CVE CyberSecurity Database News

CVE-2022-45932 - SQL Injection in OpenDaylight AAA - How It Works, Exploit Details, and In-Depth Explanation

Poster -

If you're using OpenDaylight (ODL)—an open source platform popular for software-defined networking—you should pay attention to CVE-2022-45932. This vulnerability affects the OpenDaylight AAA (Authentication, Authorization, and Accounting) component before version .16.5. In this article, we break down the problem, show you the vulnerable code, how attackers can exploit it, and what you should do to stay protected.

What is CVE-2022-45932?

CVE-2022-45932 is a SQL Injection vulnerability discovered in the function deleteRole of the file RoleStore.java in the OpenDaylight AAA module. Attackers can exploit this issue through the /auth/v1/roles/ API interface. With a carefully crafted request, an attacker can run arbitrary SQL commands on your server.

Brief summary from MITRE CVE database:
> A SQL injection issue was discovered in AAA in OpenDaylight (ODL) before .16.5. The aaa-idm-store-h2/src/main/java/org/opendaylight/aaa/datastore/h2/RoleStore.java deleteRole function is affected when the API interface /auth/v1/roles/ is used.

Getting Into the Code

Below is the vulnerable part of source code. The key problem is that user input goes directly into the SQL statement, without proper validation or sanitization:

// (From RoleStore.java)
public void deleteRole(String roleId) throws StoreException {
    String sql = "DELETE FROM ROLES WHERE roleid = '" + roleId + "'";
    try (Connection conn = getConnection();
         Statement st = conn.createStatement()) {
        st.executeUpdate(sql);
    } catch (SQLException e) {
        throw new StoreException("Delete failed", e);
    }
}

What’s the problem?

- The roleId variable comes directly from user input via /auth/v1/roles/ API.

The user input is concatenated into the SQL statement without any escaping.

- Any special characters (like ' or ;) can break the query structure, letting an attacker inject their own SQL commands.

Suppose an attacker sends the following request to your API

DELETE /auth/v1/roles/123' OR '1'='1

The constructed SQL becomes

DELETE FROM ROLES WHERE roleid = '123' OR '1'='1'

- If the database executes this, all records in the table ROLES might be deleted (because '1'='1' is always true)!
- Attackers can potentially delete all roles, or even chain this with more dangerous payloads, depending on database setup.

More Aggressive Payload

Why stop at deleting everything? Suppose an attacker wants to leak data instead. Let’s try appending more SQL (this example's success depends on your exact DBMS and security settings):

DELETE /auth/v1/roles/123'; SELECT * FROM USERS; --

This can execute a second, malicious SQL command if the database allows multiple statements (often a configuration setting).

Note: This level of chaining might be blocked by database-specific settings (such as allowMultiQueries in MySQL), but the basic DELETE/WHERE bypass will almost always work.

Why This Matters

SQL Injection is one of the most severe vulnerabilities in web development. If attackers control your AAA (identity) database, they can potentially:

How to Fix It

The best way to fix SQL Injection vulnerabilities is never build SQL queries by concatenating user input. Instead, always use parameterized queries (also known as prepared statements). Here’s how you should rewrite the function:

public void deleteRole(String roleId) throws StoreException {
    String sql = "DELETE FROM ROLES WHERE roleid = ?";
    try (Connection conn = getConnection();
         PreparedStatement pst = conn.prepareStatement(sql)) {
        pst.setString(1, roleId);
        pst.executeUpdate();
    } catch (SQLException e) {
        throw new StoreException("Delete failed", e);
    }
}

Why is this safe?
The PreparedStatement ensures roleId is treated only as a value, not as part of the SQL code—even if it contains quotes or other weird characters.

Original References

- OpenDaylight Security Advisory: ODL-SEC-2022-08 SQL Injection Vulnerability
- OpenDaylight Issue Tracker: AAA SQL Injection
- Source code on GitHub (vulnerable version)
- Common bug description on cvedetails.com

Always use prepared statements in Java (or equivalent mechanisms in other languages).

Remember: SQL injection is preventable—but it takes discipline and awareness.

Want to Learn More?

- OWASP SQL Injection Cheat Sheet
- Java Prepared statements and SQL injection
- OpenDaylight Security Process

Stay safe and always keep your software up to date!

*Exclusive content by ChatGPT, breaking down CVE-2022-45932 for real-world developers and sysadmins.*

Timeline

Published on: 11/27/2022 03:15:00 UTC
Last modified on: 11/30/2022 20:43:00 UTC