Date: Fri, 18 May 2018 14:04:23 +0100 From: Luke Hinds <lhinds@...hat.com> To: oss-security <oss-security@...ts.openwall.com> Subject: [opendaylight-security-note]: SDNInterfaceapp SQL injection OpenDayLight Security Note cve: CVE-2018-1132 jira: https://jira.opendaylight.org/browse/SDNINTRFAC-14 advisory-date: 18/05/18 Summary ------- SQL injection in the component database(SQLite) without authenticating to the controller or SDNInterfaceapp. Discussion ---------- Feng Xiao and Jianwei Huang from Wuhan University discovered a vulnerability in SDNInterfaceapp (SDNI). Attackers can SQL inject the component's database(SQLite) without authenticating to the controller or SDNInterfaceapp. The bug can be found in /impl/src/main/java/org/opendaylight/sdninterfaceapp/impl/database/SdniDataBase.java (line 373~391) The SDNI concats port information to build an insert SQL query, and it executes the query in SQLite. However, in line 386, the portName is a string that can be customized by switches. Since SQLite supports multiple sql queries in one run, attackers can customize the port name to inject another SQL if they compromise or forge a switch. For example, set portName as: ");drop table NAME;// Recommended Actions ------------------- The SDNI project is no longer maintained nor developed since the Carbon release of OpenDayLight and as the aforementioned vulnerability was reported after Carbons last service release (SR4) was shipped, the decision was made to not release a patch. The security team instead recommends that users upgrade to a later release. Luke Hinds OpenDayLight Security Manager Download attachment "signature.asc" of type "application/pgp-signature" (489 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.