[OJSI-79] demo-sdc-sdc-wfd-be exposes JDWP on port 7001 which allows for arbitrary code execution (CVE-2019-12118) - ONAP JIRA

Clone

Clone+

Clone++

XML

Word

Printable

Details

Type: Task
Status: Public disclosure
Priority: High
Resolution: Done
Affects Version/s: None
Fix Version/s: El Alto Release
Labels:
- CVE_ASSIGNED
- PENTEST032019

OJSI CVE:
CVE-2019-12118
OJSI Grant Project Access:
OJSI-SDC
Epic Link:
JDWP exposure

Description

Impact description (draft)

Title: SDC exposes JDWP outside of pod which allows for arbitrary code execution

Reporter: Radosław Żeszczuk from Samsung

Products: SDC

Affects: Dublin and earlier

Description:

Radosław Żeszczuk from Samsung reported vulnerability in SDC. By accessing port 7001 of demo-sdc-sdc-wfd-be pod an unauthenticated attacker who already has access to pod to pod communication may execute arbitrary code inside those pods. All OOM ONAP setups which includes SDC are affected.

Attachments

Gerrit Reviews

- Issue Only
- Show All Reviews
- Show Open Reviews
- Show All Issues
- Show Open Issues

No reviews matched the request. Check your Options in the drop-down menu of this sections header.

Activity

People

Assignee:: Robert Bogacki

Reporter:: . .

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 15/Apr/19 5:31 PM

Updated:: 05/Oct/19 10:18 PM