exploitDog

CVE-2018-1000155

Published: 09 May 2018
Source: redhat
CVSS3: 5.9
EPSS: Low

Description

OpenFlow version 1.0 onwards contains a Denial of Service and Improper Authorization vulnerability in the OpenFlow handshake: the DPID (DataPath IDentifier) in the features_reply message is inherently trusted by the controller. This can result in Denial of Service, Unauthorized Access, and Network Instability. The attack appears to be exploitable via network connectivity: the attacker must first establish a transport connection with the OpenFlow controller and then initiate the OpenFlow handshake.

Mitigation

Enable TLS in the OpenFlow plugin. The upstream documentation is a useful resource: https://wiki.opendaylight.org/view/OpenDaylight_OpenFlow_Plugin:_TLS_Support

Affected packages

| Platform | Package | State | Recommendation | Release |
| Red Hat OpenStack Platform 10 (Newton) | opendaylight | Will not fix | | |
| Red Hat OpenStack Platform 11 (Ocata) | opendaylight | Will not fix | | |
| Red Hat OpenStack Platform 12 (Pike) | opendaylight | Will not fix | | |
| Red Hat OpenStack Platform 13 (Queens) | opendaylight | Will not fix | | |
| Red Hat OpenStack Platform 8 (Liberty) | opendaylight | Will not fix | | |
| Red Hat OpenStack Platform 9 (Mitaka) | opendaylight | Will not fix | | |

Additional information

Status: Moderate
Defect: CWE-287
https://bugzilla.redhat.com/show_bug.cgi?id=1578652
openflow: Denial of Service, Improper Authentication and Authorization, and Covert Channel in the OpenFlow handshake

EPSS

Percentile: 64%
0.00475
Low

5.9 Medium

CVSS3

Related vulnerabilities

CVSS3: 9.8
nvd
more than 7 years ago

OpenFlow version 1.0 onwards contains a Denial of Service and Improper Authorization vulnerability in the OpenFlow handshake: the DPID (DataPath IDentifier) in the features_reply message is inherently trusted by the controller. This can result in Denial of Service, Unauthorized Access, and Network Instability. The attack appears to be exploitable via network connectivity: the attacker must first establish a transport connection with the OpenFlow controller and then initiate the OpenFlow handshake.

CVSS3: 9.8
github
more than 3 years ago

OpenFlow version 1.0 onwards contains a Denial of Service and Improper Authorization vulnerability in the OpenFlow handshake: the DPID (DataPath IDentifier) in the features_reply message is inherently trusted by the controller. This can result in Denial of Service, Unauthorized Access, and Network Instability. The attack appears to be exploitable via network connectivity: the attacker must first establish a transport connection with the OpenFlow controller and then initiate the OpenFlow handshake.
