[AAA-40] [SECURITY] SQLite: memory corruption leading to DoS and possible code execution CVE-2015-3414 and CVE-2015-3416
Created: 24/Jun/15 | Updated: 21/Mar/19 | Resolved: 25/Jun/15 |
|
| Status: | Resolved |
| Project: | aaa |
| Component/s: | General |
| Affects Version/s: | None |
| Fix Version/s: | None |
| Type: | Bug | ||
| Reporter: | David Jorm | Assignee: | Unassigned |
| Resolution: | Done | Votes: | 0 |
| Labels: | None | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Environment: | Operating System: All |
| External issue ID: | 3856 |
| Description |
|
The Helium release of AAA uses SQL statements prepared using string concatenation of user-supplied variables. This theoretically exposes an SQL injection vulnerability, but testing has revealed no cases that could cross a trust boundary and be useful to an attacker. However, as a result of allowing users to directly manipulate SQL statements, AAA exposes two underlying vulnerabilities in SQLite:

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3414

Another vulnerability in SQLite was also reported:

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3415

But AAA does not expose this vulnerability, because it relies on injection of DDL and AAA only allows an attacker to inject DML.

To resolve these vulnerabilities, we need to either switch to using prepared statements, or upgrade SQLite to a patched version, preferably both. The Lithium release uses prepared statements and is not vulnerable. |
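The difference between the two statement styles named in the description, shown on a DML statement as an added example; it is not AAA's code, which this page does not show. Python's built-in `sqlite3` module stands in for the project's data layer, and the table, column names and sample inputs are constructed for illustration.

```python
import sqlite3

# Constructed sample data; the table and column names are hypothetical.
ROWS = [("alice", "admin"), ("bob", "user"), ("o'brien", "user")]

def make_db():
    """Create a fresh in-memory database holding the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", ROWS)
    return conn

def set_role_concat(conn, name, role):
    """Concatenation: the input is compiled as part of the statement text."""
    sql = "UPDATE users SET role = '" + role + "' WHERE name = '" + name + "'"
    return conn.execute(sql).rowcount

def set_role_bound(conn, name, role):
    """Fixed statement text; values are bound after parsing, purely as data."""
    sql = "UPDATE users SET role = ? WHERE name = ?"
    return conn.execute(sql, (role, name)).rowcount

def compare(name, role="auditor"):
    """Run both variants on fresh databases; report rows changed or the error."""
    results = {}
    for label, fn in (("concat", set_role_concat), ("bound", set_role_bound)):
        conn = make_db()
        try:
            results[label] = fn(conn, name, role)
        except sqlite3.Error as exc:
            # A parse error here means the input reached the SQL parser.
            results[label] = type(exc).__name__
        finally:
            conn.close()
    return results

if __name__ == "__main__":
    # An ordinary name, a legitimate name containing a quote, and a value
    # that rewrites the WHERE clause when it is concatenated.
    for sample in ("bob", "o'brien", "bob' OR '1'='1"):
        print(repr(sample), compare(sample))
```

With concatenation, a name containing a quote either fails to parse or changes which rows the statement touches. With binding, the same inputs only ever match a row by name, so user input never reaches the SQLite parser.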
| Comments |
| Comment by David Jorm [ 24/Jun/15 ] |
|
Patch upgrading SQLite: https://git.opendaylight.org/gerrit/#/c/23216/ |
| Comment by Ryan Goulding [ 25/Jun/15 ] |
|
The following resolves the PreparedStatements issue: |