Opendaylight · Opendaylight Controller · CVE-2017-1000411
**Name of the Vulnerable Software and Affected Versions**
OpenFlow Plugin and OpenDayLight Controller versions Nitrogen through Robert Varga
**Description**
The issue arises when multiple 'expired' flows consume the memory of the CONFIG DATASTORE, leading to the shutdown of the controller. When multiple different flows with 'idle-timeout' and 'hard-timeout' are sent to the OpenFlow Plugin REST API, the expired flows accumulate and eventually crash the controller once its resource allocations are exceeded. The attack can originate from both the northbound and the southbound side. The southbound variant is a flow flooding attack that, although unsuccessful in itself, can still lead to a controller overflow attack through resource consumption. Even though the network and the operational datastore (DS) are only about 1% occupied, the controller's resource consumption becomes excessive because of the expired flow entries accumulated in the CONFIG DS.
**Recommendations**
For OpenFlow Plugin and OpenDayLight Controller versions Nitrogen through Robert Varga, consider restricting access to the OpenFlow Plugin REST API to minimize the risk of exploitation, and ensure proper resource allocation settings for the JVM to prevent excessive memory consumption. Additionally, monitor the CONFIG DATASTORE for expired flow entries and implement measures to remove them to prevent controller shutdown.
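
One way to do the monitoring step, as an added example that is not code from the advisory or from the OpenDaylight project: it compares a CONFIG datastore snapshot with an operational one and lists flows that carry a timeout but are no longer present operationally, together with the RESTCONF path to remove each. The JSON layout (`opendaylight-inventory:nodes`), matching on node, table and flow id, the legacy `/restconf/config` prefix and all sample data are assumptions.

```python
import json
from urllib.parse import quote

TABLE_KEY = "flow-node-inventory:table"

def snapshot(flows):
    """Build a constructed datastore snapshot for node openflow:1, table 0."""
    return {"nodes": {"node": [{"id": "openflow:1",
                                TABLE_KEY: [{"id": 0, "flow": flows}]}]}}

# Constructed sample data (not real controller output).
CONFIG_DS = snapshot([
    {"id": "permanent-1", "idle-timeout": 0, "hard-timeout": 0},
    {"id": "timed-live", "idle-timeout": 60, "hard-timeout": 300},
    {"id": "timed-gone-1", "idle-timeout": 5, "hard-timeout": 10},
    {"id": "timed-gone-2", "hard-timeout": 10},
])
OPERATIONAL_DS = snapshot([
    {"id": "permanent-1", "idle-timeout": 0, "hard-timeout": 0},
    {"id": "timed-live", "idle-timeout": 60, "hard-timeout": 300},
])

def index_flows(ds):
    """Map (node id, table id, flow id) -> flow entry for one snapshot."""
    flows = {}
    for node in ds.get("nodes", {}).get("node", []):
        for table in node.get(TABLE_KEY, []):
            for flow in table.get("flow", []):
                flows[(node["id"], table["id"], flow["id"])] = flow
    return flows

def expired_config_flows(config_ds, operational_ds):
    """Config flows with a non-zero timeout that are absent operationally."""
    live = index_flows(operational_ds)
    return sorted(
        key for key, flow in index_flows(config_ds).items()
        if (flow.get("idle-timeout", 0) or flow.get("hard-timeout", 0))
        and key not in live
    )

def delete_path(key):
    """RESTCONF path (assumed legacy prefix) of one config flow entry."""
    node, table, flow_id = key
    return "/restconf/config/opendaylight-inventory:nodes/node/%s/%s/%d/flow/%s" % (
        quote(node, safe=":"), TABLE_KEY, table, quote(flow_id, safe=":"))

if __name__ == "__main__":
    stale = expired_config_flows(CONFIG_DS, OPERATIONAL_DS)
    print(json.dumps({"expired": len(stale),
                      "delete": [delete_path(k) for k in stale]}, indent=2))
```

A switch that is disconnected has no operational flows at all, so every timed flow for it will be listed; confirm the node is connected before removing entries.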