OSA-2019-016: ONAP Portal is vulnerable to a padding oracle attack
Date: 2019-05-28
CVE: CVE-2019-12121
Severity: Important
Affects
Portal: Dublin and earlier
Description
Łukasz Wrochna and Wojciech Rauner from Samsung reported a vulnerability in Portal. By executing a padding oracle attack against the UserId field of ONAPPORTAL/processSingleSignOn, an attacker is able to decrypt arbitrary information encrypted with the same symmetric key as UserId. All Portal setups are affected.
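A padding oracle attack depends on submitting many modified ciphertexts and observing the responses, so a single client presenting many distinct UserId values to this endpoint within a short time is a usable detection signal. The sketch below is an added example, not ONAP code; the log format (ISO time, client address, request path, digest of the submitted UserId value), the window and the threshold are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

ENDPOINT = "/ONAPPORTAL/processSingleSignOn"  # endpoint named in the advisory
WINDOW = timedelta(seconds=60)                # assumed sliding window
MAX_DISTINCT = 20                             # assumed threshold, tune per site

def parse(line):
    """Parse the assumed format: ISO-time client path userid-digest."""
    ts, client, path, digest = line.split()
    return datetime.fromisoformat(ts), client, path, digest

def suspicious_clients(lines, window=WINDOW, max_distinct=MAX_DISTINCT):
    """Return {client: peak number of distinct UserId values seen inside any
    window} for clients that exceed max_distinct on the SSO endpoint."""
    events = defaultdict(list)
    for line in lines:
        ts, client, path, digest = parse(line)
        if path.startswith(ENDPOINT):
            events[client].append((ts, digest))
    flagged = {}
    for client, evs in events.items():
        evs.sort()
        start, peak = 0, 0
        counts = defaultdict(int)  # digest -> occurrences inside the window
        for ts, digest in evs:
            counts[digest] += 1
            while ts - evs[start][0] > window:  # expire events older than window
                old = evs[start][1]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                start += 1
            peak = max(peak, len(counts))
        if peak > max_distinct:
            flagged[client] = peak
    return flagged

def sample_log():
    """Constructed sample: one client cycling values, one ordinary user."""
    base = datetime(2019, 5, 28, 12, 0, 0)
    lines = []
    for i in range(300):  # 300 distinct values in 30 s from one address
        t = base + timedelta(milliseconds=100 * i)
        lines.append(f"{t.isoformat()} 198.51.100.7 {ENDPOINT} d{i:04x}")
    for i in range(5):    # ordinary user re-presents the same value
        t = base + timedelta(seconds=10 * i)
        lines.append(f"{t.isoformat()} 203.0.113.9 {ENDPOINT} a1b2c3")
    return lines

if __name__ == "__main__":
    print(suspicious_clients(sample_log()))
```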
Patches
Credits
Łukasz Wrochna from Samsung
Wojciech Rauner from Samsung