CVE-2019-12121

Name of the Vulnerable Software and Affected Versions ONAP Portal versions through Dublin

Description An issue was detected in the ONAP Portal, where an attacker can execute a padding oracle attack using the ONAPPORTAL/processSingleSignOn UserId field to decrypt arbitrary information encrypted with the same symmetric key as UserId. All Portal setups are affected.

Recommendations For ONAP Portal versions through Dublin, consider disabling the ONAPPORTAL/processSingleSignOn endpoint or restricting access to the UserId field until a patch is available. As a temporary workaround, restrict the use of the symmetric key used for UserId encryption to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.