CVE-2022-37032
Publication date 19 September 2022
Last updated 24 July 2024
Ubuntu priority
An out-of-bounds read in the BGP daemon of FRRouting FRR before 8.4 may lead to a segmentation fault and denial of service. This occurs in bgp_capability_msg_parse in bgpd/bgp_packet.c.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| frr | 24.04 LTS noble |
Fixed 8.1-1ubuntu3
|
| 22.04 LTS jammy |
Fixed 8.1-1ubuntu1.2
|
|
| 20.04 LTS focal |
Fixed 7.2.1-1ubuntu0.2+esm2
|
|
| 18.04 LTS bionic | Not in release | |
| 16.04 LTS xenial | Ignored | |
| 14.04 LTS trusty | Ignored | |
| quagga | 24.04 LTS noble | Not in release |
| 22.04 LTS jammy | Not in release | |
| 20.04 LTS focal |
Fixed 1.2.4-4ubuntu0.4
|
|
| 18.04 LTS bionic |
Vulnerable
|
|
| 16.04 LTS xenial |
Vulnerable
|
|
| 14.04 LTS trusty | Ignored |
Get expanded security coverage with Ubuntu Pro
Reduce your average CVE exposure time from 98 days to 1 day with expanded CVE patching, ten-years security maintenance and optional support for the full stack of open-source applications. Free for personal use.
Get Ubuntu ProNotes
mdeslaur
code is similar in quagga, probably vulnerable the frr patch for this issue is incompatible with quagga, as is requires the size of the struct to be changed: https://github.com/FRRouting/frr/commit/a46a2e9b4e8de782ac07e01429a80ed7ec167dcb changing the size of that struct causes s390x to fail tests.
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score |
9.1 · Critical
|
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity impact | None |
| Availability impact | High |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H |
References
Related Ubuntu Security Notices (USN)
- USN-5685-1
- FRR vulnerabilities
- 18 October 2022
- USN-6482-1
- Quagga vulnerabilities
- 15 November 2023
- USN-6807-1
- FRR vulnerabilities
- 5 June 2024