CVE-2017-1000411 [High] | Security Vulnerability in Opendaylight

OpenFlow Plugin and OpenDayLight Controller versions Nitrogen, Carbon, Boron, Robert Varga, Anil Vishnoi contain a flaw when multiple 'expired' flows take up the memory resource of CONFIG DATASTORE which leads to CONTROLLER shutdown. If multiple different flows with 'idle-timeout' and 'hard-timeout' are sent to the Openflow Plugin REST API, the expired flows will eventually crash the controller once its resource allocations set with the JVM size are exceeded. Although the installed flows (with timeout set) are removed from network (and thus also from controller's operations DS), the expired entries are still present in CONFIG DS. The attack can originate both from NORTH or SOUTH. The above description is for a north bound attack. A south bound attack can originate when an attacker attempts a flow flooding attack and since flows come with timeouts, the attack is not successful. However, the attacker will now be successful in CONTROLLER overflow attack (resource consumption). Although, the network (actual flow tables) and operational DS are only (~)1% occupied, the controller requests for resource consumption. This happens because the installed flows get removed from the network upon timeout.

#	Date	Old EPSS score	New EPSS score	Delta (New - Old)
1	2026-06-15	0.93%	1.60%	+0.67%
2	2025-03-30	1.04%	0.93%	-0.11%
3	2025-03-29	—	1.04%	—

Date

Old EPSS score

New EPSS score

Delta (New - Old)

2026-06-15

0.93%

1.60%

+0.67%

2025-03-30

1.04%

0.93%

-0.11%

2025-03-29

—

1.04%

—

Base score	Version	Severity	Vector	Exploitability	Impact	Score source
7.5	3.0	HIGH	`CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H` Click to expand Attack vector (AV:N) Could be attacked over the internet or any normal routed network—not just someone sitting at the machine. Attack complexity (AC:L) Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup. Privileges required (PR:N) No account or special rights needed—anonymous or random user is enough. User interaction (UI:N) Nobody has to click “OK” or open a trap file; it can work without a victim helping. Scope (S:U) Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems. Confidentiality (C:N) Doesn’t really leak secrets in a meaningful way. Integrity (I:N) Data isn’t meaningfully altered or forged. Availability (A:H) Could take the service down hard or make it unusable for people who depend on it.	3.9	3.6	[email protected]
5.0	2.0	MEDIUM	`AV:N/AC:L/Au:N/C:N/I:N/A:P` Click to expand Access vector (AV:N) Can be exploited remotely over network reachability. Access complexity (AC:L) Exploitation conditions are straightforward and predictable. Authentication (AU:N) No authentication is required. Confidentiality impact (C:N) No confidentiality impact. Integrity impact (I:N) No integrity impact. Availability impact (A:P) Partial availability impact.	10.0	2.9	[email protected]

Base score

Version

Severity

Vector

Exploitability

Impact

Score source

7.5

3.0

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Click to expand

Attack vector (AV:N): Could be attacked over the internet or any normal routed network—not just someone sitting at the machine.
Attack complexity (AC:L): Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:N): No account or special rights needed—anonymous or random user is enough.
User interaction (UI:N): Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:U): Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:N): Doesn’t really leak secrets in a meaningful way.
Integrity (I:N): Data isn’t meaningfully altered or forged.
Availability (A:H): Could take the service down hard or make it unusable for people who depend on it.

3.9

3.6

[email protected]

5.0

2.0

MEDIUM

AV:N/AC:L/Au:N/C:N/I:N/A:P Click to expand

Access vector (AV:N): Can be exploited remotely over network reachability.
Access complexity (AC:L): Exploitation conditions are straightforward and predictable.
Authentication (AU:N): No authentication is required.
Confidentiality impact (C:N): No confidentiality impact.
Integrity impact (I:N): No integrity impact.
Availability impact (A:P): Partial availability impact.

10.0

2.9

[email protected]

OS Trackers for CVE-2017-1000411

vendor	priority	summary	link
`redhat`	medium	—	https://access.redhat.com/security/cve/CVE-2017-1000411

vendor

priority

summary

link

redhat

medium

—

https://access.redhat.com/security/cve/CVE-2017-1000411

Affected software / configurations for CVE-2017-1000411

Vendor	Product	Version	Raw CPE
opendaylight	opendaylight	boron	cpe:2.3:a:opendaylight:opendaylight:boron:::::::*
opendaylight	opendaylight	carbon	cpe:2.3:a:opendaylight:opendaylight:carbon:::::::*
opendaylight	opendaylight	nitrogen	cpe:2.3:a:opendaylight:opendaylight:nitrogen:::::::*
opendaylight	openflow	boron	cpe:2.3:a:opendaylight:openflow:boron:::::opendaylight::
opendaylight	openflow	carbon	cpe:2.3:a:opendaylight:openflow:carbon:::::opendaylight::
opendaylight	openflow	nitrogen	cpe:2.3:a:opendaylight:openflow:nitrogen:::::opendaylight::

References for CVE-2017-1000411

URL	Tags
http://seclists.org/oss-sec/2018/q1/52	Mailing List Third Party Advisory
http://www.securityfocus.com/bid/102736	Third Party Advisory VDB Entry

URL

CVE-2017-1000411

Exploit prediction scoring system (EPSS) score for CVE-2017-1000411

Common vulnerability scoring system (CVSS) metrics for CVE-2017-1000411

Weakness enumeration for CVE-2017-1000411

OS Trackers for CVE-2017-1000411

Affected software / configurations for CVE-2017-1000411

References for CVE-2017-1000411