OpenDaylight JIRA https://jira.opendaylight.org This file is an XML representation of an issue en-us 8.20.10 820010 22-06-2022 [CONTROLLER-1187] [SECURITY] Authentication bypass in opendaylight realm CVE-2015-1778 https://jira.opendaylight.org/browse/CONTROLLER-1187 controller <p>Flavio Fernandes reported:</p> <p>Today on Helium (including SR1.1 and SR2) the neutron northbound uses basicAuth.</p> <p>While the rest server (port 8080) will reject an http w/out the auth header, it does not<br/> really check if the username:password provided are valid.</p> <p>Quick way of demonstrating this:</p> <p> curl <a href="http://192.168.50.1:8080/controller/nb/v2/neutron/networks" class="external-link" target="_blank" rel="nofollow noopener">http://192.168.50.1:8080/controller/nb/v2/neutron/networks</a> &lt;== 401, correct<br/> curl -u wrong:bad <a href="http://192.168.50.1:8080/controller/nb/v2/neutron/networks" class="external-link" target="_blank" rel="nofollow noopener">http://192.168.50.1:8080/controller/nb/v2/neutron/networks</a> &lt;== 200, bad!</p> <p>Please make sure that security issue is taken care of.</p> <p>Note this is not an issue in Lithium codebase, once we changed to jetty. I did not try Hydrogen.</p> <p>David Jorm investigated and found the offending code:</p> <p><a href="https://github.com/opendaylight/controller/blob/stable/helium/opendaylight/karaf-tomcat-security/src/main/java/org/opendaylight/controller/karafsecurity/ControllerCustomRealm.java#L40" class="external-link" target="_blank" rel="nofollow noopener">https://github.com/opendaylight/controller/blob/stable/helium/opendaylight/karaf-tomcat-security/src/main/java/org/opendaylight/controller/karafsecurity/ControllerCustomRealm.java#L40</a></p> <p>This will accept any username/password combination. If I change line 40 to "return null;" and recompile, then no username/password combination is accepted. It appears that the "opendaylight" realm (which uses this custom realm class) is widely used by several interfaces. I think a patch should drop the custom realm class and use UserDatabaseRealm or similar instead.</p> <p>Colin Dixon is now working on a patch, targeting the SR3 release.</p> <p>Operating System: All<br/> Platform: All</p> CONTROLLER-1187 [SECURITY] Authentication bypass in opendaylight realm CVE-2015-1778 Bug Resolved Done David Jorm David Jorm Mon, 9 Mar 2015 00:42:56 +0000 Sat, 14 Mar 2015 00:48:14 +0000 Sat, 14 Mar 2015 00:48:14 +0000 Helium usermanager 0 1 <p>Proposed patch for stable/helium: <a href="https://git.opendaylight.org/gerrit/#/c/16307/" class="external-link" target="_blank" rel="nofollow noopener">https://git.opendaylight.org/gerrit/#/c/16307/</a></p> <p>The patch has been merged, and will be included in the SR3 release.</p> Development External issue ID 2798 External issue URL Issue Type ODL SR Target Milestone Priority Rank 0|i02p0v: