CVE-2022-29604 in ONOSinfo

Summary

by MITRE • 04/20/2023

An issue was discovered in ONOS 2.5.1. An intent with an uppercase letter in a device ID shows the CORRUPT state, which is misleading to a network operator. Improper handling of case sensitivity causes inconsistency between intent and flow rules in the network.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 05/23/2026

The vulnerability identified as CVE-2022-29604 affects ONOS version 2.5.1, a software-defined networking controller platform that manages network intents and flow rules. This issue stems from inadequate case sensitivity handling within the intent processing system, specifically when device IDs contain uppercase letters. The problem manifests when network operators create intents using device identifiers with mixed or uppercase characters, leading to an incorrect CORRUPT state designation in the intent management system. This misclassification creates operational confusion as network administrators receive misleading status information about their network configurations.

The technical flaw resides in the intent validation and processing logic where the system fails to normalize device ID case handling during intent creation and state management. When an intent references a device ID containing uppercase letters, the controller's internal state management mechanism incorrectly interprets this as a corruption or inconsistency issue rather than a legitimate device identifier. This case sensitivity mismatch causes a disconnect between the intent definition and the actual flow rules that should be applied to the network devices. The system's inability to properly handle case variations in device identifiers creates a fundamental inconsistency in the intent-flow rule synchronization process.

From an operational perspective, this vulnerability significantly impacts network management and troubleshooting activities. Network operators relying on ONOS for intent-based network control face misleading operational states that could lead to incorrect diagnosis of network issues. The CORRUPT state designation misleads administrators into believing their network intents are malformed or corrupted when the actual problem is simply case sensitivity handling. This inconsistency between intent state and flow rule application can result in network configuration drift where intended network behavior does not match the actual deployed flows, potentially causing service disruption or misconfigured network paths.

The vulnerability aligns with CWE-200, which addresses improper handling of case sensitivity in security contexts, and relates to ATT&CK technique T1566 for social engineering through misleading system states. Network operators may waste significant time investigating non-existent corruption issues while the real problem remains undetected. The improper state management also violates security best practices for robust system design and can be exploited by adversaries to create confusion during incident response or to mask other security issues. Organizations using ONOS should implement immediate workarounds such as enforcing lowercase device ID conventions or applying patches that normalize case sensitivity during intent processing, while also conducting thorough audits of existing intents to identify any potentially affected configurations.

Reservation

04/25/2022

Disclosure

04/20/2023

Moderation

accepted

CPE

ready

EPSS

0.01007

KEV

no

Activities

very low

Sources

Interested in the pricing of exploits?

See the underground prices here!