[AAA-239] SQL injection in the aaa-idm-store-h2 (deleteRole function)

Sat, 3 Dec 2022 01:18:41 +0000

Hello,

I am writing to report a vulnerability in one of the components of Opendaylight, aaa.

With this bug, attackers can SQL inject the component's database(SQLite).

The bug is in /aaa-idm-store-h2/src/main/java/org/opendaylight/aaa/datastore/h2/RoleStore.java (deleteRole function).

As we can see, the aaa concats roleid information to build a delete SQL query, and it executes the query in SQLite.

However, in line 181, the roleid(escaped) is a string. If the user calls the api interface /auth/v1/roles/ to add a malicious role, and then calls the deleteRole function to delete the role, it will cause SQL injection.

For example, he can call the api interface /auth/v1/roles/ with POST method, it will call the createRole function to add a user. If the role name is:

' or 1=1--+

Then call the api interface /auth/v1/roles/' or 1=1--+@DOMAIN_ID with DELETE method, it will call the deleteRole function to delete the user. And the SQL query is:

DELETE FROM AAA_ROLES WHERE roleid = '' or 1=1—+'@DOMAIN_ID

And all the elements in the AAA_ROLES table are removed due to this malicious query.

Please consider fixing this security vulnerability as soon as possible.

Best wishes,

Chunyang Han

OpenDaylight JIRA

[AAA-239] SQL injection in the aaa-idm-store-h2 (deleteRole function)