{"containers": {"cna": {"affected": [{"product": "OpenDayLight", "vendor": "OpenDayLight", "versions": [{"status": "affected", "version": "Carbon SR3"}]}], "dateAssigned": "2018-03-14T00:00:00", "datePublic": "2018-01-18T00:00:00", "descriptions": [{"lang": "en", "value": "OpenDayLight version Carbon SR3 and earlier contain a vulnerability during node reconciliation that can result in traffic flows that should be expired or should expire shortly being re-installed and their timers reset resulting in traffic being allowed that should be expired."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-20", "description": "CWE-20", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2018-03-20T13:57:01", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1533501"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://jira.opendaylight.org/browse/OPNFLWPLUG-971"}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T03:51:48.375Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1533501"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://jira.opendaylight.org/browse/OPNFLWPLUG-971"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2018-1078", "datePublished": "2018-03-16T20:00:00", "dateReserved": "2017-12-04T00:00:00", "dateUpdated": "2024-08-05T03:51:48.375Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:opendaylight:openflow:*:*:*:*:*:opendaylight:*:*", "matchCriteriaId": "D4A8BF0D-789C-4D5D-B8CF-662DCA292260", "versionEndIncluding": "carbon", "vulnerable": true}, {"criteria": "cpe:2.3:a:opendaylight:openflow:sp1:*:*:*:*:opendaylight:*:*", "matchCriteriaId": "AC3015BD-500C-4D8A-9C09-177C9D088F15", "vulnerable": true}, {"criteria": "cpe:2.3:a:opendaylight:openflow:sp2:*:*:*:*:opendaylight:*:*", "matchCriteriaId": "E5E2B666-81F4-4030-B717-775B6C96AE68", "vulnerable": true}, {"criteria": "cpe:2.3:a:opendaylight:openflow:sp3:*:*:*:*:opendaylight:*:*", "matchCriteriaId": "25C9A05F-EBD0-416E-9EA5-89C4292BCA24", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "OpenDayLight version Carbon SR3 and earlier contain a vulnerability during node reconciliation that can result in traffic flows that should be expired or should expire shortly being re-installed and their timers reset resulting in traffic being allowed that should be expired."}, {"lang": "es", "value": "OpenDayLight, en versiones Carbon SR3 y anteriores, contiene una vulnerabilidad durante la reconciliaci\u00f3n de nodos que puede resultar en flujos de tr\u00e1fico que deber\u00edan estar caducados o deber\u00edan hacerlo en breves se reinstalen y resulten en la permisi\u00f3n de tr\u00e1fico que deber\u00eda estar caducado."}], "id": "CVE-2018-1078", "lastModified": "2024-11-21T03:59:07.970", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-03-16T20:29:00.383", "references": [{"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Not Applicable"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1533501"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "https://jira.opendaylight.org/browse/OPNFLWPLUG-971"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Not Applicable"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1533501"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://jira.opendaylight.org/browse/OPNFLWPLUG-971"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "secalert@redhat.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"acknowledgement": "Red Hat would like to thank Vaibhav Hemant Dixit (Arizona State University) for reporting this issue.", "bugzilla": {"description": "opendaylight: Insecure behavior in node reconciliation process", "id": "1533501", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1533501"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.8", "cvss3_scoring_vector": "CVSS:3.0/AV:A/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-665", "details": ["OpenDayLight version Carbon SR3 and earlier contain a vulnerability during node reconciliation that can result in traffic flows that should be expired or should expire shortly being re-installed and their timers reset resulting in traffic being allowed that should be expired.", "It was found that all flows, including active and inactive, in the config datastore are installed back in the switch upon reconnection, as part of the node reconciliation process in OpenDayLight. This may lead to denial of service via table overflow or possibly circumventing of the controller's control."], "name": "CVE-2018-1078", "package_state": [{"cpe": "cpe:/a:redhat:openstack:10", "fix_state": "Will not fix", "package_name": "opendaylight", "product_name": "Red Hat OpenStack Platform 10 (Newton)"}, {"cpe": "cpe:/a:redhat:openstack:11", "fix_state": "Will not fix", "package_name": "opendaylight", "product_name": "Red Hat OpenStack Platform 11 (Ocata)"}, {"cpe": "cpe:/a:redhat:openstack:12", "fix_state": "Will not fix", "package_name": "opendaylight", "product_name": "Red Hat OpenStack Platform 12 (Pike)"}, {"cpe": "cpe:/a:redhat:openstack:13", "fix_state": "Will not fix", "package_name": "opendaylight", "product_name": "Red Hat OpenStack Platform 13 (Queens)"}, {"cpe": "cpe:/a:redhat:openstack:14", "fix_state": "Will not fix", "package_name": "opendaylight", "product_name": "Red Hat OpenStack Platform 14 (Rocky)"}, {"cpe": "cpe:/a:redhat:openstack:8", "fix_state": "Will not fix", "package_name": "opendaylight", "product_name": "Red Hat OpenStack Platform 8 (Liberty)"}, {"cpe": "cpe:/a:redhat:openstack:9", "fix_state": "Will not fix", "package_name": "opendaylight", "product_name": "Red Hat OpenStack Platform 9 (Mitaka)"}], "public_date": "2018-03-13T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2018-1078\nhttps://nvd.nist.gov/vuln/detail/CVE-2018-1078"], "threat_severity": "Moderate"}