OSA-2019-026: AAF Secret Management Service allows to access all stored data

Date: 2019-05-28

CVE: CVE-2019-12320

Severity: Important

Affects

  • AAF: before Dublin

Description

Jakub Botwicz, Wojciech Rauner, Łukasz Wrochna and Radosław Żeszczuk from Samsung reported a vulnerability in ONAP AAF. By accessing port 30243, an unauthenticated attacker gains full access to the Secret Management Service and all stored data. All ONAP OOM setups are affected.

Patches

Warning

Above patch should be considered only as a temporary walkaround as it only prevents SMS from being exposed instead of fixing the issues.

Credits

  • Jakub Botwicz from Samsung
  • Wojciech Rauner from Samsung
  • Łukasz Wrochna from Samsung
  • Radosław Żeszczuk from Samsung