#security-status: confirmed

Please Note: This issue is a possible security vulnerability, do not discuss outside of this Jira or stage any patches on gerrit until the embargo process reaches that stage.
 
I am Feng Xiao and Jianwei Huang, from Wuhan University.
I am writing to report a vulnerability in one of the components of Opendaylight, SDNInterfaceapp (SDNI).
With this bug, attackers can SQL inject the component's database(SQLite)  without authenticating to the controller or SDNInterfaceapp.
 
The bug is in /impl/src/main/java/org/opendaylight/sdninterfaceapp/impl/database/SdniDataBase.java (line 373~391)
 
As we can see, the SDNI concats port information to build an insert SQL query, and it executes the query in SQLite.
However, in line 386, the portName is a string that can be customized by switches. Since SQLite supports multiple sql queries in one run,
attackers can customize the port name to inject another SQL if they compromise or forge a switch.
 
For example, he can set portName as:
");drop table NAME;//