CVE-2022-29606 in ONOSinfo

Summary

by MITRE • 04/20/2023

An issue was discovered in ONOS 2.5.1. An intent with a large port number shows the CORRUPT state, which is misleading to a network operator. Improper handling of such port numbers causes inconsistency between intent and flow rules in the network.

Be aware that VulDB is the high quality source for vulnerability data.

Analysis

by VulDB Data Team • 05/23/2026

The vulnerability identified as CVE-2022-29606 affects ONOS version 2.5.1, a software-defined networking controller platform that manages network intent and flow rules across SDN environments. This flaw represents a critical inconsistency issue within the intent management system where the controller fails to properly process intent configurations containing excessively large port numbers, leading to misleading operational states that can compromise network management integrity. The vulnerability manifests when an intent is submitted with a port number exceeding the system's expected range, causing the intent to be marked with a CORRUPT state that misleads network operators about the actual operational condition of their network infrastructure.

The technical root cause of this vulnerability stems from inadequate input validation and error handling within the intent processing pipeline of the ONOS controller. When a port number exceeds the acceptable numerical bounds for the system's internal representation, the controller's state management logic fails to properly categorize or handle this exceptional condition. This improper handling results in the system marking the intent as CORRUPT rather than either rejecting the invalid configuration or properly processing it within acceptable parameters. The flaw operates at the intersection of software configuration management and network state consistency, where the controller's intent-to-flow rule translation mechanism breaks down when encountering out-of-range port specifications. This represents a classic case of insufficient boundary checking and exception handling that violates fundamental software security principles.

The operational impact of this vulnerability extends beyond simple misclassification of network state, creating significant risks for network operators who rely on accurate intent status reporting for network management and troubleshooting. When an intent displays as CORRUPT due to large port numbers, operators may incorrectly assume that network connectivity or flow rule configuration has failed, potentially leading to unnecessary troubleshooting efforts, false alarms, or misguided network modifications. The inconsistency between the intent state and actual flow rules creates a dangerous misalignment that can mask real network problems while presenting false positives, ultimately undermining operator confidence in the controller's reliability. This vulnerability particularly affects network administrators managing complex topologies with high port count configurations or those implementing extended port numbering schemes that exceed typical expectations.

Mitigation strategies for this vulnerability require immediate implementation of input validation controls within the ONOS intent processing framework to reject or properly handle port numbers exceeding defined operational boundaries. Network operators should implement configuration audits to identify existing intents with problematic port numbers and either correct them or remove them from active management. The controller should be updated to version 2.5.2 or later where this issue has been resolved through improved input sanitization and state management logic. Additionally, operators should establish monitoring procedures to detect and alert on unusual port number patterns in intent configurations, implementing automated validation checks that can prevent such malformed intents from entering the system. This vulnerability aligns with CWE-129 Input Validation and CWE-248 Uncaught Exception categories, and represents a potential ATT&CK technique related to Defense Evasion through misleading system state reporting, where operators are deceived into making incorrect operational decisions based on corrupted status information.

Reservation

04/25/2022

Disclosure

04/20/2023

Moderation

accepted

CPE

ready

EPSS

0.00987

KEV

no

Activities

very low

Sources

Might our Artificial Intelligence support you?

Check our Alexa App!