubuntu update for dpdk