CVE-2021-38363

7.5 HIGH

📋 TL;DR

This vulnerability in ONOS (Open Network Operating System) allows memory exhaustion through orphaned intents that cannot be cleaned up. When an intent installation fails with an exception, it remains stuck in memory indefinitely, consuming resources. This affects ONOS deployments where intents are used for network configuration.

💻 Affected Systems

Products:
  • ONOS (Open Network Operating System)
Versions: 2.5.1 is the only version named; other releases sharing the same intent-handling code are likely affected as well
Operating Systems: Linux-based systems where ONOS runs
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability triggers when intents fail to install due to exceptions during the installation process.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete denial of service as memory fills with orphaned intents, causing ONOS controller to crash and disrupting all managed network services.

🟠

Likely Case

Gradual performance degradation and eventual service disruption as memory consumption increases over time.

🟢

If Mitigated

Controlled memory growth with monitoring and restart procedures, but still requires eventual remediation.

🌐 Internet-Facing: MEDIUM - ONOS controllers are typically internal network management systems but may have management interfaces exposed.
🏢 Internal Only: HIGH - This affects the core network controller functionality that manages internal network infrastructure.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW - Requires ability to create intents that trigger exceptions

Exploitation requires network management access to create intents. The vulnerability is triggered by normal operations that fail unexpectedly.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check ONOS release notes for versions after 2.5.1

Vendor Advisory: https://opennetworking.org/onos/

Restart Required: Yes

Instructions:

1. Check ONOS documentation for patched versions.
2. Back up the current configuration.
3. Upgrade to the patched version.
4. Restart the ONOS service.
5. Verify intent functionality.

🔧 Temporary Workarounds

Monitor and manually clean intents

Applies to: all

Regularly monitor intent status and manually remove stuck intents before memory exhaustion occurs:

  onos> intents
  onos> remove-intent <intent-id>

Limit intent creation

Applies to: all

Restrict who can create intents and implement validation to prevent problematic intent requests.

🧯 If You Can't Patch

  • Implement aggressive memory monitoring with alerts for abnormal growth
  • Establish regular ONOS restart schedule to clear accumulated orphaned intents

🔍 How to Verify

Check if Vulnerable:

Check the ONOS version with the 'onos-version' command. Monitor memory usage and check for intents stuck in a pending state.

Check Version:

onos-version

Verify Fix Applied:

After patching, test intent creation and deletion, monitor memory usage over time for abnormal growth.

📡 Detection & Monitoring

Log Indicators:

  • Repeated intent installation failures
  • Memory usage warnings
  • Intent cleanup process errors

Network Indicators:

  • Increased latency in network configuration changes
  • Unresponsive ONOS management interfaces

SIEM Query:

source="onos" AND ("intent failed" OR "memory high" OR "pendingMap")
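The log indicators above can be turned into a small monitoring check. The script below is an added example written for this page, not code from the advisory or the ONOS project. The log lines are constructed, and the message wording ("failed to install", "withdrawn", "heap used") is a hypothetical format; real ONOS log output differs, so the regular expressions must be adapted to the controller's actual messages. It flags three signals: intents whose installation failed and that were never withdrawn afterwards (the orphan candidates), bursts of installation failures in a short window, and heap growth between the first and last memory sample.

```python
import bisect
import re
from datetime import datetime, timedelta

# Constructed sample log lines for this example (not real ONOS output).
SAMPLE_LOGS = [
    "2024-05-01T10:00:00 INFO  IntentManager - Intent 0x1 installed",
    "2024-05-01T10:00:05 ERROR IntentManager - Intent 0x2 failed to install: exception during installation",
    "2024-05-01T10:00:07 ERROR IntentManager - Intent 0x3 failed to install: exception during installation",
    "2024-05-01T10:00:09 WARN  Memory - heap used 612MB",
    "2024-05-01T10:00:12 ERROR IntentManager - Intent 0x4 failed to install: exception during installation",
    "2024-05-01T10:00:20 INFO  IntentManager - Intent 0x2 withdrawn",
    "2024-05-01T10:05:00 WARN  Memory - heap used 780MB",
    "2024-05-01T10:10:00 WARN  Memory - heap used 955MB",
    "this line is not in the expected format and is skipped",
]

# Hypothetical line layout: "<ISO timestamp> <LEVEL> <message>". Adapt to real logs.
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<level>[A-Z]+)\s+(?P<msg>.*)$")
FAIL_RE = re.compile(r"Intent (?P<id>0x[0-9a-f]+) failed to install")
CLEAN_RE = re.compile(r"Intent (?P<id>0x[0-9a-f]+) (?:withdrawn|removed|purged)")
HEAP_RE = re.compile(r"heap used (?P<mb>\d+)MB")


def parse_line(line):
    """Return {'ts', 'level', 'msg'} for a well-formed line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    try:
        ts = datetime.fromisoformat(m["ts"])
    except ValueError:
        return None
    return {"ts": ts, "level": m["level"], "msg": m["msg"]}


def records(lines):
    """Parse all lines, silently dropping malformed ones."""
    return [r for r in map(parse_line, lines) if r is not None]


def orphaned_intents(lines):
    """IDs whose installation failed and that were never withdrawn/removed afterwards.
    These are the candidates for the stuck entries the advisory describes."""
    failed, cleaned = {}, set()
    for rec in records(lines):
        f = FAIL_RE.search(rec["msg"])
        if f:
            failed[f["id"]] = rec["ts"]
            continue
        c = CLEAN_RE.search(rec["msg"])
        if c:
            cleaned.add(c["id"])
    return sorted(i for i in failed if i not in cleaned)


def failure_bursts(lines, window=timedelta(seconds=30), threshold=3):
    """Sliding-window count of installation failures. Returns [(window_start, count)]
    for every failure that starts a window holding at least `threshold` failures."""
    times = sorted(r["ts"] for r in records(lines) if FAIL_RE.search(r["msg"]))
    alerts = []
    for i, start in enumerate(times):
        end = bisect.bisect_right(times, start + window)
        if end - i >= threshold:
            alerts.append((start, end - i))
    return alerts


def heap_growth(lines):
    """(first_mb, last_mb, growth_pct) from heap samples; growth_pct is None with < 2 samples."""
    samples = [int(h["mb"]) for r in records(lines) if (h := HEAP_RE.search(r["msg"]))]
    if len(samples) < 2:
        return (samples[0] if samples else None, samples[-1] if samples else None, None)
    first, last = samples[0], samples[-1]
    return first, last, round((last - first) * 100.0 / first, 1)


def assess(lines, growth_alert_pct=25.0):
    """Combine the three signals into one verdict a monitoring job could emit."""
    orphans = orphaned_intents(lines)
    bursts = failure_bursts(lines)
    first, last, pct = heap_growth(lines)
    return {
        "orphaned_intents": orphans,
        "failure_bursts": len(bursts),
        "heap_first_mb": first,
        "heap_last_mb": last,
        "heap_growth_pct": pct,
        "alert": bool(orphans) and (bool(bursts) or (pct is not None and pct >= growth_alert_pct)),
    }


if __name__ == "__main__":
    print(assess(SAMPLE_LOGS))
```

On the constructed input this reports two orphan candidates (0x3 and 0x4; 0x2 failed but was later withdrawn), one failure burst, and about 56% heap growth, so the combined alert fires. Feed it the controller's own log stream on a schedule and pair the result with the manual cleanup steps listed under the workarounds.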
