CVE-2020-35213

Vulnerability

An issue in Atomix v3.1.5 allows attackers to cause a denial of service (DoS) via false link event messages sent to a master ONOS node [1]. The affected component is the link event processing logic in this specific version of Atomix, a Kubernetes toolkit for building distributed applications [2]. The code path is reachable when an attacker can send crafted link event messages to a master ONOS node running the vulnerable Atomix library.

Exploitation

An attacker requires network access to send false link event messages to a master ONOS node running Atomix v3.1.5. No authentication is mentioned as required for this attack [1]. The attacker can exploit this by sending specially crafted link event messages that trigger a denial of service condition in the target node.

Impact

Successful exploitation results in a denial of service (DoS) condition, causing the master ONOS node to become unavailable [1]. This can disrupt the operation of the distributed system relying on Atomix and ONOS for network control and management, impacting availability.

Mitigation

Not yet disclosed in the available references [1][2]. As of the publication date (2021-12-16), no patch or fixed version information is provided in the referenced advisories. Users should monitor the Atomix project repository and security updates for a fix [2].