Issue OSA for OJSI-92

Signed-off-by: Krzysztof Opasiak <k.opasiak@samsung.com> Change-Id: Ia06e9d689e2aa2cf25390a8fbb745dd2c076db97
author: Krzysztof Opasiak <k.opasiak@samsung.com> 2019-05-28 15:09:52 +0200
committer: Krzysztof Opasiak <k.opasiak@samsung.com> 2019-05-28 21:07:32 +0200
commit: 4b20ce5a564559637ad14dfa9ffcfeda1ad63c73 (patch)
tree: ad2e39420e4284f38c83b150b48edc31e3e978f1
parent: 24c4ea20a4ba41ca6a8b4cb546471cd545f1d436 (diff)
1 files changed, 36 insertions, 0 deletions
diff --git a/osa/OSA-2019-016.rst b/osa/OSA-2019-016.rst
new file mode 100644
index 0000000..2b457bd
--- /dev/null
+++ b/osa/OSA-2019-016.rst
@@ -0,0 +1,36 @@
+=================================================================
+OSA-2019-016: ONAP Portal is vulnerable for Padding Oracle attack
+=================================================================
+
+**Date:** 2019-05-28
+
+**CVE:** CVE-2019-12121
+
+**Severity:** Important
+
+Affects
+-------
+
+* Portal: Dublin and earlier
+
+Description
+-----------
+
+Łukasz Wrochna and Wojciech Rauner from Samsung reported a vulnerability in Portal. By executing a padding oracle attack using ONAPPORTAL/processSingleSignOn UserId field an attacker is able do decrypt arbitrary information encrypted with the same symmetric key as UserId. All Portal setups are affected.
+
+Patches
+-------
+
+* `88689 <https://gerrit.onap.org/r/c/portal/+/88689>`_
+
+Credits
+-------
+
+* Łukasz Wrochna from Samsung
+* Wojciech Rauner from Samsung
+
+References
+----------
+
+* `OJSI-92 <https://jira.onap.org/browse/OJSI-92>`_
+* `CVE-2019-12121 <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12121>`_
author	Krzysztof Opasiak <k.opasiak@samsung.com>	2019-05-28 15:09:52 +0200
committer	Krzysztof Opasiak <k.opasiak@samsung.com>	2019-05-28 21:07:32 +0200
commit	4b20ce5a564559637ad14dfa9ffcfeda1ad63c73 (patch)
tree	ad2e39420e4284f38c83b150b48edc31e3e978f1
parent	24c4ea20a4ba41ca6a8b4cb546471cd545f1d436 (diff)