AAA-40

[SECURITY] SQLite: memory corruption leading to DoS and possible code execution CVE-2015-3414 and CVE-2015-3416


Details

    • Bug
    • Status: Resolved
    • Resolution: Done
    • General
    • Operating System: All
      Platform: All

    • 3856

    Description

      The Helium release of AAA uses SQL statements prepared using string concatenation of user-supplied variables. This theoretically exposes an SQL injection vulnerability, but testing has revealed no cases that could cross a trust boundary and be useful to an attacker. However, as a result of allowing users to directly manipulate SQL statements, AAA exposes two underlying vulnerabilities in SQLite:

      https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3414
      https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3416

      Another vulnerability in SQLite was also reported:

      https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3415

      However, AAA does not expose this vulnerability, because exploiting it relies on injection of DDL, and AAA only allows an attacker to inject DML.

      To resolve these vulnerabilities, we need to either switch to using prepared statements, or upgrade SQLite to a patched version, preferably both. The Lithium release uses prepared statements and is not vulnerable.
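The difference between the two statement styles described above, as an added example that is not code from AAA or from this issue: with concatenation the caller's text is handed to SQLite's SQL parser, while with a prepared statement the statement text is fixed and the value is bound as data. Python's built-in `sqlite3` module is used for illustration; the table, column and function names and the sample rows are constructed.

```python
import sqlite3

def make_db():
    """In-memory store with constructed sample rows (hypothetical schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("admin", "admin"), ("alice", "user"), ("o'neil", "user")])
    return conn

def lookup_concat(conn, name):
    """'Before' pattern: the caller's text becomes part of the statement,
    so SQLite's parser processes whatever the caller sends."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    try:
        return sql, conn.execute(sql).fetchall()
    except sqlite3.Error as exc:
        # A legitimate value containing a quote already breaks the statement.
        return sql, exc

def lookup_prepared(conn, name):
    """'After' pattern: fixed statement text; the value is bound as data
    and is never interpreted as SQL syntax."""
    sql = "SELECT name, role FROM users WHERE name = ?"
    return sql, conn.execute(sql, (name,)).fetchall()

if __name__ == "__main__":
    conn = make_db()
    # Constructed inputs: a plain name, a legitimate name containing a quote,
    # and text that changes the WHERE clause when concatenated.
    for value in ("alice", "o'neil", "nobody' OR '1'='1"):
        print(repr(value))
        print("  concat  :", lookup_concat(conn, value))
        print("  prepared:", lookup_prepared(conn, value))
```

The prepared form returns the same statement text for every input, which is why it keeps user-supplied values away from the SQLite parser regardless of the SQLite version in use.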

          People

            Unassigned Unassigned
            david.jorm@gmail.com David Jorm