Bug 1533501 (CVE-2018-1078)

Summary: CVE-2018-1078 opendaylight: Insecure behavior in node reconciliation process
Product: [Other] Security Response Reporter: Pedro Sampaio <psampaio>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: apevec, chrisw, dbecker, jjoyce, jpadman, jschluet, kbasil, lhh, lpeer, markmc, mburns, mkolesni, psampaio, rbryant, sclewis, scohen, security-response-team, slinaber, tdecacqu
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
It was found that all flows, including active and inactive, in the config datastore are installed back in the switch upon reconnection, as part of the node reconciliation process in OpenDayLight. This may lead to denial of service via table overflow or possibly circumventing of the controller's control.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2019-04-08 10:23:06 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1530427, 1533502, 1555485    

Description Pedro Sampaio 2018-01-11 14:13:01 UTC 
It was found that all the flows, including active and inactive, in the config datastore are installed back in switch upon reconnection, as part of the node reconciliation process in OpenDayLight. This may lead to denial of service via table overflow or possibly circumventiagn of controller's control.
Comment 1 Josh Hershberg 2018-01-15 09:53:12 UTC 
Can you please specify how this could cause a DoS? The reconciliation process does push all flows to the switch but it is not additive. After reconciliation the switch will have only the flows that ODL wants it to have and no more. Or am I missing something?
Comment 3 Joshua Padman 2018-01-18 11:49:09 UTC 
Acknowledgments:

Name: Vaibhav Hemant Dixit (Arizona State University)
Comment 4 Garth Mollett 2018-03-14 23:59:45 UTC 
*** Bug 1555473 has been marked as a duplicate of this bug. ***
Comment 5 Sam Fowler 2018-03-19 02:23:26 UTC 
Upstream Issue:

https://jira.opendaylight.org/browse/OPNFLWPLUG-971
Comment 6 Joshua Padman 2019-04-08 10:23:06 UTC 
There is currently no resolution upstream and it seems unlikely there will be a resolution. OpenDaylight was technical preview prior to OpenStack 13 and will be deprecated in OpenStack 14.
Refer to the following URL for more information about the deprecation of OpenDaylight.
https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/14/html-single/release_notes/index#deprecated_functionality