CVE-2019-12118
📋 TL;DR
This vulnerability allows unauthenticated attackers with access to pod-to-pod communication to execute arbitrary code on ONAP SDC pods via port 7001. All ONAP Operations Manager (OOM) setups are affected, enabling remote code execution within container environments.
💻 Affected Systems
- ONAP SDC
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the SDC pod leading to lateral movement within the ONAP cluster, data exfiltration, and potential control over ONAP orchestration functions.
Likely Case
Attacker gains shell access to the vulnerable pod, enabling reconnaissance, credential harvesting, and persistence within the container environment.
If Mitigated
Limited impact if proper network segmentation and pod security policies prevent unauthorized pod-to-pod communication.
🎯 Exploit Status
Exploitation requires network access to port 7001 on the vulnerable pod, which is typically only available within the cluster network.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions after Dublin release
Vendor Advisory: https://jira.onap.org/browse/OJSI-10
Restart Required: Yes
Instructions:
1. Upgrade ONAP SDC to a version after the Dublin release.
2. Update all affected pods in the ONAP deployment.
3. Verify that pod security policies are properly configured.
🔧 Temporary Workarounds
Network Policy Restriction
Implement Kubernetes Network Policies to restrict pod-to-pod communication to only the services that need it
kubectl apply -f network-policy.yaml
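A worked network-policy.yaml for the apply step above, added here as an example and not taken from the advisory or from the ONAP project; the namespace and the pod labels are assumptions and must be matched to the deployment:

```yaml
# Constructed example. Assumptions, marked inline: namespace "onap",
# label app=sdc-wfd-be on the demo-sdc-sdc-wfd-be pods, and label
# app=sdc-wfd-fe on the only client that legitimately calls port 7001.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: restrict-sdc-wfd-be-7001
  namespace: onap            # assumption: namespace the ONAP release is deployed into
spec:
  podSelector:
    matchLabels:
      app: sdc-wfd-be        # assumption: label carried by the demo-sdc-sdc-wfd-be pods
  policyTypes:
    - Ingress
  ingress:
    # Only the designated client pod in the same namespace may reach TCP/7001.
    # Any other pod-to-pod connection to this port is dropped by the CNI.
    - from:
        - podSelector:
            matchLabels:
              app: sdc-wfd-fe  # assumption: the frontend that legitimately calls the backend
      ports:
        - protocol: TCP
          port: 7001
```

Because the policy lists a single ingress rule, it also blocks ingress to every other port on the selected pods, so add rules for any other legitimate traffic; it is only enforced when the cluster's CNI plugin implements NetworkPolicy.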
Port Blocking
Block access to port 7001 on demo-sdc-sdc-wfd-be pods using firewall rules or service mesh policies. The rule below must be applied inside the pod's network namespace and, as written, drops every inbound connection to the port, including those from legitimate clients
iptables -A INPUT -p tcp --dport 7001 -j DROP
🧯 If You Can't Patch
- Implement strict network segmentation to isolate pod communication
- Deploy runtime protection and container security monitoring
🔍 How to Verify
Check if Vulnerable:
Check if demo-sdc-sdc-wfd-be pods are listening on port 7001 and accessible from other pods: kubectl exec <pod> -- netstat -tlnp | grep 7001
Check Version:
kubectl describe pod <pod-name> | grep Image
Verify Fix Applied:
Verify port 7001 is no longer exposed or requires authentication: kubectl exec <pod> -- curl -v http://localhost:7001 (a request from localhost only shows whether the service still listens and answers unauthenticated; repeat the request from a different pod to confirm the network restriction holds across pods)
📡 Detection & Monitoring
Log Indicators:
- Unexpected connections to port 7001
- Unusual process execution in SDC pods
- Authentication bypass attempts
Network Indicators:
- Traffic to port 7001 from unauthorized pods
- Unusual outbound connections from SDC pods
SIEM Query:
(source_port=7001 OR dest_port=7001) AND (container_name="*sdc*" OR pod_name="*demo-sdc*")