CVE-2023-38283

In OpenBGPD before 8.1, incorrect handling of BGP update data (length of path attributes) set by a potentially distant remote actor may cause the system to incorrectly reset a session. This is fixed in OpenBSD 7.3 errata 006.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
5.3 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
Affected Products (NVD)
VendorProductVersion
openbgpdopenbgpd
𝑥
< 8.1
𝑥
= Vulnerable software versions
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
VendorProductVersionSource
bgpopenbgpd
𝑥
< 8.1
ADP
Debian logo
Debian Releases
Debian Product
Codename
openbgpd
bookworm
no-dsa
sid
8.7-1
fixed
trixie
8.7-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
openbgpd
bionic
ignored
focal
dne
jammy
needs-triage
lunar
ignored
mantic
ignored
noble
needs-triage
oracular
needs-triage
trusty
ignored
xenial
ignored
Common Weakness Enumeration
References
https://blog.benjojo.co.uk/post/bgp-path-attributes-grave-error-handling
https://ftp.openbsd.org/pub/OpenBSD/patches/7.3/common/006_bgpd.patch.sig
https://github.com/openbgpd-portable/openbgpd-portable/releases/tag/8.1
https://news.ycombinator.com/item?id=37305800
https://www.openbsd.org/errata73.html
https://blog.benjojo.co.uk/post/bgp-path-attributes-grave-error-handling
https://ftp.openbsd.org/pub/OpenBSD/patches/7.3/common/006_bgpd.patch.sig
https://github.com/openbgpd-portable/openbgpd-portable/releases/tag/8.1
https://news.ycombinator.com/item?id=37305800
https://www.openbsd.org/errata73.html