OSA-2019-016: ONAP Portal is vulnerable for Padding Oracle attack

Date: 2019-05-28

CVE: CVE-2019-12121

Severity: Important

Affects

Portal: Dublin and earlier

Description

Łukasz Wrochna and Wojciech Rauner from Samsung reported a vulnerability in Portal. By executing a padding oracle attack using ONAPPORTAL/processSingleSignOn UserId field an attacker is able do decrypt arbitrary information encrypted with the same symmetric key as UserId. All Portal setups are affected.

Patches

88689

Credits

Łukasz Wrochna from Samsung
Wojciech Rauner from Samsung

References

Read the Docs v: kohn

Versions: latest; kohn; jakarta

Downloads: html

On Read the Docs: Project Home; Builds