ONAP JIRA Security Issues / OJSI-206

Secret Management Service allows to access all stored data


    Details

    • Type: Task
    • Status: Public disclosure
    • Priority: Highest
    • Resolution: Done
    • Affects Version/s: Casablanca Maintenance Release, Casablanca
    • Fix Version/s: Dublin Release
    • OJSI CVE:
      CVE-2019-12320
    • OJSI Impact Description:

      Impact description (draft)

      Title: AAF Secret Management Service allows to access all stored data

      Reporter: Jakub Botwicz, Wojciech Rauner, Łukasz Wrochna and Radosław Żeszczuk from Samsung

      Products: AAF

      Affects: Casablanca and earlier

      Description:

      Jakub Botwicz, Wojciech Rauner, Łukasz Wrochna and Radosław Żeszczuk from Samsung reported a vulnerability in ONAP AAF. By accessing port 30243, an unauthenticated attacker gains full access to the Secret Management Service and all stored data. All ONAP OOM setups are affected.

      Note:

      The Dublin release is not vulnerable to this attack because aaf-sms is not exposed outside of the cluster, but the code itself is still vulnerable.

       

    • OJSI Grant Project Access:
      OJSI-AAF

      Description

      AAF Secret Management Service (SMS) is exposed outside of the cluster and allows an attacker
      to access all stored credentials without any authentication.

      http -v --verify=no https://<IP ADDR>:30243/v1/sms/domain/<DOMAIN>/secret/<SECRET>
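To check a deployment for the exposure described above, the following added example (not part of the original issue or of ONAP's code) audits `kubectl get svc -A -o json` output for SMS services reachable from outside the cluster. It goes beyond the NodePort case in the report by also flagging LoadBalancer services and `externalIPs`; the sample data, the `onap` namespace, the `aaf-sms-db` service and the internal port numbers are constructed assumptions.

```python
import json
import sys

# Constructed sample shaped like `kubectl get svc -A -o json` output.
# Only the name aaf-sms and nodePort 30243 come from the issue; the
# namespace, internal ports and second service are assumptions.
SAMPLE = json.loads("""
{"items": [
 {"metadata": {"name": "aaf-sms", "namespace": "onap"},
  "spec": {"type": "NodePort",
           "ports": [{"port": 10443, "nodePort": 30243}]}},
 {"metadata": {"name": "aaf-sms-db", "namespace": "onap"},
  "spec": {"type": "ClusterIP", "ports": [{"port": 8200}]}}
]}
""")

# Service types that publish a port beyond the cluster network.
EXTERNAL_TYPES = {"NodePort", "LoadBalancer"}


def exposed_services(service_list, name_filter="sms"):
    """Return (namespace, name, type, node_ports) for each matching
    service that is reachable from outside the cluster."""
    findings = []
    for svc in service_list.get("items", []):
        meta, spec = svc.get("metadata", {}), svc.get("spec", {})
        name = meta.get("name", "")
        if name_filter not in name:
            continue
        svc_type = spec.get("type", "ClusterIP")  # Kubernetes default type
        node_ports = [p["nodePort"] for p in spec.get("ports", [])
                      if p.get("nodePort")]
        external_ips = spec.get("externalIPs", [])
        if svc_type in EXTERNAL_TYPES or node_ports or external_ips:
            findings.append((meta.get("namespace", "default"), name,
                             svc_type, node_ports))
    return findings


if __name__ == "__main__":
    # Pipe real kubectl JSON on stdin, or run without input for the sample.
    data = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    for ns, name, svc_type, ports in exposed_services(data):
        print(f"{ns}/{name}: type={svc_type} nodePorts={ports} "
              "(reachable from outside the cluster)")
```

An empty result only confirms the Dublin-style mitigation: per the note above, the service itself still answers unauthenticated requests from inside the cluster.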


              People

              Assignee:
              kirankamineni Kiran Kamineni
              Reporter:
              kopasiak Krzysztof Opasiak