Status: Done
Assignee: Former user (Deactivated)
Reporter: Former user (Deactivated)
Labels:
Sprint: None
Fix versions:
Priority: Medium
Created February 22, 2019 at 8:29 PM
Updated July 10, 2019 at 8:03 PM
Resolved March 8, 2019 at 9:54 PM
The following vulnerabilities were identified in the CLM scan.
1) Evaluate each identified risk; if the project is not impacted, provide a justification for each item explaining why the vulnerability does not apply.
2) If impacted, upgrade or remove the dependency where a workaround exists (check the ACTION column).
3) If a dependency cannot be removed for Dublin and no non-vulnerable version is available, identify it.
Findings (columns: Repository, Group, Artifact, Version, RISK, Action)
Repository: onap-dcaegen2-services-son-handler
Component (Group : Artifact : Version): com.fasterxml.jackson.core : jackson-databind : 2.9.6
Risk: The application is vulnerable when using this component if default typing is enabled and untrusted data is passed in to be deserialized.
Note: Spring Security has provided its own fix for this vulnerability (CVE-2017-4995). If this component is used as part of Spring Security, you are not vulnerable if you are running Spring Security 4.2.3.RELEASE or greater for 4.x, or Spring Security 5.0.0.M2 or greater for 5.x.
Workaround: Do not use default typing; implement your own typing instead.
Action: Remove this dependency if a workaround exists; if not, upgrade to 2.9.8.
Linked issue: https://lf-onap.atlassian.net/browse/DCAEGEN2-1275#icft=DCAEGEN2-1275 - dcaegen2/services/son-handler security vulnerabilities (Open)
Repository: onap-dcaegen2-services-son-handler
Component (Group : Artifact : Version): com.fasterxml.jackson.datatype : jackson-datatype-jsr310 : 2.9.6
Risk: FasterXML Jackson versions before 2.9.8 contain a CWE-20 (Improper Input Validation) vulnerability in Jackson-Modules-Java8 that can result in a denial of service (DoS). The attack appears to be exploitable when the victim deserializes malicious input, specifically very large values in the nanoseconds field of a time value. This vulnerability appears to have been fixed in 2.9.8.
Action: Remove this dependency if a workaround exists; if not, upgrade to 2.9.8.
Linked issue: https://lf-onap.atlassian.net/browse/DCAEGEN2-1275#icft=DCAEGEN2-1275 - dcaegen2/services/son-handler security vulnerabilities (Open)
Repository: onap-dcaegen2-services-son-handler
Component (Group : Artifact : Version): org.codehaus.jackson : jackson-mapper-asl : 1.9.13
Risk: A deserialization flaw was discovered in jackson-databind, versions before 2.6.7.1, 2.7.9.1 and 2.8.9, which could allow an unauthenticated user to perform code execution by sending maliciously crafted input to the readValue method of the ObjectMapper.
Explanation: jackson-databind is vulnerable to Remote Code Execution (RCE). The createBeanDeserializer() function in the BeanDeserializerFactory class allows untrusted Java objects to be deserialized. A remote attacker can exploit this by uploading a malicious serialized object that will result in RCE if the application attempts to deserialize it.
Action: No non-vulnerable version available. Request Exception.
Repository: onap-dcaegen2-services-son-handler
Component (Group : Artifact : Version): org.postgresql : postgresql : 42.2.4
Risk: A weakness was found in postgresql-jdbc before version 42.2.5. It was possible to provide an SSL Factory and not check the host name if a host name verifier was not provided to the driver. This could lead to a condition where a man-in-the-middle attacker could masquerade as a trusted server by presenting a certificate for the wrong host, as long as it was signed by a trusted CA.
Explanation: The postgresql package is vulnerable to Man-in-the-Middle (MitM) attacks. When a non-default SSL Factory is used, the postgresql JDBC driver does not validate the hostname of SSL certificates. An attacker can potentially exploit this behavior to perform a MitM attack.
Action: Switch to 42.2.5.
Linked issue: https://lf-onap.atlassian.net/browse/DCAEGEN2-1275#icft=DCAEGEN2-1275 - dcaegen2/services/son-handler security vulnerabilities (Open)
Repository: onap-dcaegen2-services-son-handler
Component (Group : Artifact : Version): org.springframework : spring-web : 5.0.9.RELEASE
Risk: Spring Framework version 5.1, versions 5.0.x prior to 5.0.10, versions 4.3.x prior to 4.3.20, and older unsupported versions on the 4.2.x branch support range requests when serving static resources through the ResourceHttpRequestHandler, or, starting in 5.0, when an annotated controller returns an org.springframework.core.io.Resource. A malicious user (or attacker) can add a Range header with a high number of ranges, with wide overlapping ranges, or both, to cause a denial of service.
Action: Switch to 5.0.11.RELEASE.
Linked issue: https://lf-onap.atlassian.net/browse/DCAEGEN2-1275#icft=DCAEGEN2-1275 - dcaegen2/services/son-handler security vulnerabilities (Open)
Repository: onap-dcaegen2-services-son-handler
Component (Group : Artifact : Version): dom4j : dom4j : 1.6.1
Risk (description from CVE): dom4j versions prior to 2.1.1 contain a CWE-91 (XML Injection) vulnerability in the Element class, methods addElement and addAttribute, that can result in an attacker tampering with XML documents through XML injection. The attack appears to be exploitable by an attacker specifying attributes or elements in the XML document. This vulnerability appears to have been fixed in 2.1.1 or later.
Explanation: The dom4j package is vulnerable to XML Injection. The QName() function in the QName class file does not properly sanitize the QName input attribute value(s). A remote attacker can exploit this vulnerability by injecting an XML object that contains arbitrary code in the element and attribute names, leading to XML Injection.
Action: No non-vulnerable version available. Request Exception.
Repository: onap-dcaegen2-services-son-handler
Component (Group : Artifact : Version): org.springframework.data : spring-data-commons-core : 1.0.0.RELEASE
Risk: Spring Data Commons versions 1.13 to 1.13.10, 2.0 to 2.0.5, and older unsupported versions contain a property path parser vulnerability caused by unlimited resource allocation. An unauthenticated remote malicious user (or attacker) can issue requests against Spring Data REST endpoints, or endpoints using property path parsing, which can cause a denial of service (CPU and memory consumption).
Action: No non-vulnerable version available. Request