CVE-2023-38283

In OpenBGPD before 8.1, incorrect handling of BGP update data (length of path attributes) set by a potentially distant remote actor may cause the system to incorrectly reset a session. This is fixed in OpenBSD 7.3 errata 006.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
5.3 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
mitreCNA
---
---
CVEADP
---
---
CISA-ADPADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 27%
VendorProductVersion
openbgpdopenbgpd
𝑥
< 8.1
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
openbgpd
bookworm
no-dsa
trixie
8.7-1
fixed
sid
8.7-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
openbgpd
oracular
needs-triage
noble
needs-triage
mantic
ignored
lunar
ignored
jammy
needs-triage
focal
dne
bionic
ignored
xenial
ignored
trusty
ignored
Common Weakness Enumeration
References
https://blog.benjojo.co.uk/post/bgp-path-attributes-grave-error-handling
https://ftp.openbsd.org/pub/OpenBSD/patches/7.3/common/006_bgpd.patch.sig
https://github.com/openbgpd-portable/openbgpd-portable/releases/tag/8.1
https://news.ycombinator.com/item?id=37305800
https://www.openbsd.org/errata73.html
https://blog.benjojo.co.uk/post/bgp-path-attributes-grave-error-handling
https://ftp.openbsd.org/pub/OpenBSD/patches/7.3/common/006_bgpd.patch.sig
https://github.com/openbgpd-portable/openbgpd-portable/releases/tag/8.1
https://news.ycombinator.com/item?id=37305800
https://www.openbsd.org/errata73.html