CVE-2023-49062

Name of the Vulnerable Software and Affected Versions Katran versions prior to commit 6a03106ac1eab39d0303662963589ecb2374c97f

Description The issue allows Katran to disclose non-initialized kernel memory as part of an IP header. This occurs in IPv4 encapsulation and ICMP (v4) Too Big packet generation. After a bpf xdp adjust head call, the Katran code fails to initialize the Identification field for the IPv4 header, resulting in the writing of kernel memory content in that field of the IP header.

Recommendations For all versions prior to commit 6a03106ac1eab39d0303662963589ecb2374c97f, update to a version that includes the fix for this issue. As a temporary workaround, consider restricting the use of IPv4 encapsulation and ICMP (v4) Too Big packet generation until a patch is available.