[AAA-239] SQL injection in the aaa-idm-store-h2 (deleteRole function) Created: 16/Nov/22 Updated: 03/Dec/22 Due: 30/Nov/22 Resolved: 16/Nov/22 |
|
| Status: | Resolved |
| Project: | aaa |
| Component/s: | None |
| Affects Version/s: | 0.15.0, 0.16.0, 0.15.6, 0.16.4 |
| Fix Version/s: | 0.17.0, 0.16.5, 0.15.8 |
| Type: | Bug | Priority: | Low |
| Reporter: | Han Chunyang | Assignee: | Robert Varga |
| Resolution: | Done | Votes: | 0 |
| Labels: | security | ||
| Remaining Estimate: | 4 days | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | 2 weeks | ||
| Environment: |
ubuntu22.04, aaa version 0.17.0 |
||
| Description |
|
Hello, I am writing to report a vulnerability in one of the components of Opendaylight, aaa. With this bug, attackers can SQL inject the component's database(SQLite). The bug is in /aaa-idm-store-h2/src/main/java/org/opendaylight/aaa/datastore/h2/RoleStore.java (deleteRole function). As we can see, the aaa concats roleid information to build a delete SQL query, and it executes the query in SQLite. However, in line 181, the roleid(escaped) is a string. If the user calls the api interface /auth/v1/roles/ to add a malicious role, and then calls the deleteRole function to delete the role, it will cause SQL injection. For example, he can call the api interface /auth/v1/roles/ with POST method, it will call the createRole function to add a user. If the role name is: ' or 1=1--+ Then call the api interface /auth/v1/roles/' or 1=1--+@DOMAIN_ID with DELETE method, it will call the deleteRole function to delete the user. And the SQL query is: DELETE FROM AAA_ROLES WHERE roleid = '' or 1=1—+'@DOMAIN_ID And all the elements in the AAA_ROLES table are removed due to this malicious query. Please consider fixing this security vulnerability as soon as possible.
Best wishes, Chunyang Han |
| Comments |
| Comment by Robert Varga [ 16/Nov/22 ] |
|
Thanks for the report, https://git.opendaylight.org/gerrit/c/aaa/+/103241 should take care of this. |