CVE-2022-29607 in ONOS
Summary
by MITRE • 04/20/2023
An issue was discovered in ONOS 2.5.1. Modification of an existing intent to have the same source and destination shows the INSTALLED state without any flow rule. Improper handling of such an intent is misleading to a network operator.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 05/23/2026
The vulnerability described in CVE-2022-29607 affects ONOS version 2.5.1, a software-defined networking controller platform that manages network intent-based applications. This issue represents a critical flaw in the intent processing and flow rule management system of the controller, where the system fails to properly handle cases where an intent is configured with identical source and destination points. The vulnerability stems from improper validation and state management logic within the intent processing pipeline, creating a scenario where the system incorrectly reports an intent as INSTALLED even when no actual flow rules are created or applied to the network infrastructure.
The technical flaw manifests when network operators attempt to create or modify intents that specify the same source and destination endpoints, which should logically result in no network traffic or flow rules being necessary. However, the ONOS controller incorrectly processes these malformed intents and transitions them to an INSTALLED state without generating the corresponding flow rules. This behavior violates fundamental principles of network intent processing and creates a misleading operational environment where administrators believe network policies have been successfully deployed while in reality no actual network modifications have occurred. The vulnerability operates at the application layer of the network control plane, specifically within the intent management subsystem that translates high-level network policies into low-level flow table entries.
The operational impact of this vulnerability is significant for network administrators and operators who rely on ONOS for managing their software-defined networks. The misleading INSTALLED state creates a false sense of security and operational correctness, potentially leading to incorrect network behavior assessments and delayed detection of actual connectivity issues. Network operators may waste considerable time troubleshooting network problems, believing that their intended network policies are properly installed when they are not. This issue directly violates the principle of least privilege and operational transparency that network management systems must maintain, as it creates a scenario where the system's reported state does not accurately reflect the actual network configuration. The vulnerability can be exploited by any user with access to modify intents within the ONOS system, making it particularly concerning for environments where multiple administrators have access to the controller interface.
The flaw aligns with CWE-252, which addresses "Unchecked Return Value" and improper error handling in security-critical systems. This vulnerability demonstrates how inadequate validation of input parameters and state transitions can create security and operational risks within network management systems. From an ATT&CK framework perspective, this issue could be categorized under T1547.001 for Registry Run Keys / Startup Folder, as it involves improper state management that could potentially be exploited to manipulate the controller's operational state. The vulnerability also relates to T1078.004 for Valid Accounts, as it could be exploited by malicious actors with legitimate access to create misleading network states that might be used to hide other security issues or facilitate further attacks. Organizations should implement immediate mitigations including enhanced input validation for intent creation, additional state verification checks, and comprehensive monitoring of intent state transitions to detect and prevent such misleading operational states from occurring in production environments.