CVE-2023-3153: 
Podman vulnerability analysis and mitigation

CVE-2023-3153 affects Open Virtual Network (OVN) where the service monitor MAC does not properly rate limit. The vulnerability was discovered in June 2023 and affects all OVN releases from 20.03 to 23.06. The service monitor MAC is used by OVN for load balancer health checks and can be either explicitly configured or randomly generated (OVN Announce).

The vulnerability exists in the service monitor MAC flow implementation where packets with a specific destination MAC address within the switch are sent directly to the pinctrl thread in ovn-controller without proper rate limiting, even on deployments with CoPP enabled and configured. The issue has been assigned a CVSS v3.1 base score of 5.3 (Medium) with vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L (NVD).

If an attacker learns the svcmonitormac, they could potentially cause a denial of service by continuously sending traffic to the svcmonitormac, resulting in continuous upcalls to ovn-controller. This can drive up the CPU usage of ovn-controller and prevent Open vSwitch from handling legitimate traffic (OVN Announce).

The vulnerability has been patched in OVN versions 22.03.3, 22.09.2, 22.12.1, 23.03.1, and 23.06.1 or higher. Administrators should upgrade to these versions and enable control plane protection (CoPP) for the new 'svcmonitor' meter on logical switches, especially for those accepting traffic from the public internet. Additional mitigations include restricting access to the northbound database and virtual machines attached to br-int, and periodically clearing the NBGlobal options:svcmonitormac to generate a new random MAC address (OVN Announce, GitHub Patch).