Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Date: Fri, 18 May 2018 14:04:23 +0100
From: Luke Hinds <>
To: oss-security <>
Subject: [opendaylight-security-note]: SDNInterfaceapp SQL injection

OpenDayLight Security Note

cve: CVE-2018-1132


advisory-date: 18/05/18


SQL injection in the component database(SQLite) without authenticating
to the controller or SDNInterfaceapp.


Feng Xiao and Jianwei Huang from Wuhan University discovered a
vulnerability in SDNInterfaceapp (SDNI).

Attackers can SQL inject the component's database(SQLite) without
authenticating to the controller or SDNInterfaceapp.

The bug can be found in
(line 373~391)

The SDNI concats port information to build an insert SQL query, and it
executes the query in SQLite.

However, in line 386, the portName is a string that can be customized by
switches. Since SQLite supports multiple sql queries in one run,
attackers can customize the port name to inject another SQL if they
compromise or forge a switch.

For example, set portName as:
");drop table NAME;//

Recommended Actions

The SDNI project is no longer maintained nor developed since the Carbon
release of OpenDayLight and as the aforementioned vulnerability was
reported after Carbons last service release (SR4) was shipped, the
decision was made to not release a patch.

The security team instead recommends that users upgrade to a later release.

Luke Hinds
OpenDayLight Security Manager

Download attachment "signature.asc" of type "application/pgp-signature" (489 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.