{
  "threat_severity" : "Moderate",
  "public_date" : "2021-09-29T00:00:00Z",
  "bugzilla" : {
    "description" : "openvswitch: External triggered memory leak in Open vSwitch while processing fragmented packets",
    "id" : "2019692",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2019692"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-401",
  "details" : [ "A memory leak was found in Open vSwitch (OVS) during userspace IP fragmentation processing. An attacker could use this flaw to potentially exhaust available memory by keeping sending packet fragments.", "A memory leak was found in Open vSwitch (OVS) during userspace IP fragmentation processing. An attacker could use this flaw to potentially exhaust available memory by keeping sending packet fragments." ],
  "statement" : "Red Hat Enterprise Linux 7 provides the `openvswitch` package only through the unsupported Optional repository. Customers are advised to install Open vSwitch (OVS) from RHEL Fast Datapath instead.\nRed Hat OpenStack Platform deployments are not affected because they use OVS/OVN directly from the Fast Datapath channel. Any updates will be distributed through that channel.",
  "affected_release" : [ {
    "product_name" : "Fast Datapath for Red Hat Enterprise Linux 8",
    "release_date" : "2022-01-10T00:00:00Z",
    "advisory" : "RHBA-2022:0051",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8::fastdatapath",
    "package" : "openvswitch2.13-0:2.13.0-139.el8fdp"
  }, {
    "product_name" : "Fast Datapath for Red Hat Enterprise Linux 8",
    "release_date" : "2022-01-10T00:00:00Z",
    "advisory" : "RHBA-2022:0052",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8::fastdatapath",
    "package" : "openvswitch2.15-0:2.15.0-55.el8fdp"
  }, {
    "product_name" : "Fast Datapath for Red Hat Enterprise Linux 8",
    "release_date" : "2022-08-01T00:00:00Z",
    "advisory" : "RHBA-2022:5792",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8::fastdatapath",
    "package" : "openvswitch2.16-0:2.16.0-86.el8fdp"
  } ],
  "package_state" : [ {
    "product_name" : "Fast Datapath for RHEL 7",
    "fix_state" : "Not affected",
    "package_name" : "openvswitch",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7::fastdatapath"
  }, {
    "product_name" : "Fast Datapath for RHEL 7",
    "fix_state" : "Not affected",
    "package_name" : "openvswitch2.11",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7::fastdatapath"
  }, {
    "product_name" : "Fast Datapath for RHEL 7",
    "fix_state" : "Out of support scope",
    "package_name" : "openvswitch2.12",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7::fastdatapath"
  }, {
    "product_name" : "Fast Datapath for RHEL 7",
    "fix_state" : "Will not fix",
    "package_name" : "openvswitch2.13",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7::fastdatapath"
  }, {
    "product_name" : "Fast Datapath for RHEL 8",
    "fix_state" : "Not affected",
    "package_name" : "openvswitch2.11",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8::fastdatapath"
  }, {
    "product_name" : "Fast Datapath for RHEL 8",
    "fix_state" : "Out of support scope",
    "package_name" : "openvswitch2.12",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8::fastdatapath"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Out of support scope",
    "package_name" : "openvswitch",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Will not fix",
    "package_name" : "openvswitch2.13",
    "cpe" : "cpe:/a:redhat:openshift:4"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Will not fix",
    "package_name" : "openvswitch2.15",
    "cpe" : "cpe:/a:redhat:openshift:4"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Will not fix",
    "package_name" : "openvswitch2.16",
    "cpe" : "cpe:/a:redhat:openshift:4"
  }, {
    "product_name" : "Red Hat OpenStack Platform 10 (Newton)",
    "fix_state" : "Not affected",
    "package_name" : "openvswitch",
    "cpe" : "cpe:/a:redhat:openstack:10"
  }, {
    "product_name" : "Red Hat OpenStack Platform 13 (Queens)",
    "fix_state" : "Not affected",
    "package_name" : "openvswitch",
    "cpe" : "cpe:/a:redhat:openstack:13"
  }, {
    "product_name" : "Red Hat OpenStack Platform 13 (Queens)",
    "fix_state" : "Not affected",
    "package_name" : "openvswitch2.11",
    "cpe" : "cpe:/a:redhat:openstack:13"
  }, {
    "product_name" : "Red Hat OpenStack Platform 13 (Queens)",
    "fix_state" : "Not affected",
    "package_name" : "rhosp-openvswitch",
    "cpe" : "cpe:/a:redhat:openstack:13"
  }, {
    "product_name" : "Red Hat OpenStack Platform 16.1",
    "fix_state" : "Not affected",
    "package_name" : "rhosp-openvswitch",
    "cpe" : "cpe:/a:redhat:openstack:16.1"
  }, {
    "product_name" : "Red Hat OpenStack Platform 16.2",
    "fix_state" : "Not affected",
    "package_name" : "rhosp-openvswitch",
    "cpe" : "cpe:/a:redhat:openstack:16.2"
  }, {
    "product_name" : "Red Hat Virtualization 4",
    "fix_state" : "Not affected",
    "package_name" : "openvswitch2.11",
    "cpe" : "cpe:/o:redhat:rhev_hypervisor:4"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2021-3905\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-3905" ],
  "name" : "CVE-2021-3905",
  "csaw" : false
}