CVE-2019-12125

9.8 CRITICAL

📋 TL;DR

CVE-2019-12125 is an authentication bypass vulnerability in ONAP Logging services that allows unauthenticated attackers to gain full administrative access to affected ONAP services by connecting to specific ports. All ONAP Operations Manager (OOM) deployments through the Dublin release are affected, making this a critical infrastructure vulnerability.

💻 Affected Systems

Products:
  • ONAP (Open Network Automation Platform)
  • ONAP Operations Manager (OOM)
Versions: All versions through Dublin release
Operating Systems: Linux-based systems running ONAP
Default Config Vulnerable: ⚠️ Yes
Notes: All OOM setups are affected when using default configurations with the vulnerable ports exposed.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete compromise of ONAP infrastructure, allowing attackers to manipulate orchestration, access sensitive data, disrupt services, or pivot to other systems.

🟠 Likely Case: Unauthorized access to logging and monitoring systems, potential data exfiltration, and service disruption through configuration changes.

🟢 If Mitigated: Limited to attempted connection logs if proper network segmentation and access controls are implemented.

🌐 Internet-Facing: HIGH - Directly exploitable without authentication via specific open ports.
🏢 Internal Only: HIGH - Even internally, this allows lateral movement and privilege escalation within the ONAP environment.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only network access to vulnerable ports (30234, 30290, 32010, 30270, 30224, 30281, 30254, 30285, 30271) with no authentication needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Versions after Dublin release

Vendor Advisory: https://jira.onap.org/browse/OJSI-27

Restart Required: Yes

Instructions:

1. Upgrade ONAP to a version after the Dublin release.
2. Apply security patches from ONAP security advisories.
3. Restart affected ONAP services after patching.

🔧 Temporary Workarounds

Network Access Control

Block external access to the vulnerable ports using firewall rules. The rules below are inserted at the top of the INPUT chain (-I rather than -A) so that an earlier blanket ACCEPT rule cannot shadow them. On OOM these ports are Kubernetes NodePorts; depending on the kube-proxy mode, NodePort traffic may be DNAT'd in the nat PREROUTING chain and never reach the filter INPUT chain, so confirm from a host outside the trusted network that connections are actually dropped, and prefer enforcing the block at the perimeter firewall or with Kubernetes network policy where possible.

iptables -I INPUT -p tcp --dport 30234 -j DROP
iptables -I INPUT -p tcp --dport 30290 -j DROP
iptables -I INPUT -p tcp --dport 32010 -j DROP
iptables -I INPUT -p tcp --dport 30270 -j DROP
iptables -I INPUT -p tcp --dport 30224 -j DROP
iptables -I INPUT -p tcp --dport 30281 -j DROP
iptables -I INPUT -p tcp --dport 30254 -j DROP
iptables -I INPUT -p tcp --dport 30285 -j DROP
iptables -I INPUT -p tcp --dport 30271 -j DROP

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate ONAP services from untrusted networks
  • Deploy intrusion detection systems to monitor for unauthorized access attempts to the vulnerable ports

🔍 How to Verify

Check if Vulnerable:

Check if ONAP services are listening on vulnerable ports: netstat -tulpn | grep -E ':30234|:30290|:32010|:30270|:30224|:30281|:30254|:30285|:30271'

Check Version:

Check ONAP release version in deployment configuration or via ONAP CLI

Verify Fix Applied:

Verify that the ports are no longer accessible without authentication and that the deployed ONAP version is post-Dublin.

📡 Detection & Monitoring

Log Indicators:

  • Unauthenticated access attempts to ONAP logging ports
  • Unexpected administrative actions from unauthenticated sources

Network Indicators:

  • Connection attempts to ports 30234, 30290, 32010, 30270, 30224, 30281, 30254, 30285, 30271 from unauthorized sources

SIEM Query:

dest_port IN (30234, 30290, 32010, 30270, 30224, 30281, 30254, 30285, 30271) AND NOT src_ip IN (<trusted_admin_ranges>)

Field names are placeholders to map onto your schema. Match on the destination port rather than the source port, and do not key on failed-authentication events: the bypass means connections succeed without any authentication attempt, so the useful signal is any connection to these ports from a source outside your trusted management ranges.
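As an added example that is not part of this advisory, the following Python checker applies the network indicator above to iptables LOG lines (as produced by a LOG rule placed ahead of the DROP rules); the ONAP-PORT log prefix, the trusted 10.0.0.0/8 range and the sample lines are constructed assumptions.

```python
import ipaddress
import re

# Destination ports named in the advisory for CVE-2019-12125 (OOM NodePorts).
VULNERABLE_PORTS = {30234, 30290, 32010, 30270, 30224, 30281, 30254, 30285, 30271}

# Assumed placeholder for the management ranges allowed to reach ONAP; replace with yours.
TRUSTED_SOURCES = [ipaddress.ip_network("10.0.0.0/8")]

# Extracts key=value fields (SRC=, DST=, PROTO=, SPT=, DPT=) from an iptables LOG line.
FIELD_RE = re.compile(r"\b(SRC|DST|PROTO|SPT|DPT)=(\S+)")


def parse_line(line):
    """Return {'src', 'dport', 'proto'} for a LOG line, or None if it has no packet fields."""
    fields = dict(FIELD_RE.findall(line))
    if "SRC" not in fields or "DPT" not in fields:
        return None
    try:
        ipaddress.ip_address(fields["SRC"])  # reject malformed addresses
        return {"src": fields["SRC"], "dport": int(fields["DPT"]), "proto": fields.get("PROTO", "")}
    except ValueError:
        return None


def is_trusted(src):
    """True if the source address lies inside an allow-listed management range."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in TRUSTED_SOURCES)


def find_suspicious(lines):
    """(src, dport) pairs for TCP traffic to a vulnerable port from an untrusted source."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proto"] != "TCP":
            continue  # unparsable line, or not TCP
        if rec["dport"] in VULNERABLE_PORTS and not is_trusted(rec["src"]):
            hits.append((rec["src"], rec["dport"]))
    return hits


# Constructed sample log lines (not real traffic), trimmed to the relevant fields.
SAMPLE_LOG = [
    "kernel: ONAP-PORT: IN=eth0 SRC=198.51.100.7 DST=10.0.0.5 PROTO=TCP SPT=51000 DPT=30234 SYN",
    "kernel: ONAP-PORT: IN=eth0 SRC=10.1.2.3 DST=10.0.0.5 PROTO=TCP SPT=51001 DPT=30290 SYN",
    "kernel: ONAP-PORT: IN=eth0 SRC=203.0.113.9 DST=10.0.0.5 PROTO=TCP SPT=51002 DPT=22 SYN",
    "kernel: ONAP-PORT: IN=eth0 SRC=203.0.113.9 DST=10.0.0.5 PROTO=UDP SPT=51003 DPT=30270",
    "kernel: ONAP-PORT: IN=eth0 SRC=192.0.2.44 DST=10.0.0.5 PROTO=TCP SPT=51004 DPT=32010 SYN",
    "kernel: unrelated message with no packet fields",
]
```

Running find_suspicious(SAMPLE_LOG) flags only the two untrusted TCP connections to listed ports; the trusted source, the non-listed port and the UDP datagram are ignored.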
