Bug 1447190 (CVE-2017-1000358)

Summary: CVE-2017-1000358 opendaylight: uncaught exception by odl-restconf feature
Product: [Other] Security Response Reporter: Summer Long <slong>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: aortega, apevec, ayoung, chrisw, cvsbot-xmlrpc, jjoyce, jschluet, kbasil, lhh, lpeer, markmc, mkolesni, nyechiel, rbryant, sclewis, tdecacqu
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-08-08 00:38:52 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1447863, 1447864    
Bug Blocks: 1444269    

Description Summer Long 2017-05-02 05:08:44 UTC 
Denial of Service in OpenDaylight (adding flows). Controller throws an exception and does not allow user to add subsequent flows for a particular switch.
From thesis: https://aaltodoc.aalto.fi/bitstream/handle/123456789/21584/master_Bidaj_Andi_2016.pdf?sequence=1

Vulnerability 2: The exploit sends several equal REST API requests to add [a flow]. The first requests are successful and the controller returns the transaction ID. After a certain number of successful requests, the controller returns the stack trace of a NullPointerException in the HTTP response. Afterwards, the user is not able to add flows to the same switch, unless the controller is restarted.
Comment 2 Summer Long 2017-05-02 05:09:11 UTC 
Acknowledgments:

Name: OpenDaylight project
Upstream: Andi Bidaj
Comment 4 Summer Long 2017-05-04 05:42:26 UTC 
Created opendaylight tracking bugs for this issue:

Affects: openstack-rdo [bug 1447863]
Comment 5 Summer Long 2017-05-24 04:46:21 UTC 
Mitigation from upstream: https://wiki.opendaylight.org/view/Security_Advisories

Ensuring that only restricted users can add flows to devices and that they do not repeatedly add the same flow should minimize or eliminate risk of the attack.
Comment 8 Andrej Nemec 2018-05-14 11:55:25 UTC 
Statement: 

This issue affects OpenDaylight in Red Hat OpenStack Platform 12.0 (Pike). However, OpenDaylight is only supported in segregated management networks; by default, at worst, this flaw would only be exposed on an admin network. For this reason, Red Hat Product Security has rated this issue as having security impact of Low. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.