ONAP JIRA Security Issues / OJSI-63

APPC exposes Jolokia Interface which allows to read and overwrite any arbitrary file (CVE-2019-12124)

Details

    • CVE-2019-12124

      Title: APPC exposes Jolokia interface which allows to read and overwrite an arbitrary file

      Reporter: Radosław Żeszczuk from Samsung

      Products: APPC

      Affects: Casablanca and earlier

      Description:

      Radosław Żeszczuk from Samsung reported a vulnerability in APPC. By using the exposed, unprotected Jolokia interface, an unauthenticated attacker can read or overwrite an arbitrary file. All APPC setups are affected.

      Note:

      The Dublin release is not vulnerable to this attack because the Jolokia interface is protected with basic HTTP authentication. Unfortunately, weak credentials are used by default, which can be considered a security risk.

    • OJSI-APPC

    Description

      Description in epic OJSI-62

       

            People

              Takamune_Cho Takamune Cho
              r.z . .
              Takamune Cho Takamune Cho