CVE-2022-29605 in ONOSinfo

Summary

by MITRE • 04/20/2023

An issue was discovered in ONOS 2.5.1. IntentManager attempts to install the IPv6 flow rules of an intent into an OpenFlow 1.0 switch that does not support IPv6. Improper handling of the difference in capabilities of the intent and switch is misleading to a network operator.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Analysis

by VulDB Data Team • 05/23/2026

The vulnerability identified as CVE-2022-29605 affects ONOS version 2.5.1 and stems from a critical mismatch in network protocol handling within the IntentManager component. This issue manifests when the system attempts to install IPv6 flow rules for network intents into OpenFlow 1.0 switches that lack native IPv6 support, creating a fundamental incompatibility between the intent specification and the underlying switch capabilities. The problem resides in the insufficient validation and capability negotiation processes that occur during intent deployment, where the system fails to properly assess whether the target switch infrastructure can accommodate the IPv6 flow requirements of the intent.

The technical flaw represents a protocol mismatch that directly violates the principles of proper network abstraction and capability-aware provisioning. According to CWE-1104, this vulnerability demonstrates poor handling of protocol incompatibilities, specifically in the area of network protocol support and feature negotiation. The IntentManager component lacks adequate checks to verify switch capabilities before attempting to install flow rules, resulting in a situation where IPv6-specific flow modifications are sent to switches that cannot process them correctly. This creates a misleading operational environment where network operators receive false assurances about their network configuration while the underlying infrastructure cannot properly execute the intended IPv6 connectivity policies.

The operational impact of this vulnerability extends beyond simple configuration errors to potentially compromise network security and management integrity. Network operators relying on ONOS for intent-based networking may experience unexpected behavior where IPv6 flow rules appear to be successfully installed but fail silently on OpenFlow 1.0 switches, leading to misconfigured network policies and potential security gaps. This issue directly impacts the ATT&CK technique T1078.004 related to valid accounts and T1566 related to phishing, as operators might be misled into believing their network is properly configured for IPv6 connectivity when in reality the switches are not handling IPv6 traffic correctly. The misleading nature of this vulnerability can cause cascading failures in network management and security policy enforcement, particularly in environments where IPv6 connectivity is essential for proper network operation.

Mitigation strategies should focus on implementing comprehensive capability validation before intent installation and establishing proper error handling for protocol mismatches. Organizations should ensure that all switches in their network are properly catalogued with their supported protocol capabilities, and that the IntentManager performs thorough compatibility checks before attempting to install flow rules. The system should be configured to either automatically downgrade IPv6 intents to IPv4 compatible rules when working with OpenFlow 1.0 switches or to generate explicit warnings when attempting to deploy incompatible intents. Additionally, implementing proper logging and monitoring for such mismatches will help operators identify and resolve configuration issues before they impact network operations. Regular network inventory updates and capability assessments should be part of routine maintenance procedures to prevent similar issues in future deployments.

Reservation

04/25/2022

Disclosure

04/20/2023

Moderation

accepted

CPE

ready

EPSS

0.00654

KEV

no

Activities

very low

Sources

Might our Artificial Intelligence support you?

Check our Alexa App!