CVE-2020-35215

Vulnerability

In Atomix v3.1.5, a flaw allows a malicious Atomix node to query distributed variable primitives that contain the entire primitive lists used by ONOS nodes to share important state information. The vulnerability resides in the distributed primitive implementation, which does not properly isolate or restrict access to the list of primitives held by other nodes [1].

Exploitation

An attacker with the ability to operate a node within the Atomix cluster can send a query for distributed variable primitives. No authentication or prior access to the specific primitives is required beyond membership in the cluster. By enumerating the primitives, the attacker can retrieve the full list of primitive identifiers and associated metadata maintained by ONOS nodes [1].

Impact

Successful exploitation results in unauthorized disclosure of sensitive information. The attacker gains knowledge of the entire set of distributed variable primitives, which ONOS relies on to coordinate critical state. This information leakage can aid further attacks by revealing the topology or state-sharing mechanisms of the distributed system [1].

Mitigation

As of the information provided in the available references, no patch or fixed version is mentioned for this issue. Users of Atomix v3.1.5 should monitor the official Atomix repository [2] for future updates and consider deploying network segmentation or node authentication mechanisms to limit the attack surface until a fix is released [1].