CVE-2022-24035

7.5 HIGH

📋 TL;DR

A vulnerability in the intent framework of ONOS 2.5.1 causes intents for which a purge has been requested (state PURGE_REQ) to stay installed and active instead of being removed, and such intents no longer react to topology changes such as link failures. Combined with other applications that rely on the intent being gone or being recompiled, this can cause a network management failure. Organizations running ONOS as their SDN controller are affected.

💻 Affected Systems

Products:
  • ONOS (Open Network Operating System)
Versions: 2.5.1 is the only version named in the advisory; other releases that share the same intent framework code may also be affected but are not confirmed.
Operating Systems: Linux-based systems where ONOS is deployed
Default Config Vulnerable: ⚠️ Yes
Notes: Requires intent framework usage and combination with other applications to trigger the failure condition.

📦 What is this software?

ONOS (Open Network Operating System) is an open-source, Java-based SDN controller hosted by the Open Networking Foundation. It runs on Apache Karaf and is managed through the `onos>` CLI, a REST API, and a Java application API. The intent framework is the core subsystem through which applications express connectivity policy (for example, "connect host A to host B") as intents; ONOS compiles each intent into flow rules, installs them, and is expected to recompile or withdraw them when the topology changes, such as when a link fails. This vulnerability is in that intent lifecycle.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Cascading network failures causing complete loss of network management and control plane functionality across the SDN infrastructure.

🟠

Likely Case

Degraded network performance, routing inconsistencies, and partial loss of network management capabilities.

🟢

If Mitigated

Minimal impact with proper monitoring and failover mechanisms in place.

🌐 Internet-Facing: LOW - ONOS is typically deployed in internal network management planes, not directly internet-facing.
🏢 Internal Only: HIGH - Directly impacts core network management infrastructure critical for internal operations.

🎯 Exploit Status

Public PoC: ❌ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ❌ No
Complexity: MEDIUM

Triggering the condition requires an intent to be in the purge-requested state when a topology change (such as a link failure) occurs; the resulting management failure depends on how other applications interact with the stale intent. Anyone able to submit and purge intents (an ONOS application, or a CLI or REST user) can create the precondition. An academic research paper describes the issue, but no public exploit code is known.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Later versions of ONOS (check ONOS project updates post-2.5.1)

Vendor Advisory: https://wiki.onosproject.org/display/ONOS/Security+Advisories

Restart Required: Yes

Instructions:

1. Check the ONOS security advisories for the specific patch version.
2. Back up the current configuration.
3. Upgrade ONOS to the patched version.
4. Restart the ONOS services.
5. Verify intent framework functionality.

🔧 Temporary Workarounds

Manual Intent Cleanup

Before any planned topology change, list the intents and look for entries in the PURGE_REQ state. Withdraw and purge them explicitly from the CLI: `remove-intent` takes the application id and the intent key, and `-p` purges the intent after withdrawal. Re-run `intents` afterwards to confirm the entry is gone rather than merely marked.

onos> intents
onos> remove-intent -p <app-id> <intent-key>

Shorten Intent Cleanup Period

Shorten the period of the intent cleanup component so that stale intents are re-examined sooner. In ONOS the component is org.onosproject.net.intent.impl.IntentCleanup and its interval is the `period` property, in seconds; confirm the component and property names on your release with `cfg get` before changing anything, and pick a value below the one currently shown. Note that the cleanup component is designed to retry intents that stall in error states during installation or withdrawal, so treat this as a way to surface stale intents sooner, not as a fix for the purge behaviour itself.

onos> cfg get org.onosproject.net.intent.impl.IntentCleanup
onos> cfg set org.onosproject.net.intent.impl.IntentCleanup period <seconds>

🧯 If You Can't Patch

  • Monitor intent states and topology events closely and alert when a PURGE_REQ intent is still listed after a link-down event, or when a purge request stays open longer than your cleanup period
  • Schedule planned topology changes for maintenance windows, and confirm with `intents` that no intents are in the PURGE_REQ state before making the change

🔍 How to Verify

Check if Vulnerable:

Check the running ONOS version with `onos> summary` (the output includes `version=`). If it reports 2.5.1, or a version you cannot confirm as fixed, reproduce the condition: create an intent, request its purge, then take a link down and check whether the intent is still listed and whether it reacts to the topology change.

Check Version:

onos> summary

Verify Fix Applied:

After upgrade, repeat the test scenario: create intent, request purge, simulate link failure, verify intent properly responds or gets cleaned up.
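To make the before/after comparison repeatable, here is an added example (not ONOS project code) that snapshots the intent table through the ONOS REST API before and after you request the purge and take a link down from the CLI or Mininet, and reports intents that were in PURGE_REQ state and are still present afterwards. It assumes the default REST base URL http://localhost:8181/onos/v1 and the default credentials onos:rocks, both overridable through environment variables; the comparison itself is a plain function that takes the JSON returned by `GET /onos/v1/intents`.

```python
"""Added example, not ONOS project code: snapshot the ONOS intent table before
and after a link failure and report purge-requested intents that survived it.

Assumptions (edit to match your deployment): the ONOS REST API is reachable at
http://localhost:8181/onos/v1 with the default credentials onos:rocks. The
purge request (remove-intent -p from the CLI) and the link failure (e.g. from
Mininet) are performed by you between the two snapshots."""
import base64
import json
import os
import sys
import urllib.request

ONOS_URL = os.environ.get("ONOS_URL", "http://localhost:8181/onos/v1")
ONOS_USER = os.environ.get("ONOS_USER", "onos")
ONOS_PASS = os.environ.get("ONOS_PASS", "rocks")


def fetch_intents(base=ONOS_URL, user=ONOS_USER, password=ONOS_PASS):
    """GET /onos/v1/intents; returns the decoded JSON, a dict with an 'intents' list."""
    req = urllib.request.Request(base + "/intents")
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", "Basic " + token)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def by_key(snapshot):
    """Index an intents payload by (appId, key), the pair ONOS uses to identify an intent."""
    return {(i["appId"], i["key"]): i for i in snapshot.get("intents", [])}


def surviving_purges(before, after):
    """Intents that were in PURGE_REQ before the topology change and still exist after it.

    A healthy controller removes a purge-requested intent; an intent listed here
    is the CVE-2022-24035 symptom. Returns (appId, key, state_before, state_after).
    """
    after_idx = by_key(after)
    stuck = []
    for (app_id, key), intent in by_key(before).items():
        if intent.get("state") != "PURGE_REQ":
            continue
        if (app_id, key) in after_idx:
            stuck.append((app_id, key, "PURGE_REQ", after_idx[(app_id, key)].get("state")))
    return stuck


def main(argv):
    """probe.py snapshot FILE   -> save the current intent table to FILE
    probe.py compare FILE     -> fetch again, compare with FILE, exit 1 if intents are stuck"""
    if len(argv) == 3 and argv[1] == "snapshot":
        with open(argv[2], "w") as fh:
            json.dump(fetch_intents(), fh)
        print(f"saved {argv[2]}; now purge the intent and take a link down, then run compare")
        return 0
    if len(argv) == 3 and argv[1] == "compare":
        with open(argv[2]) as fh:
            before = json.load(fh)
        stuck = surviving_purges(before, fetch_intents())
        for app_id, key, s_before, s_after in stuck:
            print(f"STUCK {app_id} {key}: {s_before} -> {s_after}")
        return 1 if stuck else 0
    print(main.__doc__)
    return 2


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run `probe.py snapshot before.json` after requesting the purge, take the link down, then run `probe.py compare before.json`; a non-zero exit with `STUCK` lines means the controller still behaves as described in this CVE, and an empty result after the upgrade is the fix confirmation.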

📡 Detection & Monitoring

Log Indicators:

  • Intent purge requests without subsequent cleanup
  • Link failure events while purge-requested intents remain active
  • Network management application errors

Network Indicators:

  • Unexpected routing behavior
  • Increased network management protocol errors
  • Control plane inconsistencies

SIEM Query:

source="onos" AND ("PURGE_REQ" OR "purge" OR "intent cleanup") AND ("LINK_REMOVED" OR "link down" OR "topology change")

ONOS names intent states (for example PURGE_REQ) and link events (for example LINK_REMOVED) in its code and CLI output; whether and how they appear in the controller log depends on the log level and on which application logs the transition, so adjust the terms to what your controller actually writes.
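The two log indicators above amount to a correlation rule: a purge request that stays open, and a link removal that happens while purge-requested intents are still present. Here is an added example (not ONOS project code) that implements that rule over controller log lines. The log format is constructed to resemble Karaf-style ONOS output; real ONOS messages differ by release and by which application logs the state change, so the three regexes are the part to adapt to your own logs.

```python
"""Added example, not ONOS project code: correlate purge-requested intents with
link-removal events in ONOS controller logs to flag the CVE-2022-24035 condition.

The log lines below are constructed to resemble Karaf-style ONOS output. Real
ONOS messages differ by release and by which application logs the state change,
so the three regexes are the part to adapt to your own controller logs."""
import re
from datetime import datetime, timedelta

# Constructed sample, not captured from a real controller.
SAMPLE_LOG = """\
2022-03-01T10:00:00,000 | INFO | IntentManager | intent 0x1 appId org.onosproject.fwd state INSTALLED
2022-03-01T10:00:05,000 | INFO | IntentManager | intent 0x1 appId org.onosproject.fwd state PURGE_REQ
2022-03-01T10:00:06,000 | INFO | IntentManager | intent 0x2 appId org.onosproject.fwd state PURGE_REQ
2022-03-01T10:00:07,000 | INFO | IntentManager | intent 0x2 purged
2022-03-01T10:01:30,000 | INFO | LinkManager | link of:0000000000000001/2 -> of:0000000000000002/1 LINK_REMOVED
"""

PREFIX = r"^(\S+) \| \w+ \| \S+ \| "          # timestamp | level | logger |
INTENT_STATE = re.compile(PREFIX + r"intent (\S+) appId (\S+) state (\S+)$")
INTENT_PURGED = re.compile(PREFIX + r"intent (\S+) purged$")
LINK_REMOVED = re.compile(PREFIX + r"link (\S+) -> (\S+) LINK_REMOVED$")


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%S,%f")


def correlate(log_text, stale_after=timedelta(seconds=60)):
    """Return {'link_events': [...], 'stale_purges': [...]}.

    link_events:  a link was removed while intents were still purge-requested
                  (the second log indicator above).
    stale_purges: purge requests still open at the end of the log for longer
                  than stale_after (the first indicator: purge without cleanup).
    """
    pending = {}            # intent id -> (appId, time the purge was requested)
    link_events = []
    last_ts = None
    for line in log_text.splitlines():
        m = INTENT_STATE.match(line)
        if m:
            ts, iid, app, state = m.groups()
            last_ts = parse_ts(ts)
            if state == "PURGE_REQ":
                pending[iid] = (app, last_ts)
            else:
                pending.pop(iid, None)   # a later transition means the purge request is no longer pending
            continue
        m = INTENT_PURGED.match(line)
        if m:
            last_ts = parse_ts(m.group(1))
            pending.pop(m.group(2), None)
            continue
        m = LINK_REMOVED.match(line)
        if m:
            last_ts = parse_ts(m.group(1))
            for iid, (app, since) in pending.items():
                link_events.append({
                    "intent": iid, "appId": app,
                    "link": f"{m.group(2)} -> {m.group(3)}",
                    "purge_age_s": (last_ts - since).total_seconds(),
                })
    stale_purges = [
        {"intent": iid, "appId": app, "purge_age_s": (last_ts - since).total_seconds()}
        for iid, (app, since) in pending.items()
        if last_ts is not None and last_ts - since >= stale_after
    ]
    return {"link_events": link_events, "stale_purges": stale_purges}


if __name__ == "__main__":
    import json
    print(json.dumps(correlate(SAMPLE_LOG), indent=2))
```

On the constructed sample, intent 0x2 is purged normally and produces nothing, while intent 0x1 is reported twice: once because the link was removed 85 seconds into its open purge request, and once because the request is still open at the end of the log. In production, feed the function a rolling window of log lines and set `stale_after` to a little more than your intent cleanup period.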
