The OpenDaylight Project has implemented security response measures following the recent revelation that the Netdump vulnerability, which exposed the open source network controller to remote takeover, went unpatched for months. A technical steering committee vote for the creation of a security response team and other new security measures passed on Wednesday.
Earlier this week, SDNCentral was the first to report that OpenDaylight initially failed to take action on Netdump in August, when a security researcher attempted to notify the project about the vulnerability. After David Jorm of IIX rekindled the issue on the project’s open mailing list Monday, patches for Netdump were quickly merged with the controller software’s stable release.
To prevent future security issues from going unnoticed, a five-member security response team will now be tasked with taking action on reported vulnerabilities. The team, selected by OpenDaylight’s technical steering committee, will initially include Jorm; Chris Wright and Kurt Seifried of Red Hat; and Rob Varga and Ed Warnicke of Cisco.
The researcher who first discovered Netdump, Hellfire Security’s Gregory Pickett, tells us that he discovered the vulnerability while reviewing the open-source codebase to learn more about software-defined networking (SDN) this summer. But Pickett got no response to a notification submitted to OpenDaylight through a web form on the project’s contact page.
“This is a testament to why open source software works,” OpenDaylight Executive Director Neela Jacques says in a statement to SDNCentral. “Greg could see the code, saw there was an issue, and flagged it through the web form, which unfortunately was a dead link.”
As part of the security overhaul passed this week, OpenDaylight has added a security notification email to its contact page. The project will also create a security advisory page disclosing patched vulnerabilities.
“We feel fortunate that the security response process was tested this early on, so we know how to better respond in the future,” Jacques says.
“We want people to find and share bugs with us so we can tackle them immediately.”