{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "dateAssigned": "2017-12-27T00:00:00", "datePublic": "2018-01-16T00:00:00", "descriptions": [{"lang": "en", "value": "OpenFlow Plugin and OpenDayLight Controller versions Nitrogen, Carbon, Boron, Robert Varga, Anil Vishnoi contain a flaw when multiple 'expired' flows take up the memory resource of CONFIG DATASTORE which leads to CONTROLLER shutdown. If multiple different flows with 'idle-timeout' and 'hard-timeout' are sent to the Openflow Plugin REST API, the expired flows will eventually crash the controller once its resource allocations set with the JVM size are exceeded. Although the installed flows (with timeout set) are removed from network (and thus also from controller's operations DS), the expired entries are still present in CONFIG DS. The attack can originate both from NORTH or SOUTH. The above description is for a north bound attack. A south bound attack can originate when an attacker attempts a flow flooding attack and since flows come with timeouts, the attack is not successful. However, the attacker will now be successful in CONTROLLER overflow attack (resource consumption). Although, the network (actual flow tables) and operational DS are only (~)1% occupied, the controller requests for resource consumption. This happens because the installed flows get removed from the network upon timeout."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-02-01T10:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "[oss-security] 20180116 opendaylight-advisory: Multiple \"expired\" flows consume the memory resource of CONFIG DS", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://seclists.org/oss-sec/2018/q1/52"}, {"name": "102736", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/102736"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "DATE_ASSIGNED": "2017-12-27", "ID": "CVE-2017-1000411", "REQUESTER": "lhinds@redhat.com", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "OpenFlow Plugin and OpenDayLight Controller versions Nitrogen, Carbon, Boron, Robert Varga, Anil Vishnoi contain a flaw when multiple 'expired' flows take up the memory resource of CONFIG DATASTORE which leads to CONTROLLER shutdown. If multiple different flows with 'idle-timeout' and 'hard-timeout' are sent to the Openflow Plugin REST API, the expired flows will eventually crash the controller once its resource allocations set with the JVM size are exceeded. Although the installed flows (with timeout set) are removed from network (and thus also from controller's operations DS), the expired entries are still present in CONFIG DS. The attack can originate both from NORTH or SOUTH. The above description is for a north bound attack. A south bound attack can originate when an attacker attempts a flow flooding attack and since flows come with timeouts, the attack is not successful. However, the attacker will now be successful in CONTROLLER overflow attack (resource consumption). Although, the network (actual flow tables) and operational DS are only (~)1% occupied, the controller requests for resource consumption. This happens because the installed flows get removed from the network upon timeout."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "[oss-security] 20180116 opendaylight-advisory: Multiple \"expired\" flows consume the memory resource of CONFIG DS", "refsource": "MLIST", "url": "http://seclists.org/oss-sec/2018/q1/52"}, {"name": "102736", "refsource": "BID", "url": "http://www.securityfocus.com/bid/102736"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T22:00:41.233Z"}, "title": "CVE Program Container", "references": [{"name": "[oss-security] 20180116 opendaylight-advisory: Multiple \"expired\" flows consume the memory resource of CONFIG DS", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://seclists.org/oss-sec/2018/q1/52"}, {"name": "102736", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/102736"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2017-1000411", "datePublished": "2018-01-31T14:00:00", "dateReserved": "2017-12-28T00:00:00", "dateUpdated": "2024-08-05T22:00:41.233Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:opendaylight:opendaylight:boron:*:*:*:*:*:*:*", "matchCriteriaId": "29365419-EF46-48C0-B986-A7433BED2C23", "vulnerable": true}, {"criteria": "cpe:2.3:a:opendaylight:opendaylight:carbon:*:*:*:*:*:*:*", "matchCriteriaId": "84FF78D8-7F1C-4327-B6E6-B2D06ED6B7B1", "vulnerable": true}, {"criteria": "cpe:2.3:a:opendaylight:opendaylight:nitrogen:*:*:*:*:*:*:*", "matchCriteriaId": "A724686D-14A6-4405-8E88-36F132EE409E", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:opendaylight:openflow:boron:*:*:*:*:opendaylight:*:*", "matchCriteriaId": "581C9FFB-16ED-4F7C-ACBF-F33ACAB47DE3", "vulnerable": true}, {"criteria": "cpe:2.3:a:opendaylight:openflow:carbon:*:*:*:*:opendaylight:*:*", "matchCriteriaId": "ECF06E9B-C2A2-4298-A981-590ED038C3FD", "vulnerable": true}, {"criteria": "cpe:2.3:a:opendaylight:openflow:nitrogen:*:*:*:*:opendaylight:*:*", "matchCriteriaId": "7426B108-9C5C-4983-ABBA-F0285C6C1213", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "OpenFlow Plugin and OpenDayLight Controller versions Nitrogen, Carbon, Boron, Robert Varga, Anil Vishnoi contain a flaw when multiple 'expired' flows take up the memory resource of CONFIG DATASTORE which leads to CONTROLLER shutdown. If multiple different flows with 'idle-timeout' and 'hard-timeout' are sent to the Openflow Plugin REST API, the expired flows will eventually crash the controller once its resource allocations set with the JVM size are exceeded. Although the installed flows (with timeout set) are removed from network (and thus also from controller's operations DS), the expired entries are still present in CONFIG DS. The attack can originate both from NORTH or SOUTH. The above description is for a north bound attack. A south bound attack can originate when an attacker attempts a flow flooding attack and since flows come with timeouts, the attack is not successful. However, the attacker will now be successful in CONTROLLER overflow attack (resource consumption). Although, the network (actual flow tables) and operational DS are only (~)1% occupied, the controller requests for resource consumption. This happens because the installed flows get removed from the network upon timeout."}, {"lang": "es", "value": "OpenFlow Plugin y OpenDayLight Controller, en versiones Nitrogen, Carbon, Boron, Robert Varga y Anil Vishnoi, contienen un error cuando m\u00faltiples flujos \"expirados\" consumen los recursos de memoria de CONFIG DATASTORE, lo que conduce a un cierre de CONTROLLER. Si se env\u00edan m\u00faltiples flujos diferentes con \"idle-timeout\" y \"hard-timeout\" a la API REST de Openflow Plugin, los flujos expirados acabar\u00e1n cerrando el controlador inesperadamente una vez se excedan as asignaciones de memoria establecidas con el tama\u00f1o de la m\u00e1quina virtual Java. Aunque los flujos instalados (con tiempo de espera establecido) se eliminan de la red (y, por lo tanto, tambi\u00e9n del DS de operaciones del controlador), las entradas expiradas siguen presentes en CONFIG DS. El ataque puede surgir tanto de una vertical de arriba como de abajo. La descripci\u00f3n anterior corresponde a un ataque desde arriba. Puede darse un ataque desde abajo cuando un atacante intenta realizar una inundaci\u00f3n de flujos y, ya que los flujos incluyen tiempos de espera, el ataque no tiene \u00e9xito. Sin embargo, el atacante s\u00ed tendr\u00e1 \u00e9xito en un ataque de desbordamiento de CONTROLLER (consumo de recursos). Aunque el DS de red (las tablas de flujo) y de operaciones solo est\u00e1 ocupado en un 1% aproximadamente, el controlador pide consumo de recursos. Esto ocurre debido a que los flujos instalados se eliminan de la red una vez ha pasado el tiempo de espera."}], "id": "CVE-2017-1000411", "lastModified": "2024-11-21T03:04:40.670", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-01-31T14:29:00.420", "references": [{"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://seclists.org/oss-sec/2018/q1/52"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/102736"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://seclists.org/oss-sec/2018/q1/52"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/102736"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-404"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"acknowledgement": "Red Hat would like to thank Vaibhav Hemant Dixit for reporting this issue.", "bugzilla": {"description": "opendaylight: Controller denial-of-service due to \"expired\" flows taking up the memory resource of CONFIG DS", "id": "1519845", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1519845"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.7", "cvss3_scoring_vector": "CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-400", "details": ["OpenFlow Plugin and OpenDayLight Controller versions Nitrogen, Carbon, Boron, Robert Varga, Anil Vishnoi contain a flaw when multiple 'expired' flows take up the memory resource of CONFIG DATASTORE which leads to CONTROLLER shutdown. If multiple different flows with 'idle-timeout' and 'hard-timeout' are sent to the Openflow Plugin REST API, the expired flows will eventually crash the controller once its resource allocations set with the JVM size are exceeded. Although the installed flows (with timeout set) are removed from network (and thus also from controller's operations DS), the expired entries are still present in CONFIG DS. The attack can originate both from NORTH or SOUTH. The above description is for a north bound attack. A south bound attack can originate when an attacker attempts a flow flooding attack and since flows come with timeouts, the attack is not successful. However, the attacker will now be successful in CONTROLLER overflow attack (resource consumption). Although, the network (actual flow tables) and operational DS are only (~)1% occupied, the controller requests for resource consumption. This happens because the installed flows get removed from the network upon timeout.", "Multiple \"expired\" flows consume memory resources of CONFIG DS which leads to Controller shutdown."], "name": "CVE-2017-1000411", "package_state": [{"cpe": "cpe:/a:redhat:openstack:10", "fix_state": "Will not fix", "package_name": "opendaylight", "product_name": "Red Hat OpenStack Platform 10 (Newton)"}, {"cpe": "cpe:/a:redhat:openstack:11", "fix_state": "Will not fix", "package_name": "opendaylight", "product_name": "Red Hat OpenStack Platform 11 (Ocata)"}, {"cpe": "cpe:/a:redhat:openstack:12", "fix_state": "Will not fix", "package_name": "opendaylight", "product_name": "Red Hat OpenStack Platform 12 (Pike)"}, {"cpe": "cpe:/a:redhat:openstack:8", "fix_state": "Will not fix", "package_name": "opendaylight", "product_name": "Red Hat OpenStack Platform 8 (Liberty)"}, {"cpe": "cpe:/a:redhat:openstack:9", "fix_state": "Will not fix", "package_name": "opendaylight", "product_name": "Red Hat OpenStack Platform 9 (Mitaka)"}], "public_date": "2018-01-16T15:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2017-1000411\nhttps://nvd.nist.gov/vuln/detail/CVE-2017-1000411\nhttps://lists.opendaylight.org/pipermail/opendaylight-announce/2018-January/000027.html"], "statement": "OpenDaylight was released as a technical preview in Red Hat Openstack Platform versions 12 and under. Additionally, upstream have released an advisory outlining recommended actions, they will not be patching against this Denial of Service vector.", "threat_severity": "Moderate"}