Topics

[OSA] Vulnerability in Holmes (CVE-2019-12114)


Krzysztof Opasiak
 

**Date:** 2019-05-28

**ID:** OSA-2019-009

**Title:** HOLMES exposes JDWP outside of pod which allows for arbitrary
code execution

**CVE:** CVE-2019-12114

**Severity:** Critical

Affects
-------

* HOLMES: before Dublin

Description
-----------

Radosław Żeszczuk from Samsung reported vulnerability in HOLMES. By
accessing port 9202 of dep-holmes-engine-mgmt pod an unauthenticated
attacker who already has access to pod to pod communication may execute
arbitrary code inside this pod. All OOM ONAP setups which includes
HOLMES are affected.

Patches
-------

* `87090 <https://gerrit.onap.org/r/#/c/holmes/engine-management/+/87090/>`_

Credits
-------

* Radosław Żeszczuk from Samsung

References
----------

* `OJSI-66 <https://jira.onap.org/browse/OJSI-66>`_
* `CVE-2019-12114
<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12114>`_

--
Krzysztof Opasiak
Samsung R&D Institute Poland
Samsung Electronics