Story
Resolution: Done
Highest
We at SECCOM received the following e-mail:
"Hello.
To whom it may concern.
I was investigating a service where critical information has been leaked on the network for security monitoring, and I have confirmed data that seems to be critical information from your site.
When you access the following URL, a server log is returned.
In general, I am afraid you already have a problem, as the logs should not be available to the public, but they contained access tokens, usernames, and passwords.
I have not been able to confirm how these data are being used, so it is possible that this is not a problem, but I have reported it to you just in case.
Sorry for my unfamiliarity with English.
Thank you,
kohei"
SECCOM initial analysis:
This log file is attached to this page:
https://wiki.onap.org/display/DW/SDNC+Component
When you go to that page, click on the ellipsis (three dots) at the top right, then select Attachments. The file is attached there: it is a test document and the corresponding log file for that activity. The tester tried to onboard a Huawei L3VPN PNF to AAI and do downstream deployment and provisioning. The test document was created by Ramu N of Huawei. These files contain username, password, device, token and IP information; such information shouldn't be in public files.
Acceptance criteria:
Remove sensitive information such as username, password, device, token and IP.
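One way to apply this criterion to a log before it is attached to a public page, as an added example (not ONAP's or the tester's code). The key names, the `[REDACTED]` marker and the sample lines are assumptions constructed for illustration; the real log format may need further rules.

```python
import re

REDACTED = "[REDACTED]"

# Keys whose values are treated as secrets (assumed names; adjust to the real log format).
_KEY = r"(?:(?:user|device)(?:[_-]?(?:id|name))?|password|passwd|token)"

RULES = [
    # Authorization-style schemes: "Bearer <token>", "Basic <base64>". Runs first so a
    # value such as "token=Bearer abc" does not leave the credential behind.
    ("auth-scheme", re.compile(r"(?i)\b(Bearer|Basic)\s+[A-Za-z0-9._~+/=-]+"),
     r"\1 " + REDACTED),
    # key=value, key: value and JSON "key": "value" where the key ends in a sensitive name.
    ("key-value", re.compile(r'(?i)\b([\w.-]*?' + _KEY + r')("?\s*[:=]\s*"?)([^\s",;&}]+)'),
     r"\1\2" + REDACTED),
    # Any dotted quad; deliberately over-matches (version strings) rather than leak an address.
    ("ipv4", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"), REDACTED),
]

def redact_line(line):
    """Return (sanitized_line, [names of the rules that fired])."""
    fired = []
    for name, pattern, repl in RULES:
        line, count = pattern.subn(repl, line)
        if count:
            fired.append(name)
    return line, fired

def sanitize(lines):
    """Sanitize log lines; return (clean_lines, {line_number: rules_fired})."""
    clean, findings = [], {}
    for number, line in enumerate(lines, 1):
        out, fired = redact_line(line)
        clean.append(out)
        if fired:
            findings[number] = fired
    return clean, findings

# Constructed sample lines, not taken from the attachment discussed in this ticket.
SAMPLE = [
    "2021-03-01 10:00:01 INFO login username=admin password=S3cr3t! from 192.0.2.15",
    '{"device": "pe-router-1", "access_token": "abc123.def456"}',
    "GET /api/v1/devices HTTP/1.1 Authorization: Basic YWRtaW46YWRtaW4=",
    "INFO provisioning finished in 42 ms",
]

if __name__ == "__main__":
    cleaned, report = sanitize(SAMPLE)
    print("\n".join(cleaned))
    print(report)
```

The findings map can also serve as a pre-publication gate: a non-empty result means the file still needs review before it is attached.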