Date: Tue, 24 Nov 2015 09:19:33 -0800
From: David Jorm <david.jorm@...il.com>
To: oss-security@...ts.openwall.com
Cc: Kurt Seifried <kseifried@...hat.com>
Subject: CVE request: DoS in ONOS when handling jumbo ethernet frames

It was found that ONOS would throw exceptions when handling jumbo ethernet
frames. The exceptions were not caught and handled, so a remote
unauthenticated attacker could use this flaw to perform a denial-of-service
attack against an ONOS system.

To exploit this issue, the attacker must be able to send a jumbo ethernet
frame to a switch controlled by ONOS. Only the connection between the
controller and the switch generating the packet-in message of the malicious
packet will be affected (disconnected). More details are available here:

https://jira.onosproject.org/browse/ONOS-3349

An advisory is now live with no CVE ID:

https://wiki.onosproject.org/display/ONOS/Security+advisories

Please assign a CVE ID to this issue. A request was sent to MITRE directly
9 days ago with no answer. We need a CVE ID within the next 24 hours.

Thanks
David Jorm on behalf of the ONOS security response team
