
ONAP Portal is vulnerable to a padding oracle attack (CVE-2019-12121)


    Details

    • OJSI CVE:
      CVE-2019-12121
    • OJSI Grant Project Access:
      OJSI-PORTAL

      Description

      A call to ONAPPORTAL/processSingleSignOn with an invalid UserId returns the
      exact Java error if the server was unable to decrypt the provided cookie.
      This allows an attacker to easily decrypt any string encrypted using the same key.

      Impact description (draft)

      Title: ONAP Portal is vulnerable to a padding oracle attack

      Reporter: Łukasz Wrochna and Wojciech Rauner from Samsung

      Products: Portal

      Affects: Dublin and earlier

      Description:

      Łukasz Wrochna and Wojciech Rauner from Samsung reported a vulnerability in Portal. By executing a padding oracle attack using the ONAPPORTAL/processSingleSignOn UserId field, an attacker is able to decrypt arbitrary information encrypted with the same symmetric key as UserId. All Portal setups are affected.
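
      The error-handling difference behind this class of issue, as an added example that is not ONAP Portal code: a handler that returns the decryption exception text, beside one that authenticates the cookie and answers every failure identically. The class and method names, the all-zero demo key, the AES-CBC mode in the leaky variant and the nonce-plus-ciphertext cookie layout are assumptions made for illustration; the report does not state which cipher mode Portal uses.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.*;
import javax.crypto.Cipher;
import javax.crypto.spec.*;

public class UserIdCookieDemo {
    // Constructed all-zero demo key (assumption); real keys come from a secret store.
    static final SecretKeySpec KEY = new SecretKeySpec(new byte[16], "AES");
    // Leaky pattern: the exception text reaches the client, so a padding
    // failure is distinguishable from every other kind of failure.
    static String leakyResponse(byte[] iv, byte[] ct) {
        try {
            Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
            c.init(Cipher.DECRYPT_MODE, KEY, new IvParameterSpec(iv));
            return "user=" + new String(c.doFinal(ct), StandardCharsets.UTF_8);
        } catch (GeneralSecurityException e) {
            return "500 " + e; // e.g. javax.crypto.BadPaddingException: ...
        }
    }

    // Hardened: AES-GCM rejects any modified cookie, and all failures look the same.
    static String hardenedResponse(String cookie) {
        try {
            byte[] raw = Base64.getUrlDecoder().decode(cookie);
            Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
            c.init(Cipher.DECRYPT_MODE, KEY, new GCMParameterSpec(128, raw, 0, 12));
            return "user=" + new String(c.doFinal(raw, 12, raw.length - 12), StandardCharsets.UTF_8);
        } catch (GeneralSecurityException | RuntimeException e) {
            return "401 invalid session"; // details belong in the server log only
        }
    }
    // Issues a cookie laid out as 12-byte nonce || ciphertext+tag (assumed layout).
    static String seal(String userId) throws GeneralSecurityException {
        byte[] iv = new byte[12];
        new SecureRandom().nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, KEY, new GCMParameterSpec(128, iv));
        byte[] ct = c.doFinal(userId.getBytes(StandardCharsets.UTF_8));
        byte[] out = Arrays.copyOf(iv, 12 + ct.length);
        System.arraycopy(ct, 0, out, 12, ct.length);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(out);
    }
    public static void main(String[] args) throws Exception {
        String cookie = seal("demo");
        System.out.println(hardenedResponse(cookie));           // valid cookie
        System.out.println(hardenedResponse(cookie + "A"));     // modified cookie
        System.out.println(leakyResponse(new byte[16], new byte[16])); // exception text exposed
    }
}
```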


            People

            Assignee:
            talasila Manoop Talasila
            Reporter:
            l.wrochna Łukasz Wrochna
            OJSI Grant Person Access:
            Piotr Borelowski
            OJSI Grant Person2 Access:
            Jim Baker