Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

nvd логотип

CVE-2017-1000411

Опубликовано: 31 янв. 2018
Источник: nvd
CVSS3: 7.5
CVSS2: 5
EPSS Низкий

Описание

OpenFlow Plugin and OpenDayLight Controller versions Nitrogen, Carbon, Boron, Robert Varga, Anil Vishnoi contain a flaw when multiple 'expired' flows take up the memory resource of CONFIG DATASTORE which leads to CONTROLLER shutdown. If multiple different flows with 'idle-timeout' and 'hard-timeout' are sent to the Openflow Plugin REST API, the expired flows will eventually crash the controller once its resource allocations set with the JVM size are exceeded. Although the installed flows (with timeout set) are removed from network (and thus also from controller's operations DS), the expired entries are still present in CONFIG DS. The attack can originate both from NORTH or SOUTH. The above description is for a north bound attack. A south bound attack can originate when an attacker attempts a flow flooding attack and since flows come with timeouts, the attack is not successful. However, the attacker will now be successful in CONTROLLER overflow attack (resource consumption). Although, t

Ссылки

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:opendaylight:opendaylight:boron:*:*:*:*:*:*:*
cpe:2.3:a:opendaylight:opendaylight:carbon:*:*:*:*:*:*:*
cpe:2.3:a:opendaylight:opendaylight:nitrogen:*:*:*:*:*:*:*
Конфигурация 2

Одно из

cpe:2.3:a:opendaylight:openflow:boron:*:*:*:*:opendaylight:*:*
cpe:2.3:a:opendaylight:openflow:carbon:*:*:*:*:opendaylight:*:*
cpe:2.3:a:opendaylight:openflow:nitrogen:*:*:*:*:opendaylight:*:*

EPSS

Процентиль: 76%
0.00931
Низкий

7.5 High

CVSS3

5 Medium

CVSS2

Дефекты

CWE-404

Связанные уязвимости

redhat логотип

CVE-2017-1000411

CVSS3: 5.7
redhat
около 8 лет назад

OpenFlow Plugin and OpenDayLight Controller versions Nitrogen, Carbon, Boron, Robert Varga, Anil Vishnoi contain a flaw when multiple 'expired' flows take up the memory resource of CONFIG DATASTORE which leads to CONTROLLER shutdown. If multiple different flows with 'idle-timeout' and 'hard-timeout' are sent to the Openflow Plugin REST API, the expired flows will eventually crash the controller once its resource allocations set with the JVM size are exceeded. Although the installed flows (with timeout set) are removed from network (and thus also from controller's operations DS), the expired entries are still present in CONFIG DS. The attack can originate both from NORTH or SOUTH. The above description is for a north bound attack. A south bound attack can originate when an attacker attempts a flow flooding attack and since flows come with timeouts, the attack is not successful. However, the attacker will now be successful in CONTROLLER overflow attack (resource consumption). Although...

github логотип

GHSA-wrhh-rh53-55jj

CVSS3: 7.5
github
больше 3 лет назад

OpenFlow Plugin and OpenDayLight Controller versions Nitrogen, Carbon, Boron, Robert Varga, Anil Vishnoi contain a flaw when multiple 'expired' flows take up the memory resource of CONFIG DATASTORE which leads to CONTROLLER shutdown. If multiple different flows with 'idle-timeout' and 'hard-timeout' are sent to the Openflow Plugin REST API, the expired flows will eventually crash the controller once its resource allocations set with the JVM size are exceeded. Although the installed flows (with timeout set) are removed from network (and thus also from controller's operations DS), the expired entries are still present in CONFIG DS. The attack can originate both from NORTH or SOUTH. The above description is for a north bound attack. A south bound attack can originate when an attacker attempts a flow flooding attack and since flows come with timeouts, the attack is not successful. However, the attacker will now be successful in CONTROLLER overflow attack (resource consumption). Although...

EPSS

Процентиль: 76%
0.00931
Низкий

7.5 High

CVSS3

5 Medium

CVSS2

Дефекты

CWE-404