**Date:** 2019-05-28 **ID:** OSA-2019-016
**Title:** ONAP Portal is vulnerable for Padding Oracle attack **CVE:** CVE-2019-12121 **Severity:** Important Affects ------- * Portal: Dublin and earlier Description ----------- Łukasz Wrochna and Wojciech Rauner from Samsung reported a vulnerability in Portal. By executing a padding oracle attack using ONAPPORTAL/processSingleSignOn UserId field an attacker is able do decrypt arbitrary information encrypted with the same symmetric key as UserId. All Portal setups are affected. Patches ------- * `88689 <https://gerrit.onap.org/r/c/portal/+/88689>`_ Credits ------- * Łukasz Wrochna from Samsung * Wojciech Rauner from Samsung References ---------- * `OJSI-92 <https://jira.onap.org/browse/OJSI-92>`_ * `CVE-2019-12121 <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12121>`_ -- Krzysztof Opasiak Samsung R&D Institute Poland Samsung Electronics -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#17272): https://lists.onap.org/g/onap-discuss/message/17272 Mute This Topic: https://lists.onap.org/mt/31822862/21656 Group Owner: [email protected] Unsubscribe: https://lists.onap.org/g/onap-discuss/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
