**Date:** 2019-05-28

**ID:** OSA-2019-007

**Title:** APPC exposes a Jolokia interface that allows reading and overwriting arbitrary files

**CVE:** CVE-2019-12124

**Severity:** Critical

Affects
-------

* APPC: before Dublin

Description
-----------

Radosław Żeszczuk from Samsung reported a vulnerability in APPC. Through the 
exposed, unprotected Jolokia interface an unauthenticated attacker can read 
or overwrite arbitrary files. All APPC setups are affected.

Patches
-------

No specific patch was provided by the maintainer. The issue was probably fixed 
by the ODL upgrade (confirmed not to be present in Dublin).

**Warning**
The Dublin release is not vulnerable to this attack because the Jolokia 
interface is protected with HTTP basic authentication.
Unfortunately, weak default credentials are used, which can still be 
considered a security risk.
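The practical question for an operator is whether their own APPC deployment still answers Jolokia requests without credentials. The following check is an added example, not code from the advisory or the ONAP project; it assumes the agent is mounted at the usual Jolokia path (``/jolokia``) and uses a placeholder host URL.

```python
"""Classify how an APPC/ODL Jolokia endpoint answers an unauthenticated request.

Added example, not part of the advisory. BASE_URL is a placeholder for your
own APPC host; JOLOKIA_PATH assumes the default Jolokia mount point.
"""
import json
import urllib.error
import urllib.request

BASE_URL = "http://appc.example.internal:8282"  # placeholder, not from the advisory
JOLOKIA_PATH = "/jolokia/version"  # assumption: default Jolokia agent path


def classify(status, body):
    """Map a response to the Jolokia 'version' request (sent with no
    Authorization header) to one of:
      "unprotected" - the agent answered without credentials (the pre-Dublin
                      condition described in this advisory)
      "protected"   - the agent demanded authentication (Dublin behaviour)
      "absent"      - nothing is mounted at this path
      "unknown"     - anything else, e.g. a redirect to an HTML login page
    """
    if status in (401, 403):
        return "protected"
    if status == 404:
        return "absent"
    if status == 200:
        try:
            doc = json.loads(body)
        except ValueError:
            return "unknown"
        value = doc.get("value") if isinstance(doc, dict) else None
        # A real Jolokia agent reports its own agent version and protocol level.
        if isinstance(value, dict) and "agent" in value and "protocol" in value:
            return "unprotected"
    return "unknown"


def check(base_url=BASE_URL, timeout=5):
    """Issue the request with no credentials and classify the answer."""
    req = urllib.request.Request(base_url + JOLOKIA_PATH)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify(resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:
        return classify(err.code, "")


# Constructed sample body, used only to exercise the classifier offline.
SAMPLE_OPEN = json.dumps({"request": {"type": "version"},
                          "value": {"agent": "1.6.0", "protocol": "7.2"},
                          "status": 200})
```

An "unprotected" result means the endpoint is in the state this advisory describes; "protected" only confirms that authentication is demanded, not that the credentials behind it are strong.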

Credits
-------

* Radosław Żeszczuk from Samsung

References
----------

* `OJSI-63 <https://jira.onap.org/browse/OJSI-63>`_
* `CVE-2019-12124 <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12124>`_

-- 
Krzysztof Opasiak
Samsung R&D Institute Poland
Samsung Electronics
