Issue OSA for OJSI-206

Signed-off-by: Krzysztof Opasiak <k.opasiak@samsung.com>
Change-Id: I523feb8d6fe6964f7cb4a97f431c2b68fa056aa4

1 files changed, 42 insertions, 0 deletions

diff --git a/osa/OSA-2019-026.rst b/osa/OSA-2019-026.rst
new file mode 100644
index 0000000..45935c3
--- /dev/null
+++ b/osa/OSA-2019-026.rst
@@ -0,0 +1,42 @@
+============================================================================
+OSA-2019-026: AAF Secret Management Service allows to access all stored data
+============================================================================
+
+**Date:** 2019-05-28
+
+**CVE:** CVE-2019-12320
+
+**Severity:** Important
+
+Affects
+-------
+
+* AAF: before Dublin
+
+Description
+-----------
+
+Jakub Botwicz, Wojciech Rauner, Łukasz Wrochna and Radosław Żeszczuk from Samsung reported a vulnerability in ONAP AAF. By accessing port 30243, an unauthenticated attacker gains full access to the Secret Management Service and all stored data. All ONAP OOM setups are affected.
+
+Patches
+-------
+
+* `82717 <https://gerrit.onap.org/r/#/c/oom/+/82717/>`_
+
+**Warning**
+
+Above patch should be considered only as a temporary walkaround as it only prevents SMS from being exposed instead of fixing the issues.
+
+Credits
+-------
+
+* Jakub Botwicz from Samsung
+* Wojciech Rauner from Samsung
+* Łukasz Wrochna from Samsung
+* Radosław Żeszczuk from Samsung
+
+References
+----------
+
+* `OJSI-206 <https://jira.onap.org/browse/OJSI-206>`_
+* `CVE-2019-12320 <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12320>`_