CVE-2019-12112
📋 TL;DR
CVE-2019-12112 is a critical command injection vulnerability in ONAP SDNC that allows unauthenticated attackers to execute arbitrary commands on affected systems by crafting a filename parameter in the sla/upload endpoint. All ONAP SDNC setups that include the admportal component are vulnerable. This affects versions before the Dublin release.
💻 Affected Systems
- ONAP SDNC
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise allowing attackers to execute arbitrary commands with system privileges, potentially leading to data theft, service disruption, or deployment of persistent backdoors.
Likely Case
Remote code execution leading to unauthorized access, data exfiltration, or lateral movement within the network.
If Mitigated
Limited impact if proper network segmentation, web application firewalls, and input validation are in place.
🎯 Exploit Status
The vulnerability is straightforward to exploit with publicly available proof-of-concept code.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Dublin release or later
Vendor Advisory: https://jira.onap.org/browse/OJSI-199
Restart Required: Yes
Instructions:
1. Upgrade ONAP SDNC to Dublin release or later.
2. Apply all security patches for the Dublin release.
3. Restart SDNC services.
🔧 Temporary Workarounds
Disable admportal component
Remove or disable the vulnerable admportal component if not required.
# Stop admportal service
systemctl stop admportal
# Disable from auto-start
systemctl disable admportal
Web Application Firewall rules
Implement WAF rules to block malicious filename parameters in sla/upload requests.
# Example mod_security rule: the two conditions are chained so that only sla/upload
# requests whose filename carries shell metacharacters are denied; an unchained
# REQUEST_URI rule would block every sla/upload request, legitimate ones included.
# FILES covers filenames carried in a multipart upload body, ARGS:filename a query/form parameter.
SecRule REQUEST_URI "@contains sla/upload" "id:1001,phase:2,deny,msg:'CVE-2019-12112 command injection attempt',chain"
    SecRule ARGS:filename|FILES "@rx [;|&$()`]"
🧯 If You Can't Patch
- Implement strict network segmentation to isolate SDNC from internet and critical systems
- Deploy web application firewall with rules to block command injection patterns in filename parameters
🔍 How to Verify
Check if Vulnerable:
Check if SDNC version is pre-Dublin and admportal component is enabled. Review application logs for sla/upload requests with unusual filename parameters.
Check Version:
Check ONAP documentation or run: grep -r "version" /opt/onap/sdnc/ | grep -i sdnc
Verify Fix Applied:
Verify SDNC version is Dublin or later and test that sla/upload endpoint properly validates filename parameters.
📡 Detection & Monitoring
Log Indicators:
- Unusual filename parameters in sla/upload requests
- Command execution patterns in application logs
- Multiple failed upload attempts with special characters
Network Indicators:
- HTTP POST requests to /sla/upload with shell metacharacters in parameters
- Outbound connections from SDNC to unexpected destinations
SIEM Query:
source="sdnc.logs" AND (uri="/sla/upload" AND (filename="*;*" OR filename="*|*" OR filename="*$(*"))
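The SIEM query above matches literal metacharacters only; a request that percent-encodes them (`%3B` for `;`) slips past it. The following is an added example, not code from the ONAP project or from the advisory, that scans constructed web-server access-log lines for sla/upload requests and decodes the filename parameter (including a double-encoded layer) before testing it for shell metacharacters. It assumes admportal requests are logged in combined log format and that the filename arrives as a query parameter; a filename inside a multipart body would require request-body logging.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Shell metacharacters that have no business in an upload filename.
META = re.compile(r"[;|&$`()<>\n]")

# Combined log format: client, timestamp, request line, status (assumed log layout).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)


def suspicious_filenames(target):
    """Return decoded filename values of an sla/upload request that contain metacharacters."""
    parts = urlsplit(target)
    if not parts.path.endswith("/sla/upload"):
        return []
    hits = []
    # parse_qs removes one layer of percent-encoding; a second unquote catches
    # double-encoded payloads such as %2524 -> %24 -> $.
    for value in parse_qs(parts.query, keep_blank_values=True).get("filename", []):
        decoded = unquote_plus(value)
        if META.search(decoded):
            hits.append(decoded)
    return hits


def scan_log(lines):
    """Return one alert record per sla/upload request with a suspicious filename."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        for name in suspicious_filenames(m.group("target")):
            alerts.append({"src": m.group("ip"), "time": m.group("ts"),
                           "method": m.group("method"), "status": m.group("status"),
                           "filename": name})
    return alerts


# Constructed sample log lines (not real traffic): one benign upload, one with an
# encoded ';', one double-encoded '$(...)', and one unrelated request.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jun/2019:12:00:01 +0000] "POST /admportal/sla/upload?filename=report.csv HTTP/1.1" 200 512',
    '203.0.113.9 - - [10/Jun/2019:12:00:07 +0000] "POST /admportal/sla/upload?filename=a.csv%3Becho%20hi HTTP/1.1" 500 0',
    '203.0.113.9 - - [10/Jun/2019:12:00:09 +0000] "POST /admportal/sla/upload?filename=a.csv%2524%2528echo%2529 HTTP/1.1" 500 0',
    '198.51.100.2 - - [10/Jun/2019:12:01:00 +0000] "POST /admportal/login HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

Repeated hits from one source against a pre-Dublin SDNC, especially alongside the outbound-connection indicator above, warrant treating the host as compromised rather than merely probed.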