From a370f0b1dc257ad498d91480032bd2c9090acb7f Mon Sep 17 00:00:00 2001 From: Krzysztof Opasiak Date: Thu, 30 May 2019 15:25:46 +0200 Subject: Document OJSI-15 (CVE-2019-12317) vulnerability Issue-ID: OJSI-15 Signed-off-by: Krzysztof Opasiak Change-Id: I5cb96956f25e09a390ef24a52f6222c0cc7b9e94 --- docs/release-notes.rst | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docs/release-notes.rst b/docs/release-notes.rst index 457819bc..4f954692 100644 --- a/docs/release-notes.rst +++ b/docs/release-notes.rst @@ -35,6 +35,8 @@ We worked on SDK upgrade to integrate with AAF. We partially implemented multi-l *Fixed Security Issues* *Known Security Issues* + + * CVE-2019-12317 - Number of XSS vulnerabilities in Portal [`OJSI-15 `_] * In defult deployment PORTAL (portal-app) exposes HTTP port 8989 outside of cluster. [`OJSI-97 `_] * In defult deployment PORTAL (portal-app) exposes HTTP port 30215 outside of cluster. [`OJSI-105 `_] * In defult deployment PORTAL (portal-sdk) exposes HTTP port 30212 outside of cluster. [`OJSI-106 `_] -- cgit 1.2.3-korg From af68d030bd7f66b680c2b44cd60a19a35aaf9223 Mon Sep 17 00:00:00 2001 From: Krzysztof Opasiak Date: Thu, 30 May 2019 15:26:40 +0200 Subject: Document OJSI-65 (CVE-2019-1212) vulnerability Issue-ID: OJSI-65 Signed-off-by: Krzysztof Opasiak Change-Id: I5c3bee06c2b1da3eca2bb583c57decb35b0f32c0 --- docs/release-notes.rst | 1 + 1 file changed, 1 insertion(+) diff --git a/docs/release-notes.rst b/docs/release-notes.rst index 4f954692..fbaf675e 100644 --- a/docs/release-notes.rst +++ b/docs/release-notes.rst 
@@ -37,6 +37,7 @@ We worked on SDK upgrade to integrate with AAF. We partially implemented multi-l *Known Security Issues* * CVE-2019-12317 - Number of XSS vulnerabilities in Portal [`OJSI-15 `_] + * CVE-2019-12122 - ONAP Portal allows to retrieve password of currently active user [`OJSI-65 `_] * In defult deployment PORTAL (portal-app) exposes HTTP port 8989 outside of cluster. [`OJSI-97 `_] * In defult deployment PORTAL (portal-app) exposes HTTP port 30215 outside of cluster. [`OJSI-105 `_] * In defult deployment PORTAL (portal-sdk) exposes HTTP port 30212 outside of cluster. [`OJSI-106 `_] -- cgit 1.2.3-korg From fc4442976411f28a214898a3261e698c48dda31d Mon Sep 17 00:00:00 2001 From: Krzysztof Opasiak Date: Thu, 30 May 2019 15:27:27 +0200 Subject: Document OJSI-92 (CVE-2019-12121) vulnerability Issue-ID: OJSI-92 Signed-off-by: Krzysztof Opasiak Change-Id: Idad22deafb262da539c52fa8733e7ea098fd1361 --- docs/release-notes.rst | 1 + 1 file changed, 1 insertion(+) diff --git a/docs/release-notes.rst b/docs/release-notes.rst index fbaf675e..871c7d5b 100644 --- a/docs/release-notes.rst +++ b/docs/release-notes.rst @@ -38,6 +38,7 @@ We worked on SDK upgrade to integrate with AAF. We partially implemented multi-l * CVE-2019-12317 - Number of XSS vulnerabilities in Portal [`OJSI-15 `_] * CVE-2019-12122 - ONAP Portal allows to retrieve password of currently active user [`OJSI-65 `_] + * CVE-2019-12121 - ONAP Portal is vulnerable for Padding Oracle attack [`OJSI-92 `_] * In defult deployment PORTAL (portal-app) exposes HTTP port 8989 outside of cluster. [`OJSI-97 `_] * In defult deployment PORTAL (portal-app) exposes HTTP port 30215 outside of cluster. [`OJSI-105 `_] * In defult deployment PORTAL (portal-sdk) exposes HTTP port 30212 outside of cluster. [`OJSI-106 `_] -- cgit 1.2.3-korg From e93abc707191be45c18175c73904796df31b2654 Mon Sep 17 00:00:00 2001 
From: Krzysztof Opasiak Date: Thu, 30 May 2019 15:28:06 +0200 Subject: Document OJSI-174 (CVE-2019-12318) vulnerability Issue-ID: OJSI-174 Signed-off-by: Krzysztof Opasiak Change-Id: I47249407ccb62ca7ffd1d8edc9ada8793f4c53c9 --- docs/release-notes.rst | 1 + 1 file changed, 1 insertion(+) diff --git a/docs/release-notes.rst b/docs/release-notes.rst index 871c7d5b..0fdbe807 100644 --- a/docs/release-notes.rst +++ b/docs/release-notes.rst @@ -42,6 +42,7 @@ We worked on SDK upgrade to integrate with AAF. We partially implemented multi-l * In defult deployment PORTAL (portal-app) exposes HTTP port 8989 outside of cluster. [`OJSI-97 `_] * In defult deployment PORTAL (portal-app) exposes HTTP port 30215 outside of cluster. [`OJSI-105 `_] * In defult deployment PORTAL (portal-sdk) exposes HTTP port 30212 outside of cluster. [`OJSI-106 `_] + * CVE-2019-12318 - Number of SQL Injections in Portal [`OJSI-174 `_] *Known Vulnerabilities in Used Modules* -- cgit 1.2.3-korg From 8514f4a449cf3b06b4f515b1c6754c82abbfc5b6 Mon Sep 17 00:00:00 2001 From: Krzysztof Opasiak Date: Thu, 30 May 2019 15:29:12 +0200 Subject: Document OJSI-190 vulnerability Issue-ID: OJSI-190 Signed-off-by: Krzysztof Opasiak Change-Id: I1c586793b744a5807e7b1a7a1d416dfd43409ab0 --- docs/release-notes.rst | 1 + 1 file changed, 1 insertion(+) diff --git a/docs/release-notes.rst b/docs/release-notes.rst index 0fdbe807..9502569a 100644 --- a/docs/release-notes.rst +++ b/docs/release-notes.rst @@ -43,6 +43,7 @@ We worked on SDK upgrade to integrate with AAF. We partially implemented multi-l * In defult deployment PORTAL (portal-app) exposes HTTP port 30215 outside of cluster. [`OJSI-105 `_] * In defult deployment PORTAL (portal-sdk) exposes HTTP port 30212 outside of cluster. [`OJSI-106 `_] * CVE-2019-12318 - Number of SQL Injections in Portal [`OJSI-174 `_] + * Portal stores users passwords encrypted instead of hashed [`OJSI-190 `_] *Known Vulnerabilities in Used Modules* -- cgit 1.2.3-korg
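Review bot: in the OJSI-15 patch (hunk at -35,6 +35,8), the added bullet "Number of XSS vulnerabilities in Portal" does not tell the reader whether this is one issue or several, or where they occur. Suggest "Multiple XSS vulnerabilities in Portal", and, if the tracker entry names them, a short mention of the affected pages or parameters so operators can judge their exposure from the release notes alone.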
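Review bot: in the OJSI-65 patch (hunk at -37,6 +37,7), the CVE identifier in the subject line is CVE-2019-1212, while the added bullet says CVE-2019-12122. One of the two is mistyped; please confirm the assigned identifier and make the commit subject and the release-note entry agree, since people searching the history by CVE id will miss this commit otherwise. The wording "allows to retrieve password of currently active user" would also read better as "allows retrieval of the currently active user's password".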
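Review bot: in the OJSI-92 patch (hunk at -38,6 +38,7), the added bullet says "is vulnerable for Padding Oracle attack"; the usual phrasing is "is vulnerable to a padding oracle attack". The new entry is also placed after CVE-2019-12122, so the CVE bullets now run 12317, 12122, 12121. Consider ordering them by identifier or by OJSI number so that later additions have an obvious place to go.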
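Review bot: in the OJSI-174 patch (hunk at -42,6 +42,7), the CVE-2019-12318 bullet is appended after the three port-exposure entries (OJSI-97, OJSI-105, OJSI-106), whereas the other CVE entries from this series sit together at the top of *Known Security Issues*. Moving it up beside CVE-2019-12317 would keep the CVE-tracked issues grouped. As with the XSS entry, "Number of SQL Injections" would be clearer as "Multiple SQL injections".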
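Review bot: in the OJSI-190 patch (hunk at -43,6 +43,7), "users passwords" in the added bullet is missing its apostrophe ("users' passwords" or "user passwords"). The entry would also benefit from one clause stating why this matters, for example that encrypted passwords can be recovered by anyone who holds the key, so that readers who are not familiar with the distinction understand why it is listed as a security issue.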