This page lists all security vulnerabilities fixed in ONOS. Each vulnerability is assigned a security impact rating on a four-point scale (low, moderate, important and critical). The versions that are affected by each vulnerability are also listed.
You can find the template demonstrating the structure of advisories here.
It was found that ONOS allows the upload and execution of applications via the ONOS UI without authentication.
ONOS 1.8.0, 1.9.0 are confirmed to be affected.
https://gerrit.onosproject.org/#/c/13830/
Patches have been committed to 1.8, 1.9, 1.10 and will be included in future builds.
Mathias Morbitzer (Fraunhofer AISEC), Johann Vierthaler (Fraunhofer AISEC) in cooperation with Marcel Winandy (Huawei)
It was found that ONOS allows the use of websockets without authentication. This allows unauthenticated users to execute the functionalities provided by websocket endpoints.
ONOS 1.8.0, 1.9.0 are confirmed to be affected.
https://gerrit.onosproject.org/#/c/14261/
Patches have been committed to 1.8, 1.9, 1.10 and will be included in future builds.
Mathias Morbitzer (Fraunhofer AISEC), Johann Vierthaler (Fraunhofer AISEC) in cooperation with Marcel Winandy (Huawei)
It was found that ONOS encounters severe problems with its storage facilities once a valid JSON document containing very long strings is uploaded. After such a request is posted, ONOS is unable to perform a variety of tasks (e.g., registering a new device, performing the wipe-out command, etc.).
ONOS 1.8.0, 1.9.0 are confirmed to be affected.
https://gerrit.onosproject.org/#/c/14351/
https://gerrit.onosproject.org/#/c/14466/
Patches have been committed to 1.8, 1.9, 1.10 and will be included in future builds.
Mathias Morbitzer (Fraunhofer AISEC), Johann Vierthaler (Fraunhofer AISEC) in cooperation with Marcel Winandy (Huawei)
It is possible to add new devices or hosts via the REST interface. It was found that if JavaScript code is supplied in parameters such as serial, swVersion, hwVersion or manufacturer, it is later executed when a user visits, e.g., the topology view in the GUI and clicks on the device icon.
ONOS 1.8.0, 1.9.0 are confirmed to be affected.
https://gerrit.onosproject.org/#/c/14170/
https://gerrit.onosproject.org/#/c/14182/
Patches have been committed to 1.8, 1.9, 1.10 and will be included in future builds.
Mathias Morbitzer (Fraunhofer AISEC), Johann Vierthaler (Fraunhofer AISEC) in cooperation with Marcel Winandy (Huawei)
It was found that the ONOS core did not properly protect itself from exceptions thrown in application packet processors. Exceptions thrown by applications were not caught and handled, which would result in the relevant switch being disconnected because an exception occurred in an I/O thread. An application could exhibit behavior (either intentionally or unintentionally) which would allow a remote unauthenticated attacker to perform a denial-of-service (DoS) attack by causing ONOS to disconnect switches.
ONOS 1.3.0 Drake is confirmed to be affected.
https://gerrit.onosproject.org/#/c/6137/
A patch has been committed and will be included in a future build.
This issue was reported by Kashyap Thimmaraju (Technische Universität Berlin & T-Labs Berlin), Liron Schiff (Tel Aviv University), and Dr. Stefan Schmid (Technische Universität Berlin & T-Labs Berlin).
It was found that the packet deserializers in ONOS would throw exceptions when handling malformed, truncated or maliciously crafted packets. The exceptions were not caught and handled, which would result in the relevant switch being disconnected because an exception occurred in an I/O thread. A remote unauthenticated attacker could use this flaw to perform a denial-of-service (DoS) attack by causing ONOS to disconnect switches. See ONOS-605 for more details.
ONOS 1.0.0 Avocet is confirmed to be affected.
https://gerrit.onosproject.org/#/c/2207/
Avocet 1.0.1 contains the fix and this patched build is available here. Release Notes for Avocet 1.0.1 are available here.
This issue was reported by Charles M.C. Chan and Jonathan Hart.
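The two denial-of-service advisories above (uncaught exceptions from application packet processors, and uncaught exceptions from packet deserializers) share one failure mode: an exception escaping on the I/O thread tears down the switch connection. The following added example, which is not ONOS code and uses hypothetical stand-in types rather than the real ONOS API, shows the defensive pattern the fixes describe: a deserializer that validates bounds and reports a checked exception, and a dispatcher that drops malformed packets and isolates each processor's failure so the connection survives.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.function.Consumer;

// Hypothetical stand-ins, not the real ONOS API (assumed for this example).
class DeserializationException extends Exception { DeserializationException(String m) { super(m); } }

class SafeEthernet {
    static final int HEADER_LEN = 14;  // dst MAC (6) + src MAC (6) + EtherType (2)

    // Checks bounds before reading, so a truncated or malformed frame yields a checked
    // exception instead of an uncaught IndexOutOfBoundsException on the I/O thread.
    static int etherType(byte[] data, int offset, int length) throws DeserializationException {
        if (data == null || offset < 0 || length < HEADER_LEN || offset > data.length - length) {
            throw new DeserializationException("malformed or truncated frame, length " + length);
        }
        return ((data[offset + 12] & 0xff) << 8) | (data[offset + 13] & 0xff);
    }
}

class PacketDispatcher {
    private final List<Consumer<byte[]>> processors = new ArrayList<>();
    int processorFailures = 0, droppedPackets = 0;

    void addProcessor(Consumer<byte[]> p) { processors.add(p); }

    // Runs on the I/O thread: malformed packets are dropped, and a failing application
    // processor is logged and counted rather than allowed to disconnect the switch.
    void dispatch(byte[] frame) {
        try {
            SafeEthernet.etherType(frame, 0, frame.length);
        } catch (DeserializationException e) {
            droppedPackets++;
            System.err.println("dropping packet: " + e.getMessage());
            return;
        }
        for (Consumer<byte[]> p : processors) {
            try { p.accept(frame); }
            catch (RuntimeException e) { processorFailures++; System.err.println("processor failed: " + e); }
        }
    }

    public static void main(String[] args) {
        PacketDispatcher d = new PacketDispatcher();
        d.addProcessor(f -> { throw new IllegalStateException("buggy app"); });  // misbehaving processor
        d.addProcessor(f -> System.out.println("second processor still ran"));
        d.dispatch(new byte[14]);  // constructed minimal well-formed frame
        d.dispatch(new byte[5]);   // constructed truncated frame
        System.out.println(d.processorFailures + " processor failure(s), " + d.droppedPackets + " dropped");
    }
}
```

Compile with `javac PacketDispatcher.java` and run `java PacketDispatcher`; the buggy processor's exception is counted, the second processor still runs, and the truncated frame is dropped without reaching any processor.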