CVE-2025-0650

Summary

A flaw was found in the Open Virtual Network (OVN). Specially crafted UDP packets may bypass egress access control lists (ACLs) in OVN installations configured with a logical switch with DNS records set on it and if the same switch has any egress ACLs configured. This issue can lead to unauthorized access to virtual machines and containers running on the OVN network.

Affected Software

VendorProductVersion RangeStatus
22.03.8unaffected
24.03.5unaffected
24.09.2unaffected
Red HatFast Datapath for Red Hat Enterprise Linux 80:22.03.7-11.el8fdp < *unaffected
Red HatFast Datapath for Red Hat Enterprise Linux 80:22.06.0-273.el8fdp < *unaffected
Red HatFast Datapath for Red Hat Enterprise Linux 80:22.09.2-86.el8fdp < *unaffected
Red HatFast Datapath for Red Hat Enterprise Linux 80:22.12.1-107.el8fdp < *unaffected
Red HatFast Datapath for Red Hat Enterprise Linux 80:23.03.3-22.el8fdp < *unaffected
Red HatFast Datapath for Red Hat Enterprise Linux 80:23.06.4-26.el8fdp < *unaffected
Red HatFast Datapath for Red Hat Enterprise Linux 90:22.03.7-11.el9fdp < *unaffected
Red HatFast Datapath for Red Hat Enterprise Linux 90:22.06.0-273.el9fdp < *unaffected
Red HatFast Datapath for Red Hat Enterprise Linux 90:22.09.2-86.el9fdp < *unaffected
Red HatFast Datapath for Red Hat Enterprise Linux 90:22.12.1-107.el9fdp < *unaffected
Red HatFast Datapath for Red Hat Enterprise Linux 90:23.03.3-22.el9fdp < *unaffected
Red HatFast Datapath for Red Hat Enterprise Linux 90:23.06.4-26.el9fdp < *unaffected
Red HatFast Datapath for Red Hat Enterprise Linux 90:23.09.6-12.el9fdp < *unaffected
Red HatFast Datapath for Red Hat Enterprise Linux 90:24.03.4-53.el9fdp < *unaffected
Red HatFast Datapath for Red Hat Enterprise Linux 90:24.09.1-66.el9fdp < *unaffected

Weaknesses

  • CWE-284: Improper Access Control

Workarounds

Red Hat Product Security has not identified any mitigations at this time. We recommend updating to a known patched version of OVN.

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References