CVE-2020-18683

9.8 CRITICAL

📋 TL;DR

CVE-2020-18683 is an input validation vulnerability in the Floodlight SDN controller's StaticFlowEntryPusherResource.java that allows attackers to execute arbitrary code through the mishandling of undefined fields. It affects all Floodlight installations through version 1.2. Network administrators using Floodlight for software-defined networking are at risk.

💻 Affected Systems

Products:
  • Floodlight SDN Controller
Versions: through 1.2
Operating Systems: All platforms running Floodlight
Default Config Vulnerable: ⚠️ Yes
Notes: All default installations are vulnerable. The StaticFlowEntryPusherResource component is enabled by default.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to complete compromise of the SDN controller, allowing an attacker to manipulate network flows, intercept traffic, or pivot to other network segments.

🟠

Likely Case

Unauthenticated remote code execution resulting in SDN controller compromise and potential network manipulation.

🟢

If Mitigated

Limited impact if network segmentation isolates the controller and proper input validation is implemented.

🌐 Internet-Facing: HIGH - The vulnerability can be exploited remotely without authentication.
🏢 Internal Only: HIGH - Even internally, the vulnerability allows unauthenticated exploitation.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability is in a REST API endpoint that handles flow entries. Exploitation requires sending specially crafted JSON payloads to the vulnerable endpoint.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.2.1 or later

Vendor Advisory: https://github.com/floodlight/floodlight

Restart Required: Yes

Instructions:

1. Download Floodlight version 1.2.1 or later from the official repository.
2. Stop the Floodlight service.
3. Replace the existing installation with the patched version.
4. Restart the Floodlight service.

🔧 Temporary Workarounds

Disable StaticFlowEntryPusher REST API

Platform: all

Temporarily disable the vulnerable REST API endpoint until patching can be completed.

1. Edit floodlightdefault.properties and set net.floodlightcontroller.staticflowentry.web.StaticFlowEntryPusher.enable=false
2. Restart the Floodlight service

Network Access Control

Platform: linux

Restrict network access to Floodlight REST API endpoints using firewall rules.

iptables -A INPUT -p tcp --dport 8080 -s trusted_networks -j ACCEPT
iptables -A INPUT -p tcp --dport 8080 -j DROP

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate Floodlight controller from untrusted networks
  • Deploy web application firewall (WAF) rules to filter malicious JSON payloads targeting the StaticFlowEntryPusher endpoint

🔍 How to Verify

Check if Vulnerable:

Check the Floodlight version: if it is 1.2 or earlier, the system is vulnerable. Test by sending a crafted JSON payload with undefined fields to the /wm/staticflowentrypusher/json endpoint.

Check Version:

Run java -jar floodlight.jar --version, or check the version in floodlight.properties.

Verify Fix Applied:

Verify that the Floodlight version is 1.2.1 or later. Test that malformed JSON payloads with undefined fields are rejected by the StaticFlowEntryPusher endpoint.

📡 Detection & Monitoring

Log Indicators:

  • Unusual JSON parsing errors in Floodlight logs
  • Multiple failed attempts to access /wm/staticflowentrypusher/json endpoint
  • Unexpected process execution from Floodlight context

Network Indicators:

  • Unusual traffic patterns to Floodlight REST API port (default 8080)
  • Malformed JSON payloads sent to /wm/staticflowentrypusher/json

SIEM Query:

source="floodlight.log" AND ("StaticFlowEntryPusher" OR "undefined field" OR "JSON parsing error")
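As an added example (not part of this advisory) of applying the log and network indicators above: a small Python checker that runs the SIEM query's terms over constructed sample log lines and counts rejected requests to the StaticFlowEntryPusher endpoint per source address. The Floodlight/Restlet log line layout used here is an assumption; adjust the regex to the format your deployment emits.

```python
import re
from collections import Counter

# Constructed sample log lines. The timestamp/logger/request layout is an
# assumption about Floodlight's logback and Restlet output, not a captured log.
SAMPLE_LOG = """\
2020-07-01 10:00:01.001 INFO  [o.r.e.Engine] 10.0.0.5 - - 8080 POST /wm/staticflowentrypusher/json - 400
2020-07-01 10:00:01.002 ERROR [n.f.s.StaticFlowEntryPusherResource] JSON parsing error: undefined field "foo" in flow entry
2020-07-01 10:00:02.001 INFO  [o.r.e.Engine] 10.0.0.5 - - 8080 POST /wm/staticflowentrypusher/json - 400
2020-07-01 10:00:03.001 INFO  [o.r.e.Engine] 10.0.0.5 - - 8080 POST /wm/staticflowentrypusher/json - 400
2020-07-01 10:00:04.001 INFO  [o.r.e.Engine] 10.0.0.5 - - 8080 POST /wm/staticflowentrypusher/json - 400
2020-07-01 10:05:00.000 INFO  [o.r.e.Engine] 192.168.1.20 - - 8080 GET /wm/core/controller/switches/json - 200
2020-07-01 10:06:00.000 INFO  [n.f.c.i.Controller] Switch DPID 00:00:00:00:00:00:00:01 connected
"""

# The three terms from the SIEM query above, matched case-insensitively.
INDICATOR_TERMS = ("staticflowentrypusher", "undefined field", "json parsing error")
ENDPOINT = "/wm/staticflowentrypusher/json"
# Assumed request-line shape: "<client ip> - - <port> <method> <path> - <status>"
REQUEST_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}) - - \d+ \w+ (\S+) - (\d{3})")


def indicator_lines(log_text):
    """Return every line that contains at least one SIEM indicator term."""
    return [line for line in log_text.splitlines()
            if any(term in line.lower() for term in INDICATOR_TERMS)]


def rejected_requests_by_source(log_text, endpoint=ENDPOINT):
    """Count requests to the endpoint per client IP that the controller rejected (4xx)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if m and m.group(2) == endpoint and m.group(3).startswith("4"):
            counts[m.group(1)] += 1
    return counts


def suspicious_sources(log_text, threshold=3):
    """Client IPs with at least `threshold` rejected requests to the endpoint."""
    return sorted(ip for ip, n in rejected_requests_by_source(log_text).items()
                  if n >= threshold)
```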

🔗 References
