Topics

[OSA] Vulnerability in ONAP SDC (CVE-2019-12118)

Krzysztof Opasiak
 

**Date:** 2019-05-28

**ID:** OSA-2019-013

**Title:** SDC exposes JDWP outside of pod which allows for arbitrary
code execution

**CVE:** CVE-2019-12118

**Severity:** Critical

Affects
-------

* SDC: Dublin and earlier

Description
-----------

Radosław Żeszczuk from Samsung reported vulnerability in SDC. By
accessing port 7001 of demo-sdc-sdc-wfd-be pod an unauthenticated
attacker who already has access to pod to pod communication may execute
arbitrary code inside this pod. All OOM ONAP setups which includes SDC
are affected.

Patches
-------

No patch for this vulnerability has been proposed yet.

Credits
-------

* Radosław Żeszczuk from Samsung

References
----------

* `OJSI-79 <https://jira.onap.org/browse/OJSI-79>`_
* `CVE-2019-12118
<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12118>`_

--
Krzysztof Opasiak
Samsung R&D Institute Poland
Samsung Electronics