List: oss-security
Subject: [oss-security] Re: CVE request: DoS in ONOS when handling jumbo ethernet frames
From: Kurt Seifried <kseifried () redhat ! com>
Date: 2015-11-26 3:14:56
Message-ID: CANO=Ty33EZoiT=Gr7Qe7RuUUAAa5NacFRcLZWNgadVAX9VEEmA () mail ! gmail ! com
On Tue, Nov 24, 2015 at 10:19 AM, David Jorm <david.jorm@gmail.com> wrote:
> It was found that ONOS would throw exceptions when handling jumbo ethernet
> frames. The exceptions were not caught and handled, so a remote
> unauthenticated attacker could use this flaw to perform a denial-of-service
> attack against an ONOS system.
>
> To exploit this issue, the attacker must be able to send a jumbo ethernet
> frame to a switch controlled by ONOS. Only the connection between the
> controller and the switch generating the packet-in message of the malicious
> packet will be affected (disconnected). More details are available here:
>
> https://jira.onosproject.org/browse/ONOS-3349
>
> An advisory is now live with no CVE ID:
>
> https://wiki.onosproject.org/display/ONOS/Security+advisories
>
> Please assign a CVE ID to this issue. A request was sent to MITRE
> directly 9 days ago with no answer. We need a CVE ID within the next 24
> hours.
>
> Thanks
> David Jorm on behalf of the ONOS security response team
>
Adding Mitre to CC to make sure we don't end up with a duplicate.
Please use CVE-2015-7516 for this issue. Happy Thanksgiving all!
--
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: secalert@redhat.com