Denial of Service in OpenDaylight (adding flows). Controller throws an exception and does not allow user to add subsequent flows for a particular switch. From thesis: https://aaltodoc.aalto.fi/bitstream/handle/123456789/21584/master_Bidaj_Andi_2016.pdf?sequence=1 Vulnerability 2: The exploit sends several equal REST API requests to add [a flow]. The first requests are successful and the controller returns the transaction ID. After a certain number of successful requests, the controller returns the stack trace of a NullPointerException in the HTTP response. Afterwards, the user is not able to add flows to the same switch, unless the controller is restarted.
Acknowledgments: Name: OpenDaylight project Upstream: Andi Bidaj
Created opendaylight tracking bugs for this issue: Affects: openstack-rdo [bug 1447863]
Mitigation from upstream: https://wiki.opendaylight.org/view/Security_Advisories Ensuring that only restricted users can add flows to devices and that they do not repeatedly add the same flow should minimize or eliminate risk of the attack.
Statement: This issue affects OpenDaylight in Red Hat OpenStack Platform 12.0 (Pike). However, OpenDaylight is only supported in segregated management networks; by default, at worst, this flaw would only be exposed on an admin network. For this reason, Red Hat Product Security has rated this issue as having security impact of Low. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.