A call to ONAPPORTAL/processSingleSignOn with invalid UserId returns the
exact java error if server was unable to decrypt provided cookie.
This allows to easily decrypt any string encrypted using the same key.
Title: ONAP Portal is vulnerable for Padding Oracle attack
Reporter: Łukasz Wrochna and Wojciech Rauner from Samsung
Affects: Dublin and earlier
Łukasz Wrochna and Wojciech Rauner from Samsung reported a vulnerability in Portal. By executing a padding oracle attack using ONAPPORTAL/processSingleSignOn UserId field an attacker is able do decrypt arbitrary information encrypted with the same symmetric key as UserId. All Portal setups are affected.