CVE-2019-12123
📋 TL;DR
This vulnerability allows authenticated users to execute arbitrary commands on ONAP SDNC systems by exploiting a command injection flaw in the sla/printAsXml endpoint. All SDC setups that include admportal are affected, potentially giving attackers full control over vulnerable systems.
💻 Affected Systems
- ONAP SDNC
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise allowing attackers to execute arbitrary commands with the privileges of the SDNC service, potentially leading to data theft, system destruction, or lateral movement within the network.
Likely Case
Authenticated attackers gaining remote code execution to install backdoors, exfiltrate sensitive data, or disrupt ONAP operations.
If Mitigated
Limited impact if proper network segmentation, authentication controls, and input validation are in place, though the vulnerability still exists.
🎯 Exploit Status
Requires authenticated access, but exploitation is straightforward once authenticated.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Dublin release or later
Vendor Advisory: https://jira.onap.org/browse/OJSI-42
Restart Required: Yes
Instructions:
1. Upgrade ONAP SDNC to Dublin release or later.
2. Restart SDNC services.
3. Verify the fix by testing the vulnerable endpoint.
🔧 Temporary Workarounds
Disable vulnerable endpoint
Remove or restrict access to the sla/printAsXml endpoint
# Configuration depends on specific deployment. Consult ONAP documentation for endpoint configuration.
Network segmentation
Restrict network access to SDNC admportal to only trusted sources
# Use firewall rules to limit access to SDNC ports from authorized IPs only
🧯 If You Can't Patch
- Implement strict authentication and authorization controls for SDNC access
- Deploy web application firewall (WAF) with command injection protection rules
🔍 How to Verify
Check if Vulnerable:
Check ONAP SDNC version. If pre-Dublin and includes admportal, assume vulnerable. Test endpoint with controlled payload if possible.
Check Version:
# Check ONAP version through admin interface or configuration files specific to your deployment
Verify Fix Applied:
Verify ONAP SDNC version is Dublin or later. Test the sla/printAsXml endpoint with command injection attempts to confirm they are blocked.
📡 Detection & Monitoring
Log Indicators:
- Unusual commands executed via SDNC service
- Multiple failed authentication attempts followed by sla/printAsXml access
- Suspicious parameters in sla/printAsXml requests
Network Indicators:
- Unusual outbound connections from SDNC servers
- Command and control traffic patterns
SIEM Query:
source="sdnc" AND (uri="*sla/printAsXml*" AND (param="*;*" OR param="*|*" OR param="*`*"))
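The SIEM query above matches the literal characters `;`, `|` and a backtick, so it will not fire on percent-encoded forms if the `param` field is stored undecoded. The following is an added example, not part of the original advisory or of ONAP: a log scanner that decodes each parameter of sla/printAsXml requests before checking for the same three characters. The access-log layout, the `/sla/printAsXml` path prefix, the parameter name `p` and the sample lines are all constructed assumptions.

```python
import re
from urllib.parse import urlsplit, unquote

ENDPOINT = "sla/printAsXml"
SHELL_META = re.compile(r"[;|`]")  # same characters as the SIEM query above
# Assumed combined-log style request field; adjust to your deployment's format.
REQUEST_RE = re.compile(r'"(?:GET|POST) (?P<target>\S+) HTTP/[\d.]+"')

def fully_decode(value, rounds=3):
    """Percent-decode repeatedly so %3B and %253B both surface as ';'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_params(line):
    """Return [(param, decoded_value)] for a flagged printAsXml request."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    url = urlsplit(m.group("target"))
    if ENDPOINT not in url.path:
        return []
    hits = []
    # Split on '&' by hand so a raw ';' stays inside the value being checked.
    for pair in url.query.split("&"):
        name, _, raw = pair.partition("=")
        decoded = fully_decode(raw)
        if SHELL_META.search(decoded):
            hits.append((name, decoded))
    return hits

def scan(lines):
    """Return [(line_number, hits)] for every line with at least one hit."""
    results = [(n, suspicious_params(l)) for n, l in enumerate(lines, 1)]
    return [(n, h) for n, h in results if h]

# Constructed sample lines (not real traffic): benign, encoded, double-encoded, other URI.
SAMPLE_LOG = [
    '10.0.0.5 - admin [01/Jan/2024:10:00:00 +0000] "GET /sla/printAsXml?p=report1 HTTP/1.1" 200 512',
    '10.0.0.9 - admin [01/Jan/2024:10:00:05 +0000] "GET /sla/printAsXml?p=x%3By HTTP/1.1" 200 87',
    '10.0.0.9 - admin [01/Jan/2024:10:00:09 +0000] "GET /sla/printAsXml?p=x%257Cy HTTP/1.1" 200 87',
    '10.0.0.7 - admin [01/Jan/2024:10:00:12 +0000] "GET /status?p=a%3Bb HTTP/1.1" 200 20',
]

if __name__ == "__main__":
    for line_no, hits in scan(SAMPLE_LOG):
        print(f"line {line_no}: {hits}")
```

Lines 2 and 3 of the sample are flagged only because of the decoding step; a literal wildcard match on the raw request would pass both.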