  1. ONAP JIRA Security Issues
  2. OJSI-92

ONAP Portal is vulnerable for Padding Oracle attack (CVE-2019-12121)


Details

    • CVE-2019-12121
    • OJSI-PORTAL

    Description

      A call to ONAPPORTAL/processSingleSignOn with an invalid UserId returns the
      exact Java error if the server was unable to decrypt the provided cookie.
      This allows an attacker to easily decrypt any string encrypted using the same key.

      Impact description (draft)

      Title: ONAP Portal is vulnerable for Padding Oracle attack

      Reporter: Łukasz Wrochna and Wojciech Rauner from Samsung

      Products: Portal

      Affects: Dublin and earlier

      Description:

      Łukasz Wrochna and Wojciech Rauner from Samsung reported a vulnerability in Portal. By executing a padding oracle attack using the ONAPPORTAL/processSingleSignOn UserId field, an attacker is able to decrypt arbitrary information encrypted with the same symmetric key as UserId. All Portal setups are affected.
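
The oracle described above exists because the response differs depending on why decryption of the UserId cookie failed. The following is an added example, not ONAP Portal code or the project's fix: a cookie codec that uses authenticated encryption and collapses every failure into one generic result. The class name, cookie layout, response strings and the choice of AES-GCM are assumptions made for illustration.

```java
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import java.util.Optional;

// Added example, not ONAP Portal code: class, methods and cookie layout are hypothetical.
public class UserIdCookie {
    private static final int IV_LEN = 12, TAG_BITS = 128;
    private final SecretKeySpec key;
    public UserIdCookie(byte[] rawKey) { this.key = new SecretKeySpec(rawKey, "AES"); }

    // Cookie value = base64url(IV || ciphertext || GCM tag); a fresh random IV per cookie.
    public String seal(String userId) throws Exception {
        byte[] iv = new byte[IV_LEN];
        new SecureRandom().nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = c.doFinal(userId.getBytes(StandardCharsets.UTF_8));
        byte[] out = Arrays.copyOf(iv, iv.length + ct.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(out);
    }

    // Bad base64, truncated input and tag mismatch all end in the same empty result,
    // so the caller has exactly one response for every invalid cookie.
    public Optional<String> open(String cookie) {
        try {
            byte[] in = Base64.getUrlDecoder().decode(cookie);
            Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
            c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, in, 0, IV_LEN));
            byte[] pt = c.doFinal(in, IV_LEN, in.length - IV_LEN);
            return Optional.of(new String(pt, StandardCharsets.UTF_8));
        } catch (Exception e) {
            return Optional.empty(); // log server-side only; never echo e to the client
        }
    }

    public static void main(String[] args) throws Exception {
        UserIdCookie codec = new UserIdCookie(new byte[32]); // constructed all-zero demo key
        String good = codec.seal("demo-user");               // constructed sample UserId
        String tampered = (good.charAt(0) == 'A' ? "B" : "A") + good.substring(1);
        for (String v : new String[] { good, tampered, "not base64!" })
            System.out.println(codec.open(v).map(u -> "200 user=" + u).orElse("401 invalid session"));
    }
}
```

Running `main` prints the same `401 invalid session` line for the tampered and the malformed cookie, which is the property to check for in the real endpoint: response body, status code and timing should not depend on the reason decryption failed.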

          People

            talasila Manoop Talasila
            l.wrochna Łukasz Wrochna
            Piotr Borelowski Piotr Borelowski
            Jim Baker Jim Baker