CVE-2022-29604

9.8 CRITICAL

📋 TL;DR

This vulnerability in ONOS (Open Network Operating System) stems from improper handling of case sensitivity in device IDs: intents whose device IDs contain uppercase letters are displayed in a misleading CORRUPT state. The resulting inconsistency between intent state and installed flow rules can lead network operators to misinterpret the network state. It affects ONOS deployments where operators manage network intents.

💻 Affected Systems

Products:
  • ONOS (Open Network Operating System)
Versions: 2.5.1 and potentially earlier versions
Operating Systems: Linux-based systems where ONOS is deployed
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all ONOS deployments using the intent framework with device IDs containing uppercase letters.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Network operators could make incorrect decisions based on misleading CORRUPT state displays, potentially causing network misconfigurations, service disruptions, or security policy bypasses.

🟠 Likely Case

Operational confusion and potential misconfiguration of network intents due to inconsistent state reporting between the intent framework and actual flow rules.

🟢 If Mitigated

Operational inefficiency and potential minor configuration errors that can be corrected through manual verification.

🌐 Internet-Facing: LOW - ONOS is typically deployed in internal network management planes, not directly internet-facing.
🏢 Internal Only: HIGH - This affects core network management functionality that could impact entire network operations.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: NO
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access to ONOS and knowledge of the intent framework. The issue is triggered by normal operational actions with specific device ID formatting.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: ONOS 2.6.0 or later

Vendor Advisory: https://wiki.onosproject.org/display/ONOS/Security+Advisories

Restart Required: Yes

Instructions:

1. Back up the current ONOS configuration.
2. Upgrade to ONOS 2.6.0 or later.
3. Restart ONOS services.
4. Verify intent framework functionality.

🔧 Temporary Workarounds

Device ID normalization (platform: all)

Enforce lowercase-only device IDs in all intent configurations.

# Use lowercase device IDs in all ONOS intent configurations
# Example: deviceId:of:0000000000000001 instead of deviceId:OF:0000000000000001

Intent validation script (platform: linux)

Implement pre-deployment validation to detect uppercase letters in device IDs.

#!/bin/bash
# Flag intents whose deviceId *value* contains uppercase letters (the key "deviceId" itself is skipped).
# Usage: ./validate_intents.sh intent_config.json
grep -oE '"deviceId"[[:space:]]*:[[:space:]]*"[^"]*"' "${1:-intent_config.json}" \
  | sed -E 's/^"deviceId"[[:space:]]*:[[:space:]]*"([^"]*)"$/\1/' \
  | grep -E '[A-Z]' && echo "WARNING: Uppercase detected in device ID"

🧯 If You Can't Patch

  • Implement strict device ID naming conventions (lowercase only) across all network devices
  • Add manual verification step for all intent deployments to cross-check intent state with actual flow rules

🔍 How to Verify

Check if Vulnerable:

Create an intent with a device ID containing uppercase letters and check if it shows CORRUPT state while flow rules are properly installed.

Check Version:

onos-version | grep "ONOS"

Verify Fix Applied:

After patching, test with uppercase device IDs - intents should show correct state (INSTALLED) rather than CORRUPT.

📡 Detection & Monitoring

Log Indicators:

  • Intent state transitions to CORRUPT for device IDs with uppercase letters
  • Mismatch logs between intent framework and flow rule installations

Network Indicators:

  • Inconsistent network behavior for intents with specific device ID patterns

SIEM Query:

source="onos" AND ("CORRUPT" OR "uppercase" OR "deviceId")
