A flaw was found in Opendaylight's SDNInterfaceapp (SDNI). Attackers can SQL inject the component's database(SQLite) without authenticating to the controller or SDNInterfaceapp.
The bug is in /impl/src/main/java/org/opendaylight/sdninterfaceapp/impl/database/SdniDataBase.java (line 373~391)
Audited opendaylight packaging, and we don't include this component in our packages for opendaylight.
The ODL module implicated in this CVE (org.opendaylight.sdninterfaceapp.*) would only be present on RHOSP OpenDayLight if manually installed via karaf, which is outside of our control.
Reviewing the source code mentioned, input to the SQL query on line 377 is clearly not being sanitised - based on a review of the parameters being included in the SQL query, outside manipulation of these variables seems unlikely, and the difficulty to exploit, high. The parameters in question are being exchanged between federated OpenDayLight installs, so the level of trust required is higher than general network access.
Marking notaffected based on this code not being packaged.
A patch will not be released for this flaw, given the component is not part of RHOSP. The upstream project has made this flaw public, and stated that a patch will not be released due to the component being deprecated from the Carbon release onwards.
Name: Feng Xiao (Wuhan University), Jianwei Huang (Wuhan University)
SDNInterface has been deprecated in OpenDayLight since it was last used in the final Carbon series release. In addition to the component not being included in OpenDayLight in newer releases, the SDNInterface component is not included in the RHOSP package for opendaylight