Details
Low Description
Hello,
I am writing to report a vulnerability in one of the components of Opendaylight, aaa.
With this bug, attackers can SQL inject the component's database(SQLite).
The bug is in /aaa-idm-store-h2/src/main/java/org/opendaylight/aaa/datastore/h2/DomainStore.java (deleteDomain function).
As we can see, the aaa concats domainid information to build a delete SQL query, and it executes the query in SQLite.
However, in line 197, the domainid(escaped) is a string. If the user calls the api interface /auth/v1/domains/ to add a malicious domain, and then calls the deleteDomain function to delete the domain, it will cause SQL injection.
For example, he can call the api interface /auth/v1/domains/ with POST method, it will call the createDomain function to add a domain. If the domain name is:
' or 1=1--+
Then call the api interface /auth/v1/domains/' or 1=1--+ with DELETE method, it will call the deleteDomain function to delete the domain. And the SQL query is:
DELETE FROM AAA_DOMAINS WHERE domainid = ‘’ or 1=1—+’
And all the elements in the AAA_DOMAINS table are removed due to this malicious query.
Please consider fixing this security vulnerability as soon as possible.
Best wishes,
Chunyang Han
Attachments
| # | Subject | Branch | Project | Status | CR | V |
|---|---|---|---|---|---|---|
| 103242,1 | Use prepareStatement() in DomainStore.deleteDomain() | master | aaa | Status: MERGED | +2 | +1 |
| 103247,1 | Use prepareStatement() in DomainStore.deleteDomain() | 0.16.x | aaa | Status: MERGED | +2 | +1 |
| 103271,1 | Use prepareStatement() in DomainStore.deleteDomain() | 0.15.x | aaa | Status: MERGED | +2 | +1 |
