CVE-2019-12116
📋 TL;DR
CVE-2019-12116 allows unauthenticated attackers with pod-to-pod network access to execute arbitrary code on ONAP SDC frontend pods via port 6000. All ONAP Operations Manager (OOM) deployments through the Dublin release are affected, enabling remote code execution within Kubernetes pods.
💻 Affected Systems
- ONAP SDC
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the SDC frontend pod leading to lateral movement within the ONAP cluster, data exfiltration, and potential control over ONAP orchestration functions.
Likely Case
Attacker gains shell access to the vulnerable pod, can install persistence mechanisms, and access sensitive configuration data within that container.
If Mitigated
With proper network segmentation and pod security policies, impact is limited to the compromised pod only, preventing lateral movement.
🎯 Exploit Status
Exploitation requires network access to port 6000 on the vulnerable pod, which is typically only available within the Kubernetes cluster.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions after Dublin release
Vendor Advisory: https://jira.onap.org/browse/OJSI-10
Restart Required: Yes
Instructions:
1. Upgrade ONAP SDC to a version after Dublin release. 2. Update all affected pods in the Kubernetes deployment. 3. Verify the fix by checking that port 6000 is no longer exposed or properly secured.
🔧 Temporary Workarounds
Network Policy Restriction
linuxApply Kubernetes Network Policies to restrict access to port 6000 on demo-sdc-sdc-fe pods
kubectl apply -f network-policy.yaml
Service Mesh Implementation
linuxImplement service mesh (like Istio) to enforce mutual TLS and strict pod-to-pod communication policies
🧯 If You Can't Patch
- Implement strict Kubernetes Network Policies to isolate demo-sdc-sdc-fe pods from untrusted network segments
- Deploy a web application firewall (WAF) or API gateway in front of the vulnerable service to filter malicious traffic
🔍 How to Verify
Check if Vulnerable:
Check if port 6000 is exposed on demo-sdc-sdc-fe pods: kubectl get pods -l app=demo-sdc-sdc-fe -o jsonpath='{.items[*].spec.containers[*].ports[*].containerPort}' | grep 6000Check Version:
kubectl describe pod <demo-sdc-sdc-fe-pod> | grep ImageVerify Fix Applied:
Verify port 6000 is no longer exposed or is properly secured with authentication: kubectl exec <pod-name> -- netstat -tlnp | grep 6000📡 Detection & Monitoring
Log Indicators:
- Unusual process execution from network connections on port 6000
- Shell commands from unexpected sources in container logs
Network Indicators:
- Unexpected connections to port 6000 on demo-sdc-sdc-fe pods
- Traffic patterns suggesting code execution attempts
SIEM Query:
source="k8s-container-logs" pod_name="demo-sdc-sdc-fe-*" (port=6000 OR "exec" OR "shell")