OSA-2019-013: SDC exposes JDWP outside of pod which allows for arbitrary code execution

Date: 2019-05-28

CVE: CVE-2019-12118

Severity: Critical

Affects

  • SDC: Dublin and earlier

Description

Radosław Żeszczuk from Samsung reported vulnerability in SDC. By accessing port 7001 of demo-sdc-sdc-wfd-be pod an unauthenticated attacker who already has access to pod to pod communication may execute arbitrary code inside this pod. All OOM ONAP setups which includes SDC are affected.

Patches

Credits

  • Radosław Żeszczuk from Samsung

References