Bug 1576947 (CVE-2018-1132)

Summary: CVE-2018-1132 Opendaylight: SDNInterfaceapp SQL Injection
Product: [Other] Security Response
Reporter: Pedro Sampaio <psampaio>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
Severity: low
Priority: low
Version: unspecified
CC: apevec, chrisw, jjoyce, jschluet, kbasil, lhh, lpeer, markmc, mburns, mkolesni, rbryant, sclewis, security-response-team, slinaber, tdecacqu
Keywords: Security
Hardware: All
OS: Linux
Doc Text: A flaw was found in Opendaylight's SDNInterfaceapp (SDNI). Attackers can SQL inject the component's database (SQLite) without authenticating to the controller or SDNInterfaceapp.
Last Closed: 2019-06-10 10:22:40 UTC
Bug Blocks: 1576948

Description Pedro Sampaio 2018-05-10 19:47:31 UTC
A flaw was found in Opendaylight's SDNInterfaceapp (SDNI). Attackers can SQL inject the component's database (SQLite) without authenticating to the controller or SDNInterfaceapp.

The bug is in /impl/src/main/java/org/opendaylight/sdninterfaceapp/impl/database/SdniDataBase.java (line 373~391)

Comment 1 James Hebden 2018-05-11 04:13:40 UTC
Audited opendaylight packaging, and we don't include this component in our packages for opendaylight. 

The ODL module implicated in this CVE (org.opendaylight.sdninterfaceapp.*) would only be present on RHOSP OpenDayLight if manually installed via karaf, which is outside of our control.

Reviewing the source code mentioned, input to the SQL query on line 377 is clearly not being sanitised - based on a review of the parameters being included in the SQL query, outside manipulation of these variables seems unlikely, and the difficulty to exploit, high. The parameters in question are being exchanged between federated OpenDayLight installs, so the level of trust required is higher than general network access.

Marking notaffected based on this code not being packaged.
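
Added example (not part of the original comment, and not the SdniDataBase.java code, which this page does not show): the unsanitised-query pattern described in Comment 1, next to the bound-parameter form, using Python's standard `sqlite3` module rather than the project's Java. The table, column names and peer values are constructed for illustration.

```python
import sqlite3

# Constructed schema for illustration; the real SDNI tables are not shown on the page.
SCHEMA = "CREATE TABLE peer_link (controller TEXT, link_id TEXT, bandwidth INTEGER)"


def new_db():
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    return db


def store_concat(db, controller, link_id, bandwidth):
    """Unsanitised pattern: peer-supplied values become part of the SQL text."""
    sql = "INSERT INTO peer_link VALUES ('%s', '%s', %s)" % (controller, link_id, bandwidth)
    db.execute(sql)


def store_bound(db, controller, link_id, bandwidth):
    """Hardened pattern: the SQL text is constant and values are bound as data."""
    db.execute("INSERT INTO peer_link VALUES (?, ?, ?)",
               (controller, link_id, int(bandwidth)))


def rows(db):
    return db.execute("SELECT controller, link_id, bandwidth FROM peer_link").fetchall()


def compare(link_id, bandwidth=1000):
    """Store the same peer message both ways and return what each table holds."""
    out = {}
    for name, store in (("concat", store_concat), ("bound", store_bound)):
        db = new_db()
        try:
            store(db, "odl-peer-1", link_id, bandwidth)
            out[name] = rows(db)
        except sqlite3.Error as exc:
            out[name] = type(exc).__name__  # statement no longer parses
    return out


# Constructed sample values, as a federated peer might send them.
QUOTED_NAME = "core'sw1"   # legitimate value that happens to contain a quote
REWRITING = "l1', 0) --"   # value that changes the structure of the statement

if __name__ == "__main__":
    for sample in ("l1", QUOTED_NAME, REWRITING):
        print(repr(sample), compare(sample))
```

With the string-built query, the quoted name fails to parse and the second value stores a bandwidth the peer message never carried; with bound parameters both values are stored verbatim as `link_id`.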

Comment 2 James Hebden 2018-05-22 05:11:07 UTC
A patch will not be released for this flaw, given the component is not part of RHOSP. The upstream project has made this flaw public, and stated that a patch will not be released due to the component being deprecated from the Carbon release onwards.

Comment 3 James Hebden 2018-05-22 10:47:19 UTC
Acknowledgments:

Name: Feng Xiao (Wuhan University), Jianwei Huang (Wuhan University)

Comment 4 James Hebden 2018-05-22 10:47:29 UTC
Statement:

SDNInterface has been deprecated in OpenDayLight since it was last used in the final Carbon series release. In addition to the component not being included in OpenDayLight in newer releases, the SDNInterface component is not included in the RHOSP package for opendaylight.

Comment 5 James Hebden 2018-05-22 10:47:38 UTC
External References:

https://jira.opendaylight.org/browse/SDNINTRFAC-14