OJSI-92

ONAP Portal is vulnerable to a Padding Oracle attack (CVE-2019-12121)

    Details

    • OJSI CVE:
      CVE-2019-12121
    • OJSI Grant Project Access:
      OJSI-PORTAL

      Description

      A call to ONAPPORTAL/processSingleSignOn with an invalid UserId returns the
      exact Java error if the server was unable to decrypt the provided cookie.
      This allows anyone to easily decrypt any string encrypted using the same key.

      Impact description (draft)

      Title: ONAP Portal is vulnerable to a Padding Oracle attack

      Reporter: Łukasz Wrochna and Wojciech Rauner from Samsung

      Products: Portal

      Affects: Dublin and earlier

      Description:

      Łukasz Wrochna and Wojciech Rauner from Samsung reported a vulnerability in Portal. By executing a padding oracle attack using the ONAPPORTAL/processSingleSignOn UserId field, an attacker is able to decrypt arbitrary information encrypted with the same symmetric key as the UserId. All Portal setups are affected.
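      The root cause described above (the decryption error text reaching the client) and the fix, shown as an added illustration that is not ONAP Portal code. The class, method names and key handling are hypothetical; only the leaky-versus-uniform error handling and the use of authenticated encryption are the point.

```java
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.IvParameterSpec;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.util.logging.Logger;

// Hypothetical SSO cookie handler illustrating the issue; not ONAP Portal code.
public class SsoCookieHandler {
    private static final Logger LOG = Logger.getLogger(SsoCookieHandler.class.getName());
    private final SecretKey key;

    public SsoCookieHandler(SecretKey key) { this.key = key; }

    // VULNERABLE pattern: the exception text tells the caller whether the
    // failure was a padding error or something else, which is exactly the
    // signal a padding oracle needs. CBC mode also carries no integrity check,
    // so a modified cookie is decrypted instead of being rejected outright.
    public String decryptUserIdLeaky(byte[] iv, byte[] ciphertext) {
        try {
            Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
            c.init(Cipher.DECRYPT_MODE, key, new IvParameterSpec(iv));
            return new String(c.doFinal(ciphertext), StandardCharsets.UTF_8);
        } catch (GeneralSecurityException e) {
            // e.g. "javax.crypto.BadPaddingException: Given final block not properly padded"
            return "Error: " + e;   // exception detail ends up in the HTTP response
        }
    }

    // HARDENED pattern: authenticated encryption (AES-GCM) rejects any tampered
    // cookie before plaintext is produced, and every failure yields the same
    // opaque result; the detail goes only to the server log.
    public String decryptUserIdSafe(byte[] nonce, byte[] ciphertextWithTag) {
        try {
            Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
            c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, nonce));
            return new String(c.doFinal(ciphertextWithTag), StandardCharsets.UTF_8);
        } catch (GeneralSecurityException e) {
            LOG.warning("SSO cookie rejected: " + e.getClass().getSimpleName());
            return null;            // caller answers with one generic 401, whatever the cause
        }
    }
}
```

      A burst of processSingleSignOn requests from one client that each produce a cookie-rejection log entry is the server-side signal worth alerting on, since the attack needs many such attempts per byte of plaintext.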


            People

            • Assignee:
              talasila Manoop Talasila
            • Reporter:
              l.wrochna Łukasz Wrochna
            • OJSI Grant Person Access:
              Piotr Borelowski
            • OJSI Grant Person2 Access:
              Jim Baker