https://jira.opendaylight.org This file is an XML representation of an issue en-us 8.20.10 820010 22-06-2022 https://jira.opendaylight.org/browse/SDNINTRFAC-14 sdninterfaceapp <p>#security-status: confirmed</p> <p><ins><font color="#ff0000">Please Note: This issue is a possible security vulnerability, do not discuss outside of this Jira or stage any patches on gerrit until the embargo process reaches that stage.</font></ins><br/>  <br/> I am Feng Xiao and Jianwei Huang, from Wuhan University.<br/> I am writing to report a vulnerability in one of the components of Opendaylight, SDNInterfaceapp (SDNI).<br/> With this bug, attackers can SQL inject the component's database(SQLite)  without authenticating to the controller or SDNInterfaceapp.<br/>  <br/> The bug is in /impl/src/main/java/org/opendaylight/sdninterfaceapp/impl/database/SdniDataBase.java (line 373~391)<br/>  <br/> As we can see, the SDNI concats port information to build an insert SQL query, and it executes the query in SQLite.<br/> However, in line 386, the portName is a string that can be customized by switches. Since SQLite supports multiple sql queries in one run,<br/> attackers can customize the port name to inject another SQL if they compromise or forge a switch.<br/>  <br/> For example, he can set portName as:<br/> ");drop table NAME;//<br/>  </p> SDNINTRFAC-14

SQL injection in the component database(SQLite) without authenticating to the controller or SDNInterfaceapp.

Bug Low Resolved Done Luke Hinds Luke Hinds security Tue, 8 May 2018 08:39:43 +0000 Fri, 18 May 2018 13:07:10 +0000 Fri, 18 May 2018 13:07:10 +0000 0 1 <p>Released as security note, as the SDNI project is no longer maintained.</p> Development Rank 0|i03eef: