CVE-2019-1010249

Name of the Vulnerable Software and Affected Versions ONOS versions 2.0.0 and earlier

Description The issue is caused by an integer overflow in the createFlow() and createFlows() functions within the FlowWebResource.java file, which is part of the RESTful service. This can allow a network administrator or an attacker to unintentionally install incorrect flow rules in the switch. The attack vector is related to network management and connectivity. Exploitation of this issue may enable an attacker to arbitrarily modify switch settings.

Recommendations For ONOS versions 2.0.0 and earlier, as a temporary workaround, consider disabling the createFlow() and createFlows() functions until a patch is available. Restrict access to the FlowWebResource.java module to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.