CVE-2018-1078
https://notcve.org/view.php?id=CVE-2018-1078
OpenDayLight version Carbon SR3 and earlier contain a vulnerability during node reconciliation that can result in traffic flows that should be expired or should expire shortly being re-installed and their timers reset resulting in traffic being allowed that should be expired. OpenDayLight, en versiones Carbon SR3 y anteriores, contiene una vulnerabilidad durante la reconciliación de nodos que puede resultar en flujos de tráfico que deberían estar caducados o deberían hacerlo en breves se reinstalen y resulten en la permisión de tráfico que debería estar caducado. • https://bugzilla.redhat.com/show_bug.cgi?id=1533501 https://jira.opendaylight.org/browse/OPNFLWPLUG-971 • CWE-20: Improper Input Validation •
CVE-2017-1000411
https://notcve.org/view.php?id=CVE-2017-1000411
OpenFlow Plugin and OpenDayLight Controller versions Nitrogen, Carbon, Boron, Robert Varga, Anil Vishnoi contain a flaw when multiple 'expired' flows take up the memory resource of CONFIG DATASTORE which leads to CONTROLLER shutdown. If multiple different flows with 'idle-timeout' and 'hard-timeout' are sent to the Openflow Plugin REST API, the expired flows will eventually crash the controller once its resource allocations set with the JVM size are exceeded. Although the installed flows (with timeout set) are removed from network (and thus also from controller's operations DS), the expired entries are still present in CONFIG DS. The attack can originate both from NORTH or SOUTH. The above description is for a north bound attack. • http://seclists.org/oss-sec/2018/q1/52 http://www.securityfocus.com/bid/102736 • CWE-404: Improper Resource Shutdown or Release •
CVE-2015-1612
https://notcve.org/view.php?id=CVE-2015-1612
OpenFlow plugin for OpenDaylight before Helium SR3 allows remote attackers to spoof the SDN topology and affect the flow of data, related to the reuse of LLDP packets, aka "LLDP Relay." Plugin OpenFlow para OpenDaylight en versiones anteriores a Helium SR3 permite a atacantes remotos falsificar la topología SDN y afectar al flujo de datos, relacionados con la reutilización de los paquetes LLDP, también conocido como "LLDP Relay". • http://www.internetsociety.org/sites/default/files/10_4_2.pdf http://www.securityfocus.com/bid/73254 https://cloudrouter.org/security https://git.opendaylight.org/gerrit/#/c/16193 https://git.opendaylight.org/gerrit/#/c/16208 https://wiki.opendaylight.org/view/Security_Advisories#.5BModerate.5D_CVE-2015-1611_CVE-2015-1612_openflowplugin:_topology_spoofing_via_LLDP • CWE-20: Improper Input Validation •
CVE-2015-1611
https://notcve.org/view.php?id=CVE-2015-1611
OpenFlow plugin for OpenDaylight before Helium SR3 allows remote attackers to spoof the SDN topology and affect the flow of data, related to "fake LLDP injection." Plugin OpenFlow para OpenDaylight en versiones anteriores a Helium SR3 permite a atacantes remotos falsificar la topología SDN y afectar al flujo de datos, relacionados con "falsa inyección LLDP". • http://www.internetsociety.org/sites/default/files/10_4_2.pdf http://www.securityfocus.com/bid/73254 https://cloudrouter.org/security https://git.opendaylight.org/gerrit/#/c/16193 https://git.opendaylight.org/gerrit/#/c/16208 https://wiki.opendaylight.org/view/Security_Advisories#.5BModerate.5D_CVE-2015-1611_CVE-2015-1612_openflowplugin:_topology_spoofing_via_LLDP • CWE-20: Improper Input Validation •