CVE-2017-1000411

Name of the Vulnerable Software and Affected Versions OpenFlow Plugin and OpenDayLight Controller versions Nitrogen through Robert Varga

Description The issue arises when multiple 'expired' flows consume the memory resource of the CONFIG DATASTORE, leading to the shutdown of the CONTROLLER. This occurs when multiple different flows with 'idle-timeout' and 'hard-timeout' are sent to the Openflow Plugin REST API, causing the expired flows to accumulate and eventually crash the controller once its resource allocations are exceeded. The attack can originate from both north and south bounds, with the south bound attack involving a flow flooding attack that, although unsuccessful in itself, can still lead to a CONTROLLER overflow attack through resource consumption. Despite the network and operational DS being only about 1% occupied, the controller requests excessive resource consumption due to the accumulation of expired flow entries in the CONFIG DS.

Recommendations For OpenFlow Plugin and OpenDayLight Controller versions Nitrogen through Robert Varga, consider restricting access to the Openflow Plugin REST API to minimize the risk of exploitation, and ensure proper resource allocation settings for the JVM to prevent excessive memory consumption. Additionally, monitor the CONFIG DATASTORE for expired flow entries and implement measures to remove them to prevent CONTROLLER shutdown.