1533501 – (CVE-2018-1078) CVE-2018-1078 opendaylight: Insecure behavior in node reconciliation process

Bug 1533501 (CVE-2018-1078) - CVE-2018-1078 opendaylight: Insecure behavior in node reconciliation process

Summary: CVE-2018-1078 opendaylight: Insecure behavior in node reconciliation process

Keywords:
Status:	CLOSED WONTFIX
Alias:	CVE-2018-1078
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Duplicates (1):	1555473 (view as bug list)
Depends On:
Blocks:	1530427 1533502 1555485
TreeView+	depends on / blocked

Reported:	2018-01-11 14:13 UTC by Pedro Sampaio
Modified:	2021-02-17 01:00 UTC (History)
CC List:	19 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:	It was found that all flows, including active and inactive, in the config datastore are installed back in the switch upon reconnection, as part of the node reconciliation process in OpenDayLight. This may lead to denial of service via table overflow or possibly circumventing of the controller's control.
Clone Of:
Environment:
Last Closed:	2019-04-08 10:23:06 UTC
Embargoed:

Attachments	(Terms of Use)

Description Pedro Sampaio 2018-01-11 14:13:01 UTC

It was found that all the flows, including active and inactive, in the config datastore are installed back in switch upon reconnection, as part of the node reconciliation process in OpenDayLight. This may lead to denial of service via table overflow or possibly circumventiagn of controller's control.

Comment 1 Josh Hershberg 2018-01-15 09:53:12 UTC

Can you please specify how this could cause a DoS? The reconciliation process does push all flows to the switch but it is not additive. After reconciliation the switch will have only the flows that ODL wants it to have and no more. Or am I missing something?

Comment 3 Joshua Padman 2018-01-18 11:49:09 UTC

Acknowledgments:

Name: Vaibhav Hemant Dixit (Arizona State University)

Comment 4 Garth Mollett 2018-03-14 23:59:45 UTC

*** Bug 1555473 has been marked as a duplicate of this bug. ***

Comment 5 Sam Fowler 2018-03-19 02:23:26 UTC

Upstream Issue:

https://jira.opendaylight.org/browse/OPNFLWPLUG-971

Comment 6 Joshua Padman 2019-04-08 10:23:06 UTC

There is currently no resolution upstream and it seems unlikely there will be a resolution. OpenDaylight was technical preview prior to OpenStack 13 and will be deprecated in OpenStack 14.
Refer to the following URL for more information about the deprecation of OpenDaylight.
https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/14/html-single/release_notes/index#deprecated_functionality

Note You need to log in before you can comment on or make changes to this bug.