CVE-2022-45932 - SQL Injection Vulnerability in OpenDaylight AAA Targeting RoleStore.java

The OpenDaylight (ODL) project, a widely deployed, modular, and extensible open-source platform for Software-Defined Networking (SDN), has been discovered to contain a critical SQL injection vulnerability in its AAA (Authentication, Authorization, and Accounting) module. Assigned CVE identifier CVE-2022-45932, this vulnerability affects ODL versions before .16.5 and targets the aaa-idm-store-h2/src/main/java/org/opendaylight/aaa/datastore/h2/RoleStore.java deleteRole function.

An attacker could exploit this issue by sending malicious payloads through the API interface /auth/v1/roles/, potentially compromising the confidentiality, integrity, and availability of the affected ODL instance.

Vulnerability Details

Versions affected: OpenDaylight (ODL) up to and including .16.4
Severity: High

The ODL AAA module is responsible for managing user authentication, authorization, and accounting. A critical issue revolves around a lack of input validation in the RoleStore.java deleteRole function when the /auth/v1/roles/ API interface is used.

public void deleteRole(String roleid) {
    try (Connection conn = this.ds.getConnection(); PreparedStatement deleteRole = conn.prepareStatement("DELETE FROM roles WHERE roles.id=?")) {
        deleteRole.setObject(1, roleid);
        int rowcount = deleteRole.executeUpdate();
        conn.commit();
        if (rowcount < 1) {
            throw new SQLException("Role not found");
        }
    } catch (SQLException e) {
        throw new RuntimeException("failed to remove Role " + roleid, e);
    }
}

The code snippet above shows the deleteRole function, which fails to sanitize user input properly. Consequently, an attacker could exploit this by performing an SQL injection attack with a specially crafted payload targeting the vulnerable API endpoint.

Exploit Scenario

The following exploit scenario demonstrates how an attacker might inject malicious SQL code to delete multiple roles or even the entire roles table:

1. The attacker sends an HTTP request to the vulnerable API endpoint: DELETE /auth/v1/roles/{roleId}

The attacker embeds a malicious SQL payload (e.g., 1 OR 1=1) in place of the {roleId} parameter.

3. The server will process the request and execute the injected SQL code, leading to the deletion of an unintended number of roles or the entire roles table.

Remediation

To mitigate this vulnerability, it is recommended to upgrade the OpenDaylight installation to version .16.5 or later by following the official upgrade documentation:

- OpenDaylight Installation Guide

Alternatively, to minimize the risk of exploitation, consider implementing the following security best practices:

- Restrict access to the ODL API endpoints by using proper role-based access control (RBAC) and network segmentation.
- Use secure programming techniques to ensure proper input validation and sanitization, preventing attackers from injecting malicious payloads.

References

- OpenDaylight Project Homepage
- CVE-2022-45932 - NVD
- OpenDaylight AAA Module

Conclusion

CVE-2022-45932 is a high-severity SQL injection vulnerability in OpenDaylight's AAA module, affecting versions before .16.5. Users of affected versions are urged to upgrade their ODL installations and employ best security practices to safeguard their systems.

Timeline

Published on: 11/27/2022 03:15:00 UTC
Last modified on: 11/30/2022 20:43:00 UTC