Date: Wed, 25 Nov 2015 20:14:56 -0700 From: Kurt Seifried <kseifried@...hat.com> To: David Jorm <david.jorm@...il.com> Cc: oss-security <oss-security@...ts.openwall.com>, CVE ID Requests <cve-assign@...re.org> Subject: Re: CVE request: DoS in ONOS when handling jumbo ethernet frames On Tue, Nov 24, 2015 at 10:19 AM, David Jorm <david.jorm@...il.com> wrote: > It was found that ONOS would throw exceptions when handling jumbo ethernet > frames. The exceptions were not caught and handled, so a remote > unauthenticated attacker could use this flaw to perform a denial-of-service > attack against an ONOS system. > > To exploit this issue, the attacker must be able to send a jumbo ethernet > frame to a switch controlled by ONOS. Only the connection between the > controller and the switch generating the packet-in message of the malicious > packet will be affected (disconnected). More details are available here: > > https://jira.onosproject.org/browse/ONOS-3349 > > An advisory is now live with no CVE ID: > > https://wiki.onosproject.org/display/ONOS/Security+advisories > > Please assign a CVE ID to this issue. A request was sent to MITRE > directly 9 days ago with no answer. We need a CVE ID within the next 24 > hours. > > Thanks > David Jorm on behalf of the ONOS security response team > Adding Mitre to CC to make sure we don't end up with a duplicate. Please use CVE-2015-7516 for this issue. Happy Thanksgiving all! -- Kurt Seifried -- Red Hat -- Product Security -- Cloud PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993 Red Hat Product Security contact: secalert@...hat.com
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ