CVE-2023-49062

2023-11-2816:15:07

CWE-665

[email protected]

web.nvd.nist.gov

katran

ip header

vulnerability

cve-2023-49062

nvd

kernel memory

disclosure

ipv4

icmp

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

0.001 Low

EPSS

Percentile

37.3%

JSON

Katran could disclose non-initialized kernel memory as part of an IP header. The issue was present for IPv4 encapsulation and ICMP (v4) Too Big packet generation. After a bpf_xdp_adjust_head call, Katran code didn’t initialize the Identification field for the IPv4 header, resulting in writing content of kernel memory in that field of IP header. The issue affected all Katran versions prior to commit 6a03106ac1eab39d0303662963589ecb2374c97f

Affected configurations

NVD

Node

facebookkatranRange<2023-11-15

CPENameOperatorVersion
facebook:katranfacebook katranlt2023-11-15

CPE	Name	Operator	Version
facebook:katran	facebook katran	lt	2023-11-15

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "Katran",
    "vendor": "Facebook",
    "versions": [
      {
        "lessThan": "6a03106ac1eab39d0303662963589ecb2374c97f",
        "status": "affected",
        "version": "0",
        "versionType": "git"
      }
    ]
  }
]