Bug 1447185 – CVE-2017-1000357 opendaylight: odl-l2switch-switch feature does not handle closed-stream error

Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.

Bug 1447185 - (CVE-2017-1000357) CVE-2017-1000357 opendaylight: odl-l2switch-switch feature does not handle closed-stream error

Summary:	CVE-2017-1000357 opendaylight: odl-l2switch-switch feature does not handle cl...

Status:	CLOSED NOTABUG

Aliases:	CVE-2017-1000357

Product:	Security Response
Classification:	Other
Component:	vulnerability (Show other bugs)
Sub Component:
Version:	unspecified
Hardware:	All Linux

Priority	high Severity high
Target Milestone:	---
Target Release:	---
Assigned To:	Red Hat Product Security
QA Contact:
Docs Contact:

URL:
Whiteboard:	impact=important,public=20170421,repo...
Keywords:	Security

Depends On:	1447861
Blocks:	1444269
	Show dependency tree / graph

Reported:	2017-05-02 00:50 EDT by Summer Long
Modified:	2017-05-04 01:37 EDT (History)
CC List:	17 users (show)

See Also:
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Story Points:	---
Clone Of:
Environment:
Last Closed:	2017-05-04 01:37:15 EDT
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Groups: None (edit)

Description Summer Long 2017-05-02 00:50:47 EDT

Denial of Service attack when the switch rejects receiving packets from the controller. This vulnerability affects OpenDaylight's odl-l2switch-switch, which is the feature responsible for the OpenFlow communication. 

From thesis: https://aaltodoc.aalto.fi/bitstream/handle/123456789/21584/master_Bidaj_Andi_2016.pdf?sequence=1
Vulnerability 1: The exploit connects to the OpenDaylight controller running in localhost, port 6653, and sends 100 000 OpenFlow hello packets. Afterwards, the sender closes the stream. The controller tries to send a hello packet for each connection, but the malicious script does not receive any data because stream.recv() is missing. The thread that manages the connection with the exploit does not terminate immediately after the stream is closed. As a result, the number of threads of the controller process grows exponentially until it reaches the maximum number of threads allowed in the running machine (around 32000 threads in our case). Subsequently, the controller crashes.

Comment 1 Summer Long 2017-05-02 00:51:08 EDT

External References:

https://aaltodoc.aalto.fi/bitstream/handle/123456789/21584/master_Bidaj_Andi_2016.pdf?sequence=1

Comment 2 Summer Long 2017-05-02 00:54:52 EDT

Acknowledgments:

Name: OpenDaylight project

Comment 3 Summer Long 2017-05-04 01:30:49 EDT

Created opendaylight tracking bugs for this issue:

Affects: openstack-rdo [bug 1447861]

Comment 4 Summer Long 2017-05-04 01:34:37 EDT

Statement: 

Because the odl-l2switch-switch feature has never been packaged for Red Hat OpenStack Platform, this flaw does not affect any RHOSP version.

Note You need to log in before you can comment on or make changes to this bug.