CVE-2019-12132
📋 TL;DR
CVE-2019-12132 is a critical command injection vulnerability in ONAP SDNC that allows unauthenticated attackers to execute arbitrary commands on affected systems by crafting a malicious filename parameter in the sla/dgUpload endpoint. All ONAP SDNC setups that include the admportal component are vulnerable. This affects versions before the Dublin release.
💻 Affected Systems
- ONAP SDNC
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise allowing attackers to execute arbitrary commands with system privileges, potentially leading to data theft, ransomware deployment, or persistent backdoor installation.
Likely Case
Remote code execution leading to unauthorized access, data exfiltration, or lateral movement within the network.
If Mitigated
Limited impact if proper network segmentation, authentication controls, and input validation are implemented.
🎯 Exploit Status
The vulnerability is straightforward to exploit with publicly available proof-of-concept code. No authentication is required.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Dublin release and later
Vendor Advisory: https://jira.onap.org/browse/OJSI-41
Restart Required: Yes
Instructions:
1. Upgrade ONAP SDNC to Dublin release or later.
2. Apply any available security patches.
3. Restart the SDNC service.
4. Verify the fix is applied.
🔧 Temporary Workarounds
Disable vulnerable endpoint
Block or disable access to the sla/dgUpload endpoint (all platforms)
# Configure web server or application firewall to block /sla/dgUpload
Network segmentation
Restrict network access to SDNC admportal component (all platforms)
# Use firewall rules to restrict access to SDNC ports
🧯 If You Can't Patch
- Implement strict network access controls to limit who can reach the SDNC admportal
- Deploy a web application firewall with command injection protection rules
🔍 How to Verify
Check if Vulnerable:
Check if ONAP SDNC version is pre-Dublin and admportal component is enabled. Review application logs for sla/dgUpload requests with unusual filenames.
Check Version:
# Check ONAP version details in deployment configuration or via administrative interfaces
Verify Fix Applied:
Verify ONAP SDNC version is Dublin or later. Test that sla/dgUpload endpoint properly validates filename parameters and rejects command injection attempts.
📡 Detection & Monitoring
Log Indicators:
- Unusual sla/dgUpload requests with special characters in filename parameter
- Command execution patterns in system logs following sla/dgUpload requests
Network Indicators:
- HTTP POST requests to /sla/dgUpload with suspicious filename parameters
- Outbound connections from SDNC to unexpected destinations
SIEM Query:
source="sdnc" AND uri_path="/sla/dgUpload" AND (filename="*;*" OR filename="*|*" OR filename="*`*" OR filename="*$(*" OR filename="*&*" OR filename="*>*" OR filename="*<*")
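The same check can be run against captured requests when the filename is only available inside the multipart body rather than as an indexed log field. The following is an added example, not code from ONAP or from this advisory; the request dictionary layout, the function names, the form field name and the sample filenames are all assumptions made for illustration.

```python
from email.parser import BytesParser

# Metacharacters taken from the SIEM query on this page.
SHELL_META = (";", "|", "`", "$(", "&", ">", "<")
UPLOAD_PATH = "/sla/dgUpload"

def upload_filenames(content_type, body):
    """Return every filename declared in a multipart/form-data request body."""
    # Prepend the Content-Type header so the MIME parser knows the boundary.
    raw = b"Content-Type: " + content_type.encode("ascii") + b"\r\n\r\n" + body
    msg = BytesParser().parsebytes(raw)
    if not msg.is_multipart():
        return []
    names = (part.get_filename() for part in msg.get_payload())
    return [n for n in names if n]

def flag_request(req):
    """Return the suspicious filenames in one captured request, or []."""
    path = req["path"].split("?", 1)[0].rstrip("/")
    if req["method"].upper() != "POST" or path != UPLOAD_PATH:
        return []
    names = upload_filenames(req["content_type"], req["body"])
    return [n for n in names if any(m in n for m in SHELL_META)]

# Constructed sample data: boundary, form field name and filenames are made up.
CT = "multipart/form-data; boundary=XBOUND"

def sample_body(filename):
    return (b"--XBOUND\r\n"
            b'Content-Disposition: form-data; name="upload"; filename="'
            + filename.encode() + b'"\r\n'
            b"Content-Type: text/xml\r\n\r\n<graph/>\r\n--XBOUND--\r\n")

SAMPLE_REQUESTS = [
    {"method": "POST", "path": "/sla/dgUpload", "content_type": CT,
     "body": sample_body("dg_export.xml")},
    {"method": "POST", "path": "/sla/dgUpload", "content_type": CT,
     "body": sample_body("dg;example.xml")},
    {"method": "POST", "path": "/other/upload", "content_type": CT,
     "body": sample_body("a|b.xml")},
]

if __name__ == "__main__":
    for r in SAMPLE_REQUESTS:
        print(r["method"], r["path"], flag_request(r) or "clean")
```

Only the second sample request is flagged: the third carries a metacharacter but targets a different path, which is the scoping the SIEM query is meant to express.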