summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorKrzysztof Opasiak <k.opasiak@samsung.com>2019-05-28 15:12:22 +0200
committerKrzysztof Opasiak <k.opasiak@samsung.com>2019-05-28 21:07:32 +0200
commitbb0fdcc3aac8a193a7c191bb57979d5a535c7d7c (patch)
treeef99e13680c6e86e1800dfe31d7b653fc3e3af74
parent92806a527884328c9d4967bab2e5eb5677fa281a (diff)
Issue OSA for OJSI-206
Signed-off-by: Krzysztof Opasiak <k.opasiak@samsung.com> Change-Id: I523feb8d6fe6964f7cb4a97f431c2b68fa056aa4
-rw-r--r--osa/OSA-2019-026.rst42
1 files changed, 42 insertions, 0 deletions
diff --git a/osa/OSA-2019-026.rst b/osa/OSA-2019-026.rst
new file mode 100644
index 0000000..45935c3
--- /dev/null
+++ b/osa/OSA-2019-026.rst
@@ -0,0 +1,42 @@
+============================================================================
+OSA-2019-026: AAF Secret Management Service allows to access all stored data
+============================================================================
+
+**Date:** 2019-05-28
+
+**CVE:** CVE-2019-12320
+
+**Severity:** Important
+
+Affects
+-------
+
+* AAF: before Dublin
+
+Description
+-----------
+
+Jakub Botwicz, Wojciech Rauner, Łukasz Wrochna and Radosław Żeszczuk from Samsung reported a vulnerability in ONAP AAF. By accessing port 30243, an unauthenticated attacker gains full access to the Secret Management Service and all stored data. All ONAP OOM setups are affected.
+
+Patches
+-------
+
+* `82717 <https://gerrit.onap.org/r/#/c/oom/+/82717/>`_
+
+**Warning**
+
+Above patch should be considered only as a temporary walkaround as it only prevents SMS from being exposed instead of fixing the issues.
+
+Credits
+-------
+
+* Jakub Botwicz from Samsung
+* Wojciech Rauner from Samsung
+* Łukasz Wrochna from Samsung
+* Radosław Żeszczuk from Samsung
+
+References
+----------
+
+* `OJSI-206 <https://jira.onap.org/browse/OJSI-206>`_
+* `CVE-2019-12320 <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12320>`_