Vendor

Opendaylight

Products

CVEs

Across products

Status

Private

Products

Opendaylight
7 CVEs
Openflow
2 CVEs
Defense4all
1 CVE
Karaf
1 CVE
L2switch
1 CVE

Recent CVEs

CVE	Sev	Risk	CVSS	EPSS	Published	Description
CVE-2015-1778	Cri	0.64	9.8	0.03	Jun 27, 2017	The custom authentication realm used by karaf-tomcat's "opendaylight" realm in Opendaylight before Helium SR3 will authenticate any username and password combination.
CVE-2014-8149	Hig	0.57	8.8	0.01	Jun 27, 2017	OpenDaylight defense4all 1.1.0 and earlier allows remote authenticated users to write report data to arbitrary files.
CVE-2017-1000406	Hig	0.49	7.5	0.00	Nov 30, 2017	OpenDaylight Karaf 0.6.1-Carbon fails to clear the cache after a password change, allowing the old password to be used until the Karaf cache is manually cleared (e.g. via restart).
CVE-2017-1000361	Hig	0.49	7.5	0.00	Apr 24, 2017	DOMRpcImplementationNotAvailableException when sending Port-Status packets to OpenDaylight. Controller launches exceptions and consumes more CPU resources. Component: OpenDaylight is vulnerable to this flaw. Version: The tested versions are OpenDaylight 3.3 and 4.0.
CVE-2017-1000357	Hig	0.49	7.5	0.00	Apr 24, 2017	Denial of Service attack when the switch rejects to receive packets from the controller. Component: This vulnerability affects OpenDaylight odl-l2switch-switch, which is the feature responsible for the OpenFlow communication. Version: OpenDaylight versions 3.3 (Lithium-SR3), 3.4 (Lithium-SR4), 4.0 (Beryllium), 4.1 (Beryllium-SR1), 4.2 (Beryllium-SR2), and 4.4 (Beryllium-SR4) are affected by this flaw. Java version is openjdk version 1.8.0_91.
CVE-2015-1612	Hig	0.49	7.5	0.01	Apr 4, 2017	OpenFlow plugin for OpenDaylight before Helium SR3 allows remote attackers to spoof the SDN topology and affect the flow of data, related to the reuse of LLDP packets, aka "LLDP Relay."
CVE-2015-1611	Hig	0.49	7.5	0.01	Apr 4, 2017	OpenFlow plugin for OpenDaylight before Helium SR3 allows remote attackers to spoof the SDN topology and affect the flow of data, related to "fake LLDP injection."
CVE-2017-1000360	Med	0.34	5.3	0.00	Apr 24, 2017	StreamCorruptedException and NullPointerException in OpenDaylight odl-mdsal-xsql. Controller launches exceptions in the console. Component: OpenDaylight odl-mdsal-xsql is vulnerable to this flaw. Version: The tested versions are OpenDaylight 3.3 and 4.0.
CVE-2017-1000359	Med	0.34	5.3	0.00	Apr 24, 2017	Java out of memory error and significant increase in resource consumption. Component: OpenDaylight odl-mdsal-xsql is vulnerable to this flaw. Version: The tested versions are OpenDaylight 3.3 and 4.0.
CVE-2015-1610	Med	0.34	5.3	0.00	Mar 20, 2017	hosttracker in OpenDaylight l2switch allows remote attackers to change the host location information by spoofing the MAC address, aka "topology spoofing."
CVE-2018-1078		0.00	—	0.00	Mar 16, 2018	OpenDayLight version Carbon SR3 and earlier contain a vulnerability during node reconciliation that can result in traffic flows that should be expired or should expire shortly being re-installed and their timers reset resulting in traffic being allowed that should be expired.
CVE-2014-5035		0.00	—	0.01	Aug 26, 2014	The Netconf (TCP) service in OpenDaylight 1.0 allows remote attackers to read arbitrary files via an XML external entity declaration in conjunction with an entity reference in an XML-RPC message, related to an XML External Entity (XXE) issue.

CVE-2015-1778CriJun 27, 2017
risk 0.64cvss 9.8epss 0.03
The custom authentication realm used by karaf-tomcat's "opendaylight" realm in Opendaylight before Helium SR3 will authenticate any username and password combination.
CVE-2014-8149HigJun 27, 2017
risk 0.57cvss 8.8epss 0.01
OpenDaylight defense4all 1.1.0 and earlier allows remote authenticated users to write report data to arbitrary files.
CVE-2017-1000406HigNov 30, 2017
risk 0.49cvss 7.5epss 0.00
OpenDaylight Karaf 0.6.1-Carbon fails to clear the cache after a password change, allowing the old password to be used until the Karaf cache is manually cleared (e.g. via restart).
CVE-2017-1000361HigApr 24, 2017
risk 0.49cvss 7.5epss 0.00
DOMRpcImplementationNotAvailableException when sending Port-Status packets to OpenDaylight. Controller launches exceptions and consumes more CPU resources. Component: OpenDaylight is vulnerable to this flaw. Version: The tested versions are OpenDaylight 3.3 and 4.0.
CVE-2017-1000357HigApr 24, 2017
risk 0.49cvss 7.5epss 0.00
Denial of Service attack when the switch rejects to receive packets from the controller. Component: This vulnerability affects OpenDaylight odl-l2switch-switch, which is the feature responsible for the OpenFlow communication. Version: OpenDaylight versions 3.3 (Lithium-SR3), 3.4 (Lithium-SR4), 4.0 (Beryllium), 4.1 (Beryllium-SR1), 4.2 (Beryllium-SR2), and 4.4 (Beryllium-SR4) are affected by this flaw. Java version is openjdk version 1.8.0_91.
CVE-2015-1612HigApr 4, 2017
risk 0.49cvss 7.5epss 0.01
OpenFlow plugin for OpenDaylight before Helium SR3 allows remote attackers to spoof the SDN topology and affect the flow of data, related to the reuse of LLDP packets, aka "LLDP Relay."
CVE-2015-1611HigApr 4, 2017
risk 0.49cvss 7.5epss 0.01
OpenFlow plugin for OpenDaylight before Helium SR3 allows remote attackers to spoof the SDN topology and affect the flow of data, related to "fake LLDP injection."
CVE-2017-1000360MedApr 24, 2017
risk 0.34cvss 5.3epss 0.00
StreamCorruptedException and NullPointerException in OpenDaylight odl-mdsal-xsql. Controller launches exceptions in the console. Component: OpenDaylight odl-mdsal-xsql is vulnerable to this flaw. Version: The tested versions are OpenDaylight 3.3 and 4.0.
CVE-2017-1000359MedApr 24, 2017
risk 0.34cvss 5.3epss 0.00
Java out of memory error and significant increase in resource consumption. Component: OpenDaylight odl-mdsal-xsql is vulnerable to this flaw. Version: The tested versions are OpenDaylight 3.3 and 4.0.
CVE-2015-1610MedMar 20, 2017
risk 0.34cvss 5.3epss 0.00
hosttracker in OpenDaylight l2switch allows remote attackers to change the host location information by spoofing the MAC address, aka "topology spoofing."
CVE-2018-1078Mar 16, 2018
risk 0.00cvss —epss 0.00
OpenDayLight version Carbon SR3 and earlier contain a vulnerability during node reconciliation that can result in traffic flows that should be expired or should expire shortly being re-installed and their timers reset resulting in traffic being allowed that should be expired.
CVE-2014-5035Aug 26, 2014
risk 0.00cvss —epss 0.01
The Netconf (TCP) service in OpenDaylight 1.0 allows remote attackers to read arbitrary files via an XML external entity declaration in conjunction with an entity reference in an XML-RPC message, related to an XML External Entity (XXE) issue.