Bug 1447185 (CVE-2017-1000357)

Summary: CVE-2017-1000357 opendaylight: odl-l2switch-switch feature does not handle closed-stream error
Product: [Other] Security Response Reporter: Summer Long <slong>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: aortega, apevec, ayoung, chrisw, cvsbot-xmlrpc, jjoyce, jschluet, kbasil, lhh, lpeer, markmc, mkolesni, nyechiel, rbryant, sclewis, skitt, tdecacqu
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-05-04 05:37:15 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1447861    
Bug Blocks: 1444269    

Description Summer Long 2017-05-02 04:50:47 UTC 
Denial of Service attack when the switch rejects receiving packets from the controller. This vulnerability affects OpenDaylight's odl-l2switch-switch, which is the feature responsible for the OpenFlow communication. 

From thesis: https://aaltodoc.aalto.fi/bitstream/handle/123456789/21584/master_Bidaj_Andi_2016.pdf?sequence=1
Vulnerability 1: The exploit connects to the OpenDaylight controller running in localhost, port 6653, and sends 100 000 OpenFlow hello packets. Afterwards, the sender closes the stream. The controller tries to send a hello packet for each connection, but the malicious script does not receive any data because stream.recv() is missing. The thread that manages the connection with the exploit does not terminate immediately after the stream is closed. As a result, the number of threads of the controller process grows exponentially until it reaches the maximum number of threads allowed in the running machine (around 32000 threads in our case). Subsequently, the controller crashes.
Comment 1 Summer Long 2017-05-02 04:51:08 UTC 
External References:

https://aaltodoc.aalto.fi/bitstream/handle/123456789/21584/master_Bidaj_Andi_2016.pdf?sequence=1
Comment 2 Summer Long 2017-05-02 04:54:52 UTC 
Acknowledgments:

Name: OpenDaylight project
Comment 3 Summer Long 2017-05-04 05:30:49 UTC 
Created opendaylight tracking bugs for this issue:

Affects: openstack-rdo [bug 1447861]
Comment 4 Summer Long 2017-05-04 05:34:37 UTC 
Statement: 

Because the odl-l2switch-switch feature has never been packaged for Red Hat OpenStack Platform, this flaw does not affect any RHOSP version.