OSA-2019-009: HOLMES exposes JDWP outside of pod which allows for arbitrary code execution

Date: 2019-05-28

CVE: CVE-2019-12114

Severity: Critical

Affects

HOLMES: before Dublin

Description

Radosław Żeszczuk from Samsung reported vulnerability in HOLMES. By accessing port 9202 of dep-holmes-engine-mgmt pod an unauthenticated attacker who already has access to pod to pod communication may execute arbitrary code inside this pod. All OOM ONAP setups which includes HOLMES are affected.

Patches

87090

Credits

Radosław Żeszczuk from Samsung

References

Read the Docs v: kohn

Versions: latest; kohn; jakarta

Downloads: html

On Read the Docs: Project Home; Builds