CVSS: 7.5EPSS: 0%CPEs: 6EXPL: 0CVE-2017-1000411
https://notcve.org/view.php?id=CVE-2017-1000411
OpenFlow Plugin and OpenDayLight Controller versions Nitrogen, Carbon, Boron, Robert Varga, Anil Vishnoi contain a flaw when multiple 'expired' flows take up the memory resource of CONFIG DATASTORE which leads to CONTROLLER shutdown. If multiple different flows with 'idle-timeout' and 'hard-timeout' are sent to the Openflow Plugin REST API, the expired flows will eventually crash the controller once its resource allocations set with the JVM size are exceeded. Although the installed flows (with timeout set) are removed from network (and thus also from controller's operations DS), the expired entries are still present in CONFIG DS. The attack can originate both from NORTH or SOUTH. The above description is for a north bound attack. • http://seclists.org/oss-sec/2018/q1/52 http://www.securityfocus.com/bid/102736 • CWE-404: Improper Resource Shutdown or Release •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2015-1778
https://notcve.org/view.php?id=CVE-2015-1778
The custom authentication realm used by karaf-tomcat's "opendaylight" realm in Opendaylight before Helium SR3 will authenticate any username and password combination. La autenticación personalizada realm utilizada por karaf-tomcat "opendaylight" en Opendaylight antes Helium SR3 autenticará cualquier nombre de usuario y combinación de contraseña. • http://www.openwall.com/lists/oss-security/2015/03/20/3 http://www.securityfocus.com/bid/73255 https://cloudrouter.org/security https://wiki.opendaylight.org/view/Security_Advisories • CWE-287: Improper Authentication •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 1CVE-2017-1000357
https://notcve.org/view.php?id=CVE-2017-1000357
Denial of Service attack when the switch rejects to receive packets from the controller. Component: This vulnerability affects OpenDaylight odl-l2switch-switch, which is the feature responsible for the OpenFlow communication. Version: OpenDaylight versions 3.3 (Lithium-SR3), 3.4 (Lithium-SR4), 4.0 (Beryllium), 4.1 (Beryllium-SR1), 4.2 (Beryllium-SR2), and 4.4 (Beryllium-SR4) are affected by this flaw. Java version is openjdk version 1.8.0_91. Un ataque de Denegación de Servicio cuando el switch rechaza recibir paquetes desde el controlador. • https://aaltodoc.aalto.fi/bitstream/handle/123456789/21584/master_Bidaj_Andi_2016.pdf • CWE-400: Uncontrolled Resource Consumption •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 1CVE-2017-1000358
https://notcve.org/view.php?id=CVE-2017-1000358
Controller throws an exception and does not allow user to add subsequent flow for a particular switch. Component: OpenDaylight odl-restconf feature contains this flaw. Version: OpenDaylight 4.0 is affected by this flaw. El controlador lanza una excepción y no permite al usuario agregar flujo posterior para un switch en particular. Componente: La característica OpenDaylight odl-restconf contiene este fallo. • https://aaltodoc.aalto.fi/bitstream/handle/123456789/21584/master_Bidaj_Andi_2016.pdf • CWE-476: NULL Pointer Dereference •
CVSS: 5.3EPSS: 0%CPEs: 2EXPL: 1CVE-2017-1000359
https://notcve.org/view.php?id=CVE-2017-1000359
Java out of memory error and significant increase in resource consumption. Component: OpenDaylight odl-mdsal-xsql is vulnerable to this flaw. Version: The tested versions are OpenDaylight 3.3 and 4.0. Error de falta de memoria en Java y aumento significativo en el consumo de recursos. Componente: OpenDaylight odl-mdsal-xsql es vulnerable a este fallo. • https://aaltodoc.aalto.fi/bitstream/handle/123456789/21584/master_Bidaj_Andi_2016.pdf • CWE-400: Uncontrolled Resource Consumption •