CVE-2019-1010250

Name of the Vulnerable Software and Affected Versions ONOS versions 2.0.0 and earlier

Description The issue is related to poor input validation, which can be exploited by a network administrator or an attacker to install unintended flow rules in the switch. The createFlow() and createFlows() functions in FlowWebResource.java, a RESTful service, are affected. The attack vector is network management and connectivity. This can potentially allow an attacker to arbitrarily modify switch settings.

Recommendations For ONOS versions 2.0.0 and earlier, as a temporary workaround, consider disabling the createFlow() and createFlows() functions in FlowWebResource.java until a patch is available. Restrict access to the FlowWebResource.java module to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.