
CVE-2024-46942: OpenDaylight Model-Driven Service Abstraction Layer (MD-SAL) allows follower controller to set up flow entries

CVSS Score: 6.5 (CVSS v3.1)

Basic Information

EPSS Score: 0.11061%
Published: 9/16/2024
Updated: 11/18/2024
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Package Name                            Ecosystem  Vulnerable Versions  First Patched Version
org.opendaylight.mdsal:mdsal-artifacts  maven      <= 13.0.1            (none listed)

Vulnerability Intelligence (Miggo AI)

Root Cause Analysis

The vulnerability stems from improper authorization (CWE-285) in MD-SAL's cluster role enforcement. Analysis suggests two likely components:
1) DataBroker.commit() is central to datastore modifications and would require leader-role validation.
2) RPC registration mechanisms appear to lack proper role checks, based on the arXiv paper's description of control-plane manipulation.
While exact code references are unavailable, these components handle the critical write operations and RPC services that match the described attack vector. Confidence is medium, because the evidence is indirect: it comes from the vulnerability descriptions and an architectural understanding of OpenDaylight's MD-SAL components.


WAF Protection Rules

WAF Rule

In OpenDaylight Model-Driven Service Abstraction Layer (MD-SAL) through 13.0.1, a controller with a follower role can configure flow entries in an OpenDaylight clustering deployment.
