NVD Vulnerability Detail

CVE-2019-5892

Summary	bgpd in FRRouting FRR (aka Free Range Routing) 2.x and 3.x before 3.0.4, 4.x before 4.0.1, 5.x before 5.0.2, and 6.x before 6.0.2 (not affecting Cumulus Linux or VyOS), when ENABLE_BGP_VNC is used for Virtual Network Control, allows remote attackers to cause a denial of service (peering session flap) via attribute 255 in a BGP UPDATE packet. This occurred during Disco in January 2019 because FRR does not implement RFC 7606, and therefore the packets with 255 were considered invalid VNC data and the BGP session was closed.
Publication Date	Jan. 11, 2019, 2:29 a.m.
Registration Date	Jan. 26, 2021, 11:43 a.m.
Last Update	Nov. 21, 2024, 1:45 p.m.

Affected software configurations

Related information, measures and tools

No	URL	タグ
1	https://frrouting.org/community/security/cve-2019-5892.html	Vendor Advisory
2	https://frrouting.org/community/security/cve-2019-5892.html	Vendor Advisory
3	https://github.com/FRRouting/frr/commit/943d595a018e69b550db08cccba1d0778a86705a	Patch Third Party Advisory
4	https://github.com/FRRouting/frr/commit/943d595a018e69b550db08cccba1d0778a86705a	Patch Third Party Advisory
5	https://github.com/FRRouting/frr/releases/tag/frr-3.0.4	Release Notes Third Party Advisory
6	https://github.com/FRRouting/frr/releases/tag/frr-3.0.4	Release Notes Third Party Advisory
7	https://github.com/FRRouting/frr/releases/tag/frr-4.0.1	Release Notes Third Party Advisory
8	https://github.com/FRRouting/frr/releases/tag/frr-4.0.1	Release Notes Third Party Advisory
9	https://github.com/FRRouting/frr/releases/tag/frr-5.0.2	Release Notes Third Party Advisory
10	https://github.com/FRRouting/frr/releases/tag/frr-5.0.2	Release Notes Third Party Advisory
11	https://github.com/FRRouting/frr/releases/tag/frr-6.0.2	Release Notes Third Party Advisory
12	https://github.com/FRRouting/frr/releases/tag/frr-6.0.2	Release Notes Third Party Advisory
13	https://lists.frrouting.org/pipermail/frog/2019-January/000404.html	Patch Vendor Advisory
14	https://lists.frrouting.org/pipermail/frog/2019-January/000404.html	Patch Vendor Advisory

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-436	解釈の競合	https://cwe.mitre.org/data/definitions/436.html

JVN Vulnerability Information

FRRouting における入力確認に関する脆弱性

Title	FRRouting における入力確認に関する脆弱性
Summary	FRRouting には、入力確認に関する脆弱性が存在します。
Possible impacts	サービス運用妨害 (DoS) 状態にされる可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	Jan. 7, 2019, midnight
Registration Date	March 5, 2019, 6:01 p.m.
Last Update	March 5, 2019, 6:01 p.m.

Affected System

FRRouting Project

FRRouting 3.0.4 未満の 2.x および 3.x

FRRouting 4.0.1 未満の 4.x

FRRouting 5.0.2 未満の 5.x

FRRouting 6.0.2 未満の 6.x

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2019-5892	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5892
FRRouting
2	CVE-2019-5892	https://frrouting.org/community/security/cve-2019-5892.html
National Vulnerability Database (NVD)
3	CVE-2019-5892	https://nvd.nist.gov/vuln/detail/CVE-2019-5892

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-20	https://jvndb.jvn.jp/ja/cwe/CWE-20.html

ベンダー情報

No	Name	URL
FRRouting
1	[FROG] New Releases of FRR	https://lists.frrouting.org/pipermail/frog/2019-January/000404.html
GitHub
2	bgpd: don't use BGP_ATTR_VNC(255) unless ENABLE_BGP_VNC_ATTR is defined	https://github.com/FRRouting/frr/commit/943d595a018e69b550db08cccba1d0778a86705a
3	FRR 3.0.4 Release	https://github.com/FRRouting/frr/releases/tag/frr-3.0.4
4	FRR 4.0.1 Release	https://github.com/FRRouting/frr/releases/tag/frr-4.0.1
5	FRR 5.0.2 Release	https://github.com/FRRouting/frr/releases/tag/frr-5.0.2
6	FRR 6.0.2 Release	https://github.com/FRRouting/frr/releases/tag/frr-6.0.2

Change Log

No	Changed Details	Date of change
1	[2019年03月05日] 掲載	March 5, 2019, 6:01 p.m.