Bug 1576947 (CVE-2018-1132) - CVE-2018-1132 Opendaylight: SDNInterfaceapp SQL Injection
Summary: CVE-2018-1132 Opendaylight: SDNInterfaceapp SQL Injection
Status: CLOSED NOTABUG
Alias: CVE-2018-1132
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=low,public=20180519,reported=2...
Keywords: Security
Depends On:
Blocks: 1576948
TreeView+ depends on / blocked
 
Reported: 2018-05-10 19:47 UTC by Pedro Sampaio
Modified: 2019-06-11 11:13 UTC (History)
15 users (show)

(edit)
A flaw was found in Opendaylight's SDNInterfaceapp (SDNI). Attackers can SQL inject the component's database (SQLite) without authenticating to the controller or SDNInterfaceapp.
Clone Of:
(edit)
Last Closed: 2019-06-10 10:22:40 UTC


Attachments (Terms of Use)

Description Pedro Sampaio 2018-05-10 19:47:31 UTC
A flaw was found in Opendaylight's SDNInterfaceapp (SDNI). Attackers can SQL inject the component's database(SQLite) without authenticating to the controller or SDNInterfaceapp.

The bug is in /impl/src/main/java/org/opendaylight/sdninterfaceapp/impl/database/SdniDataBase.java (line 373~391)

Comment 1 James Hebden 2018-05-11 04:13:40 UTC
Audited opendaylight packaging, and we don't include this component in our packages for opendaylight. 

The ODL module implicated in this CVE (org.opendaylight.sdninterfaceapp.*) would only be present on RHOSP OpenDayLight if manually installed via karaf, which is outside of our control.

Reviewing the source code mentioned, input to the SQL query on line 377 is clearly not being sanitised - based on a review of the parameters being included in the SQL query, outside manipulation of these variables seems unlikely, and the difficulty to exploit, high. The parameters in question are being exchanged between federated OpenDayLight installs, so the level of trust required is higher than general network access.

Marking notaffected based on this code not being packaged.

Comment 2 James Hebden 2018-05-22 05:11:07 UTC
A patch will not be released for this flaw, given the component is not part of RHOSP. The upstream project has made this flaw public, and stated that a patch will not be released due to the component being deprecated from the Carbon release onwards.

Comment 3 James Hebden 2018-05-22 10:47:19 UTC
Acknowledgments:

Name: Feng Xiao (Wuhan University), Jianwei Huang (Wuhan University)

Comment 4 James Hebden 2018-05-22 10:47:29 UTC
Statement:

SDNInterface has been deprecated in OpenDayLight since it was last used in the final Carbon series release. In addition to the component not being included in OpenDayLight in newer releases, the SDNInterface component is not included in the RHOSP package for opendaylight

Comment 5 James Hebden 2018-05-22 10:47:38 UTC
External References:

https://jira.opendaylight.org/browse/SDNINTRFAC-14


Note You need to log in before you can comment on or make changes to this bug.