CVE-2018-1000616

Name of the Vulnerable Software and Affected Versions ONOS controller version 1.13.1 and earlier

Description The issue is related to a XML External Entity (XXE) vulnerability in the loadxml() function of XmlConfigParser.java. This vulnerability can be exploited remotely via network connectivity, allowing an adversary to launch XXE attacks on the ONOS controller through an OpenConfig Terminal Device.

Recommendations For ONOS controller version 1.13.1 and earlier, consider disabling the loadxml() function in XmlConfigParser.java as a temporary workaround until a patch is available. Restrict access to the ONOS controller via network connectivity to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.