PT-2019-11521 · Open Networking Operating System · Onos

Published

2019-07-22

Updated

2019-07-25

CVE-2019-1010234

CVSS v3.1

9.8

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions: ONOS versions 1.15.0 and earlier

Description: The issue is related to improper input validation, allowing an attacker to remotely execute commands by sending a malicious HTTP request to the controller. The vulnerable component is the runJavaCompiler method in YangLiveCompilerManager.java. The attack vector is network connectivity.

Recommendations: For versions 1.15.0 and earlier, consider restricting network access to the controller until a fix is available. As a temporary workaround, consider disabling the runJavaCompiler method in YangLiveCompilerManager.java to prevent remote command execution.

Exploit

Fix

RCE

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-20

Related Identifiers

CVE-2019-1010234

Affected Products

Onos

PT-2019-11521 · Open Networking Operating System · Onos

CVE-2019-1010234

Weakness Enumeration

Related Identifiers

Affected Products

References · 3