Details
- Task
- Status: Public disclosure
- High
- Resolution: Done
- Casablanca Maintenance Release, Dublin Release, Casablanca
- CVE-2019-12121
- OJSI-PORTAL
Description
A call to ONAPPORTAL/processSingleSignOn with an invalid UserId returns the
exact Java error if the server was unable to decrypt the provided cookie.
This makes it easy to decrypt any string encrypted using the same key.
Impact description (draft)
Title: ONAP Portal is vulnerable to a padding oracle attack
Reporter: Łukasz Wrochna and Wojciech Rauner from Samsung
Products: Portal
Affects: Dublin and earlier
Description:
Łukasz Wrochna and Wojciech Rauner from Samsung reported a vulnerability in Portal. By executing a padding oracle attack using the UserId field of ONAPPORTAL/processSingleSignOn, an attacker is able to decrypt arbitrary information encrypted with the same symmetric key as UserId. All Portal setups are affected.
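The error-handling difference behind this issue, shown as an added Java example; it is not ONAP Portal code. The class and method names, the cookie format (Base64 of AES/CBC/PKCS5Padding ciphertext), and the all-zero key and IV are assumptions made for the illustration.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public class SsoCookieErrorDemo {
    // Constructed all-zero demo key and IV (assumption: AES/CBC/PKCS5Padding cookie).
    static final SecretKeySpec KEY = new SecretKeySpec(new byte[16], "AES");
    static final IvParameterSpec IV = new IvParameterSpec(new byte[16]);

    static String decrypt(String cookie) throws Exception {
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.DECRYPT_MODE, KEY, IV);
        return new String(c.doFinal(Base64.getDecoder().decode(cookie)), StandardCharsets.UTF_8);
    }

    // Before: exception text reaches the client, so a padding failure is distinguishable.
    static String handleLeaky(String cookie) {
        try {
            return "200 user=" + decrypt(cookie);
        } catch (Exception e) {
            return "500 " + e;
        }
    }

    // After: one fixed response for any failure; the detail stays in the server log.
    static String handleUniform(String cookie) {
        try {
            return "200 user=" + decrypt(cookie);
        } catch (Exception e) {
            System.err.println("SSO cookie rejected: " + e.getClass().getName());
            return "401 Authentication failed";
        }
    }
    // Hypothetical helper that builds the constructed sample cookies.
    static String seal(String mode, byte[] data) throws Exception {
        Cipher enc = Cipher.getInstance(mode);
        enc.init(Cipher.ENCRYPT_MODE, KEY, IV);
        return Base64.getEncoder().encodeToString(enc.doFinal(data));
    }

    public static void main(String[] args) throws Exception {
        String[] cookies = {
            seal("AES/CBC/PKCS5Padding", "demo-user".getBytes(StandardCharsets.UTF_8)), // valid
            seal("AES/CBC/NoPadding", new byte[16]), // constructed: invalid padding
            "not-base64!" // malformed encoding
        };
        for (String c : cookies) System.out.println(handleLeaky(c) + " | " + handleUniform(c));
    }
}
```

Returning one fixed response removes the error-message signal described above; authenticating the ciphertext (a MAC checked before decryption, or an AEAD mode) is the general remedy for padding oracles.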
Attachments
| Change, patch set | Subject | Branch | Project | Status | Code-Review | Verified |
|---|---|---|---|---|---|---|
| 88642,3 | Issue OSA for OJSI-92 | master | osa | MERGED | +2 | +1 |
| 88689,1 | Don't give user the exact exception description | master | portal | MERGED | +2 | +1 |
| 88893,1 | Document OJSI-92 (CVE-2019-12121) vulnerability | master | portal | MERGED | +2 | +1 |
| 88906,1 | Document OJSI-92 (CVE-2019-12121) vulnerability | release-2.5.0 | portal | MERGED | +2 | +1 |
| 96650,1 | Document fixed OJSI tickets | elalto | portal | MERGED | +2 | +1 |
| 96808,1 | Document fixed OJSI tickets | master | portal | MERGED | +2 | +1 |