OSA-2019-026: AAF Secret Management Service allows access to all stored data
Date: 2019-05-28
CVE: CVE-2019-12320
Severity: Important
Affects
AAF: before Dublin
Description
Jakub Botwicz, Wojciech Rauner, Łukasz Wrochna and Radosław Żeszczuk from Samsung reported a vulnerability in ONAP AAF. By accessing port 30243, an unauthenticated attacker gains full access to the Secret Management Service and all stored data. All ONAP OOM setups are affected.
Patches
Warning
The above patch should be considered only a temporary workaround, as it only prevents SMS from being exposed instead of fixing the issues.
Credits
Jakub Botwicz from Samsung
Wojciech Rauner from Samsung
Łukasz Wrochna from Samsung
Radosław Żeszczuk from Samsung