Bug 1576947 (CVE-2018-1132)
Summary: | CVE-2018-1132 Opendaylight: SDNInterfaceapp SQL Injection | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Pedro Sampaio <psampaio> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED NOTABUG | QA Contact: | |
Severity: | low | Docs Contact: | |
Priority: | low | ||
Version: | unspecified | CC: | apevec, chrisw, jjoyce, jschluet, kbasil, lhh, lpeer, markmc, mburns, mkolesni, rbryant, sclewis, security-response-team, slinaber, tdecacqu |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | If docs needed, set a value | |
Doc Text: |
A flaw was found in Opendaylight's SDNInterfaceapp (SDNI). Attackers can SQL inject the component's database (SQLite) without authenticating to the controller or SDNInterfaceapp.
|
Story Points: | --- |
Clone Of: | Environment: | ||
Last Closed: | 2019-06-10 10:22:40 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | |||
Bug Blocks: | 1576948 |
Description
Pedro Sampaio
2018-05-10 19:47:31 UTC
Audited opendaylight packaging, and we don't include this component in our packages for opendaylight. The ODL module implicated in this CVE (org.opendaylight.sdninterfaceapp.*) would only be present on RHOSP OpenDayLight if manually installed via karaf, which is outside of our control. Reviewing the source code mentioned, input to the SQL query on line 377 is clearly not being sanitised - based on a review of the parameters being included in the SQL query, outside manipulation of these variables seems unlikely, and the difficulty to exploit, high. The parameters in question are being exchanged between federated OpenDayLight installs, so the level of trust required is higher than general network access. Marking notaffected based on this code not being packaged. A patch will not be released for this flaw, given the component is not part of RHOSP. The upstream project has made this flaw public, and stated that a patch will not be released due to the component being deprecated from the Carbon release onwards. Acknowledgments: Name: Feng Xiao (Wuhan University), Jianwei Huang (Wuhan University) Statement: SDNInterface has been deprecated in OpenDayLight since it was last used in the final Carbon series release. In addition to the component not being included in OpenDayLight in newer releases, the SDNInterface component is not included in the RHOSP package for opendaylight External References: https://jira.opendaylight.org/browse/SDNINTRFAC-14 |