Status: Done
Assignee: Former user (Deactivated)
Reporter: Former user (Deactivated)
Time tracking: 2h logged
Sprint: None
Priority: High
Created April 3, 2019 at 6:13 PM
Updated July 10, 2019 at 8:03 PM
Resolved April 10, 2019 at 2:36 AM
The following vulnerabilities were identified in the CLM scan.
1) Evaluate each identified risk. If the component is not impacted, provide a justification for each finding explaining why the vulnerability does not apply.
2) If impacted, upgrade or remove the dependency if a workaround exists, or upgrade the netty/play/zookeeper version as recommended (last column).
If a dependency cannot be removed for Dublin (e.g. Jackson databind) and no non-vulnerable version is available, identify it and provide a plan for how this could be resolved in a future release.
Repository: onap-dcaegen2-services-bbs-event-processor
Component: org.hibernate:hibernate-validator:5.2.4.Final
Finding: In Hibernate Validator 5.2.x before 5.2.5.Final, 5.3.x, and 5.4.x, when the security manager's reflective permissions, which allow access to the private members of a class, are granted to Hibernate Validator, a potential privilege escalation can occur. Because the calling code can reach those private members without holding the permission itself, an attacker may be able to validate an invalid instance and read the private member value via ConstraintViolation#getInvalidValue().
Recommendation: Upgrade to 5.3.6.Final

Repository: onap-dcaegen2-services-bbs-event-processor
Component: com.fasterxml.jackson.core:jackson-databind:2.97
Finding: The application is vulnerable by using this component when default typing is enabled and untrusted data is passed in to be deserialized.
Note: Spring Security has provided its own fix for this vulnerability (CVE-2017-4995). If this component is being used as part of Spring Security, then you are not vulnerable if you are running Spring Security 4.2.3.RELEASE or greater for 4.x, or Spring Security 5.0.0.M2 or greater for 5.x.
Recommendation: Can request an exception if this cannot be addressed in time for Dublin; will need to be handled for the E release.

Repository: onap-dcaegen2-services-bbs-event-processor
Component: com.fasterxml.jackson.core:jackson-databind:2.97
Finding: jackson-databind is vulnerable to Remote Code Execution (RCE). The validateSubType() function in the SubTypeValidator class allows untrusted Java objects to be deserialized. A remote attacker can exploit this by uploading a malicious serialized object that will result in RCE if the application attempts to deserialize it. Workaround: Do not use default typing. Instead you will need to implement your own.
Recommendation: Can request an exception if this cannot be addressed in time for Dublin; will need to be handled for the E release.

Repository: onap-dcaegen2-services-bbs-event-processor
Component: com.fasterxml.jackson.core:jackson-databind:2.97
Finding: The application is vulnerable by using this component when default typing is enabled and untrusted data is passed in to be deserialized. Workaround: Do not use default typing. Instead you will need to implement your own.
Recommendation: Can request an exception if this cannot be addressed in time for Dublin; will need to be handled for the E release.

Repository: onap-dcaegen2-services-bbs-event-processor
Component: com.fasterxml.jackson.datatype:jackson-datatype-jsr310:2.9.7
Finding: The FasterXML jackson-datatype-jsr310 package contains a Denial of Service (DoS) vulnerability. The deserialize() method in the DurationDeserializer class and the _fromDecimal() method in the InstantDeserializer class allow arbitrarily large BigDecimal initialization values. A remote attacker can exploit this vulnerability by crafting and submitting a request that causes the application to deserialize an inordinately large value, causing the application to hang and leading to a DoS situation. The application is vulnerable by using the DurationDeserializer or InstantDeserializer classes of this component to deserialize untrusted data.
Recommendation: Can request an exception if this cannot be addressed in time for Dublin; will need to be handled for the E release.
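The jackson-databind findings above hinge on default typing, where the JSON document itself names the Java class to instantiate. The following is an added example, not code from this ticket or from bbs-event-processor, showing the weak ObjectMapper setting beside the workaround the findings recommend: no default typing, with polymorphism declared per type through a closed @JsonSubTypes list. The event class names are hypothetical.

```java
// Added example (not from the ticket or the bbs-event-processor code). Class names
// DhcpEvent / ReRegistrationEvent and the "type" property are hypothetical.
import com.fasterxml.jackson.annotation.JsonSubTypes;
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;

public class DefaultTypingExample {

    // Weak setting flagged by the scan: global default typing lets untrusted JSON
    // choose any non-final Java class to instantiate during deserialization.
    static ObjectMapper weakMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping(ObjectMapper.DefaultTyping.NON_FINAL);
        return mapper;
    }

    // Workaround: leave default typing disabled and declare polymorphism per type.
    // Only the type ids listed here can ever be resolved to a class.
    @JsonTypeInfo(use = JsonTypeInfo.Id.NAME, property = "type")
    @JsonSubTypes({
        @JsonSubTypes.Type(value = DhcpEvent.class, name = "dhcp"),
        @JsonSubTypes.Type(value = ReRegistrationEvent.class, name = "reRegistration")
    })
    interface Event {}

    static final class DhcpEvent implements Event { public String macAddress; }
    static final class ReRegistrationEvent implements Event { public String pnfName; }

    static ObjectMapper hardenedMapper() {
        return new ObjectMapper(); // default typing stays off
    }

    public static void main(String[] args) throws Exception {
        ObjectMapper mapper = hardenedMapper();

        // Constructed sample input: a listed type id deserializes normally.
        Event ok = mapper.readValue(
            "{\"type\":\"dhcp\",\"macAddress\":\"00:11:22:33:44:55\"}", Event.class);
        System.out.println("accepted: " + ok.getClass().getSimpleName());

        // Constructed sample input: a type id outside the list is rejected before
        // any object of that class is created.
        try {
            mapper.readValue("{\"type\":\"java.util.HashMap\"}", Event.class);
        } catch (InvalidTypeIdException e) {
            System.out.println("rejected unknown type id: " + e.getTypeId());
        }
    }
}
```

weakMapper() is included only for contrast and is never used; the hardened path rejects unknown type ids with InvalidTypeIdException regardless of what class name the document supplies.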