This template is intended to be used to document the outcome of the impact analysis related to the known vulnerabilities reported by Nexus-IQ (CLM tab in Jenkins). Nexus-IQ can identify the known vulnerabilities contained in the third-party components used by ONAP components.

This table will be presented to the TSC at the Code Freeze milestone (M4).

It is recommended to first update to the latest available version of the third-party components. If the latest third-party components still report vulnerabilities, you must provide an impact analysis as illustrated in the example below.

If you have nested third-party components (a third-party component embedding another third-party component) and there is NO CVE number for the upstream third-party component (meaning the third-party component you are embedding), it is recommended to open a vulnerability issue on the upstream third-party component.

The following table addresses 2 different scenarios:

  • Confirmation of a vulnerability, including an action
  • False Positive

The information related to Repository, Group, Artifact, Version and Problem Code is extracted from the CLM report (see the screenshot below).

Table columns: Repository, Group, Impact Analysis, Action

Repository: dcaegen2/analytics/tca
Group: com.fasterxml.jackson.core

Vulnerable artifacts:

Dependency com.fasterxml.jackson.core:jackson-databind:jar:2.4.4 located at Module org.onap.dcaegen2.analytics.tca:dcae-analytics-aai:jar:2.2.0-SNAPSHOT

Dependency com.fasterxml.jackson.core:jackson-databind:jar:2.4.4 located at Module org.onap.dcaegen2.analytics.tca:dcae-analytics-cdap-common:jar:2.2.0-SNAPSHOT
Dependency com.fasterxml.jackson.core:jackson-databind:jar:2.4.4 located at Module org.onap.dcaegen2.analytics.tca:dcae-analytics-cdap-plugins:jar:2.2.0-SNAPSHOT
Dependency com.fasterxml.jackson.core:jackson-databind:jar:2.4.4 located at Module org.onap.dcaegen2.analytics.tca:dcae-analytics-cdap-tca:jar:2.2.0-SNAPSHOT
Dependency com.fasterxml.jackson.core:jackson-databind:jar:2.4.4 located at Module org.onap.dcaegen2.analytics.tca:dcae-analytics-common:jar:2.2.0-SNAPSHOT
Dependency com.fasterxml.jackson.core:jackson-databind:jar:2.4.4 located at Module org.onap.dcaegen2.analytics.tca:dcae-analytics-dmaap:jar:2.2.0-SNAPSHOT
Dependency com.fasterxml.jackson.core:jackson-databind:jar:2.4.4 located at Module org.onap.dcaegen2.analytics.tca:dcae-analytics-it:jar:2.2.0-SNAPSHOT
Dependency com.fasterxml.jackson.core:jackson-databind:jar:2.4.4 located at Module org.onap.dcaegen2.analytics.tca:dcae-analytics-model:jar:2.2.0-SNAPSHOT
Dependency com.fasterxml.jackson.core:jackson-databind:jar:2.4.4 located at Module org.onap.dcaegen2.analytics.tca:dcae-analytics-tca:jar:2.2.0-SNAPSHOT

Although the offending dependency appears in all of the above artifacts, it is a direct dependency only of "dcae-analytics-model"; all other uses are transitive dependencies through this artifact. Hence the analysis below applies to the "dcae-analytics-model" artifact.

Vulnerability report:

False Positive Classification Reasoning

There is no use of BeanDeserializerFactory class in artifact "dcae-analytics-model". Hence we believe that this vulnerability report is a false positive.

Jira: DCAEGEN2-412

Repository: dcaegen2/analytics/tca
Group: com.fasterxml.jackson.core

Vulnerable artifacts:

<same as jackson-databind 2.4.4 above>

False Positive Classification Reasoning

There is no use of either UTF8StreamJsonParser or ReaderBasedJsonParser class in artifact "dcae-analytics-model". Hence we believe that this vulnerability report is a false positive.

Jira: DCAEGEN2-412

Repository: dcaegen2/platform/inventory-api
Group: com.fasterxml.jackson.core

Vulnerable artifact:

False Positive Classification Reasoning

According to this description, and the fact that the org.onap.dcaegen2.platform:inventory-api code does not enable the use of global type information (using the class name as the type id), we believe that this report is a false positive.

Jira: DCAEGEN2-423


Repository: dcaegen2/collectors/ves
Group: com.fasterxml.jackson.core

Vulnerable artifact:

Dependency com.fasterxml.jackson.core:jackson-databind:jar:2.8.11 located at Module org.onap.dcaegen2.collectors.ves:VESCollector:jar

Vulnerability report:

CVE-2017-7525 originally reports that the application is vulnerable by using this component when default typing is enabled. More details about the vulnerability are provided at https://github.com/FasterXML/jackson-docs/wiki/JacksonPolymorphicDeserialization.

False Positive Classification Reasoning:

The org.onap.dcaegen2.collectors.ves:VESCollector code does not enable the use of global type information (using the class name as the type id). Moreover, VESCollector invokes json-schema-validator, which is where jackson-databind is used, after event serialization, primarily for schema validation. Thus we believe that the reported vulnerability is a false positive.

Jira: DCAEGEN2-446

Repository: dcaegen2/services/mapper
Group: com.fasterxml.jackson.core

Vulnerable artifact:

Vulnerability report: incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath.

False Positive Classification Reasoning:

In mapper, Jackson is only used for converting from POJO to JSON, not the other direction, which is the one reported as vulnerable by CVE-2018-7489. The member call used is ObjectMapper.writeValueAsString, not the risky readValue method. Thus we believe the report is a false positive.

Jira: DCAEGEN2-467


Repository: dcaegen2/services/mapper
Group: com.fasterxml.jackson.core

Vulnerable artifact:

Dependency com.fasterxml.jackson.core:jackson-databind:jar:2.9.5 located at Module org.onap.dcaegen2.services.mapper.vesadapter:UniversalVesAdapter:jar:0.0.1

Vulnerability report:

jackson-databind is vulnerable to Remote Code Execution (RCE). A remote attacker can exploit this by uploading a malicious serialized object that will result in RCE if the application attempts to deserialize it.

False Positive Classification Reasoning:

In mapper, Jackson is only used for converting from POJO to JSON, not the other direction, which is the one reported as vulnerable by CVE-2018-7489. The member call used is ObjectMapper.writeValueAsString, not the risky readValue method. Thus we believe the report is a false positive.

Jira: DCAEGEN2-467

Repository: dcaegen2/services/mapper
Group: org.springframework

Vulnerable artifact:

Dependency org.springframework:spring-webmvc:jar:5.0.4.RELEASE located at Module org.onap.dcaegen2.services.mapper.vesadapter:snmpmapper:jar:0.0.1

Vulnerability report:

older unsupported versions, allow applications to configure Spring MVC to serve static resources (e.g. CSS, JS, images). When static resources are served from a file system on Windows (as opposed to the classpath, or the ServletContext), a malicious user can send a request using a specially crafted URL that can lead to a directory traversal attack.

False Positive Classification Reasoning:

The identified vulnerability exists only when serving static artifacts from a Windows host. Our use is neither on a Windows host nor serving static files. Therefore we believe this is a false positive.

Jira: DCAEGEN2-467


Repository: dcaegen2/services/mapper
Group: org.springframework

Vulnerable artifact:

Dependency org.springframework:spring-expression:jar:5.0.4.RELEASE located at Module org.onap.dcaegen2.services.mapper.vesadapter:snmpmapper:jar:0.0.1

Vulnerability report:

older unsupported versions, allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a remote code execution attack.

False Positive Classification Reasoning:

In mapper, there is no use of STOMP over WebSocket. Therefore we believe that this is a false positive.

Jira: DCAEGEN2-467


Repository: dcaegen2/services/prh
Group: com.fasterxml.jackson.core

incomplete fix for the CVE-2017-7525 deserialization flaw

FasterXML 2.9.5, released in March 2018, is supposed to correct this behavior (currently in tests).

After the FasterXML upgrade to 2.9.5 we still have negative CLM scan results; we will keep looking at newer FasterXML versions that provide a permanent correction of the bugs found in 2.9.x.

Jira: DCAEGEN2-426

All vulnerabilities addressed, according to the CLM scan on 04/21. https://nexus-iq.wl.linuxfoundation.org/assets/index.html#/reports/dcaegen2-services-prh/a66b0ace9ec046c18cda082800e0fddc


Repository: dcaegen2/analytics/tca-gen2
Group: org.springframework

spring-aop

Vulnerability report:

CVE-2018-1258

Action: Update spring-aop to newer version 5.0.8.RELEASE

Repository: dcaegen2/analytics/tca-gen2
Group: org.springframework.data

spring-data-commons

Vulnerability report:

CVE-2018-1259

Action: Update spring-data-commons to version 2.0.8.RELEASE

Repository: dcaegen2/analytics/tca-gen2
Group: com.fasterxml.jackson.core

Vulnerable artifacts:

Dependency com.fasterxml.jackson.core:jackson-databind:jar:2.9.5 located at Module org.onap.dcaegen2.analytics.tca-gen2:dcae-analytics-model:jar:3.0.0-SNAPSHOT
Dependency com.fasterxml.jackson.core:jackson-databind:jar:2.9.5 located at Module org.onap.dcaegen2.analytics.tca-gen2:dcae-analytics-tca-core:jar:3.0.0-SNAPSHOT
Dependency com.fasterxml.jackson.core:jackson-databind:jar:2.9.5 located at Module org.onap.dcaegen2.analytics.tca-gen2:dcae-analytics-tca-model:jar:3.0.0-SNAPSHOT
Dependency com.fasterxml.jackson.core:jackson-databind:jar:2.9.5 located at Module org.onap.dcaegen2.analytics.tca-gen2:dcae-analytics-tca-web:jar:3.0.0-SNAPSHOT
Dependency com.fasterxml.jackson.core:jackson-databind:jar:2.9.5 located at Module org.onap.dcaegen2.analytics.tca-gen2:dcae-analytics-test:jar:3.0.0-SNAPSHOT
Dependency com.fasterxml.jackson.core:jackson-databind:jar:2.9.5 located at Module org.onap.dcaegen2.analytics.tca-gen2:dcae-analytics-web:jar:3.0.0-SNAPSHOT

Vulnerability report:

SONATYPE-2017-0312

jackson-databind is vulnerable to Remote Code Execution (RCE). The createBeanDeserializer() function in the BeanDeserializerFactory class allows untrusted Java objects to be deserialized. A remote attacker can exploit this by uploading a malicious serialized object that will result in RCE if the application attempts to deserialize it.

False Positive Classification Reasoning (to be confirmed):

If it is confirmed that Jackson is only used for converting from POJO to JSON, not the other direction (the one reported as vulnerable by CVE-2018-7489), then the member call used is ObjectMapper.writeValueAsString, not the risky readValue method.

Repository: dcaegen2/analytics/tca
Group: com.fasterxml.jackson.core

Vulnerable artifacts:

Dependency com.fasterxml.jackson.core:jackson-core:jar:2.4.4 located at Module org.onap.dcaegen2.analytics.tca:dcae-analytics-aai:jar:2.2.1-SNAPSHOT
Dependency com.fasterxml.jackson.core:jackson-core:jar:2.4.4 located at Module org.onap.dcaegen2.analytics.tca:dcae-analytics-cdap-common:jar:2.2.1-SNAPSHOT
Dependency com.fasterxml.jackson.core:jackson-core:jar:2.4.4 located at Module org.onap.dcaegen2.analytics.tca:dcae-analytics-cdap-plugins:jar:2.2.1-SNAPSHOT
Dependency com.fasterxml.jackson.core:jackson-core:jar:2.4.4 located at Module org.onap.dcaegen2.analytics.tca:dcae-analytics-cdap-tca:jar:2.2.1-SNAPSHOT
Dependency com.fasterxml.jackson.core:jackson-core:jar:2.4.4 located at Module org.onap.dcaegen2.analytics.tca:dcae-analytics-common:jar:2.2.1-SNAPSHOT
Dependency com.fasterxml.jackson.core:jackson-core:jar:2.4.4 located at Module org.onap.dcaegen2.analytics.tca:dcae-analytics-dmaap:jar:2.2.1-SNAPSHOT
Dependency com.fasterxml.jackson.core:jackson-core:jar:2.4.4 located at Module org.onap.dcaegen2.analytics.tca:dcae-analytics-it:jar:2.2.1-SNAPSHOT
Dependency com.fasterxml.jackson.core:jackson-core:jar:2.4.4 located at Module org.onap.dcaegen2.analytics.tca:dcae-analytics-model:jar:2.2.1-SNAPSHOT
Dependency com.fasterxml.jackson.core:jackson-core:jar:2.4.4 located at Module org.onap.dcaegen2.analytics.tca:dcae-analytics-tca:jar:2.2.1-SNAPSHOT

Vulnerability report:

CVE-2017-7525

False Positive Classification Reasoning

There is no use of the BeanDeserializerFactory class in artifact "dcae-analytics-model". Hence we believe that this vulnerability report is a false positive.

Jira: DCAEGEN2-412

Repository: dcaegen2/analytics/tca
Group: com.fasterxml.jackson.core

Vulnerable artifacts:

<same as jackson-databind 2.4.4 above>

Vulnerability report:

SONATYPE-2016-0397

SONATYPE-2017-0355

False Positive Classification Reasoning (to be confirmed)

There is no use of either the UTF8StreamJsonParser or the ReaderBasedJsonParser class in artifact "dcae-analytics-model".

Repository: dcaegen2/collectors/datafile
Group: org.apache.tomcat.embed

tomcat-embed-core

Vulnerability report:

CVE-2018-8014

Action: Update tomcat-embed-core to version 8.5.32

Repository: dcaegen2/collectors/datafile
Group: org.bouncycastle

bcprov-jdk15on

Vulnerability report:

CVE-2018-1000613

CVE-2018-1000180

Action: Upgrade version. This appears to be fixed in versions BC 1.60 beta 4 and later, BC-FJA 1.0.2 and later.

Repository: dcaegen2/collectors/datafile
Group: com.fasterxml.jackson.core

Vulnerable artifacts:

Dependency com.fasterxml.jackson.core:jackson-databind:jar:2.9.5 located at Module org.onap.dcaegen2.collectors.datafile:datafile-app-server:jar:1.0.0-SNAPSHOT

Vulnerability report:

SONATYPE-2017-0312

jackson-databind is vulnerable to Remote Code Execution (RCE). The createBeanDeserializer() function in the BeanDeserializerFactory class allows untrusted Java objects to be deserialized. A remote attacker can exploit this by uploading a malicious serialized object that will result in RCE if the application attempts to deserialize it.

Action: To be assessed whether any alternative exists, or whether Jackson is only used for converting JSON to POJO only (the reverse is flagged under 502), or whether the below is true:

If this component is being used as part of Spring Security, then you are not vulnerable if you are running Spring Security 4.2.3.RELEASE or greater for 4.x or Spring Security 5.0.0.M2 or greater for 5.x (CVE-2017-4995).

dcaegen2/collectors/datafile org.springframework

Vulnerability report

CVE-2018-1258

 Update spring-aop to newer version 5.0.8.RELEASE version dcaegen2/collectors/hv-vescom.fasterxml.jackson.core:jackson-core:jar:2.4.4 located at Module org.onap.dcaegen2.analytics.tca:dcae-analytics-common:jar:2.2.1-SNAPSHOT

jackson-databind


Vulnerable artifacts:

Dependency com.fasterxml.jackson.core:jackson-

core

databind:jar:2.

4

9.4 located at Module org.onap.dcaegen2.

analytics

collectors.

tca

hv-ves:

dcae

hv-

analytics

collector-

dmaap

coverage:

jar

pom:

2

1.

2

0.

1

0-SNAPSHOT
Dependency com.fasterxml.jackson.core:jackson-

core

databind:jar:2.

4

9.4 located at Module org.onap.dcaegen2.

analytics

collectors.

tca

hv-ves:

dcae

hv-

analytics

collector-

it

ct:jar:

2

1.

2

0.

1

0-SNAPSHOT
Dependency com.fasterxml.jackson.core:jackson-

core

databind:jar:2.

4

9.4 located at Module org.onap.dcaegen2.

analytics

collectors.

tca:

hv-ves:hv-collector-dcae-

analytics

app-

model

simulator:jar:

2

1.

2

0.

1

0-SNAPSHOT
Dependency com.fasterxml.jackson.core:jackson-

core

databind:jar:2.

4

9.4 located at Module org.onap.dcaegen2.

analytics

collectors.

tca

hv-ves:

dcae

hv-

analytics

collector-

tca

utils:jar:

2

1.

2

0.

1-SNAPSHOT

Vulnerability report:

CVE-2017-7525

False Positive Classification Reasoning

There is no use of BeanDeserializerFactory class in artifact "dcae-analytics-model". Hence we believe that this vulnerability report is a false positive.

Jira Legacy
serverSystem Jira
serverId4733707d-2057-3a0f-ae5e-4fd8aff50176
keyDCAEGEN2-412

dcaegen2/analytics/tca

0-SNAPSHOT
Dependency com.fasterxml.jackson.core

Vulnerable artifacts:

<same as jackson-databind 2.4.4 above>

Vulnerability report:

SONATYPE-2016-0397

SONATYPE-2017-0355

False Positive Classification Reasoning to be confirmed

There is no use of either UTF8StreamJsonParser or ReaderBasedJsonParser class in artifact "dcae-analytics-model".

dcaegen2/collectors/datafileorg.apache.tomcat.embed 

tomcat-embed-core

Vulnerability report

:jackson-databind:jar:2.9.4 located at Module org.onap.dcaegen2.collectors.hv-ves:hv-collector-xnf-simulator:jar:1.0.0-SNAPSHOT

Vulnerability report:

CVE-2018-7489

To be assessed if any alternative or Jackson is only used for converting between JSON to POJO only (reverse is flagged under 502 or if below is true

 If this component is being used as part of Spring Security, then you are not vulnerable if you are running Spring Security 4.2.3.RELEASE or greater for 4.x or Spring Security 5.0.0.M2 or greater for 5.x. (CVE-2017-4995).

 dcaegen2/collectors/ves org.apache.tomcat.embed

tomcat-embed-core 

Vulnerability report:

CVE-2018-8014

 Update tomcat-embed-core to 8.5.32 versiondcaegen2/collectors/datafile org.bouncycastle 

bcprov-jdk15on

Vulnerability report

CVE-2018-1000613

CVE-2018-1000180

Upgrade version. This appears to be fixed in versions BC 1.60 beta 4 and later, BC-FJA 1.0.2 and later..5.32 versiondcaegen2/collectors/datafileves com com.fasterxml.jackson.corejackson-databind 

Vulnerable artifacts:

Dependency com.fasterxml.jackson.core:jackson-databind:jar:2.9.56 located at Module org.onap.dcaegen2.collectors.datafile:datafile-app-serverves:VESCollector:jar:1.03.01-SNAPSHOT

Vulnerability report:

SONATYPE-2017-0312

jackson-databind is vulnerable to Remote Code Execution (RCE). The createBeanDeserializer() function in the BeanDeserializerFactory class allows untrusted Java objects to be deserialized. A remote attacker can exploit this by uploading a malicious serialized object that will result in RCE if the application attempts to deserialize it.

To be assessed if any alternative or Jackson is only used for converting between JSON to POJO only (reverse is flagged under 502 or if below is true

If this component is being used as part of Spring Security, then you are not vulnerable if you are running Spring Security 4.2.3.RELEASE or greater for 4.x or Spring Security 5.0.0.M2 or greater for 5.x. (CVE-2017-4995).

dcaegen2/collectors/datafile org.springframework

Vulnerability report

CVE-2018-1258

 Update spring-aop to newer version 5.0.8.RELEASE version dcaegen2/collectors/hv-vescom.fasterxml.jackson.core

jackson-databind

Vulnerable artifacts:

Dependency com.fasterxml.jackson.core:jackson-databind:jar:2.9.4 located at Module org.onap.dcaegen2.collectors.hv-ves:hv-collector-coverage:pom:1.0.0-SNAPSHOT
Dependency com.fasterxml.jackson.core:jackson-databind:jar:2.9.4 located at Module org.onap.dcaegen2.collectors.hv-ves:hv-collector-ct:jar:1.0.0-SNAPSHOT
Dependency com.fasterxml.jackson.core:jackson-databind:jar:2.9.4 located at Module org.onap.dcaegen2.collectors.hv-ves:hv-collector-dcae-app-simulator:jar:1.0.0-SNAPSHOT
Dependency com.fasterxml.jackson.core:jackson-databind:jar:2.9.4 located at Module org.onap.dcaegen2.collectors.hv-ves:hv-collector-utils:jar:1.0.0-SNAPSHOT
Dependency com.fasterxml.jackson.core:jackson-databind:jar:2.9.4 located at Module org.onap.dcaegen2.collectors.hv-ves:hv-collector-xnf-simulator:jar:1.0.0-SNAPSHOT

502


False Positive Classification Reasoning

The application is only vulnerable through this component when default typing is enabled and untrusted data is passed in to be deserialized, which is not the case here.
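As an added illustration of the condition this reasoning relies on (example code written for this page, not part of the hv-ves or any other ONAP code base): the weak ObjectMapper setting that enables polymorphic default typing, beside the plain JSON-to-POJO binding the table describes, and a check a unit test can run against the application's real mapper. It assumes jackson-databind 2.9.x on the classpath; the VesEvent class and its field names are a constructed stand-in.

```java
import com.fasterxml.jackson.databind.JavaType;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.TypeResolverBuilder;

// Added example for this page, not project code. A jackson-databind
// deserialization report is a false positive only while default typing is off:
// without it, a type id embedded in attacker-controlled JSON is never honoured,
// and binding is limited to the concrete POJO the caller names.
public class DefaultTypingCheck {

    // Constructed stand-in for an event POJO; field names are illustrative.
    public static class VesEvent {
        public String domain;
        public String eventId;
    }

    // Weak setting: default typing on, so the payload may name the class to build.
    // This is the configuration the false-positive reasoning says is NOT in use.
    static ObjectMapper weakMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping(ObjectMapper.DefaultTyping.OBJECT_AND_NON_CONCRETE);
        return mapper;
    }

    // Corrected setting: the 2.9.x default, with no default typing at all.
    static ObjectMapper safeMapper() {
        return new ObjectMapper();
    }

    // True when the mapper would apply a type resolver to Object-valued targets,
    // i.e. when type ids carried in untrusted JSON would be acted on.
    static boolean defaultTypingEnabled(ObjectMapper mapper) {
        JavaType objectType = mapper.getTypeFactory().constructType(Object.class);
        TypeResolverBuilder<?> typer = mapper.getDeserializationConfig().getDefaultTyper(objectType);
        return typer != null;
    }

    public static void main(String[] args) throws Exception {
        // Plain JSON -> POJO binding; this is the use the table classifies as safe.
        String json = "{\"domain\":\"fault\",\"eventId\":\"ev-0001\"}";   // constructed input
        VesEvent event = safeMapper().readValue(json, VesEvent.class);
        System.out.println("bound event: " + event.domain + " / " + event.eventId);

        // The check a startup test or CI assertion can make against the real mapper bean.
        System.out.println("weak mapper default typing: " + defaultTypingEnabled(weakMapper()));
        System.out.println("safe mapper default typing: " + defaultTypingEnabled(safeMapper()));
        if (defaultTypingEnabled(safeMapper())) {
            throw new IllegalStateException("default typing is enabled on a mapper fed untrusted input");
        }
    }
}
```

In a project, point defaultTypingEnabled() at the ObjectMapper bean the collector actually injects, so the false-positive classification is re-verified on every build rather than once at M4.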

dcaegen2/platform/inventory-api  com.fasterxml.jackson.core  jackson-databind

Vulnerable artifacts:

Dependency com.fasterxml.jackson.core:jackson-databind:jar:2.8.7 located at Module org.onap.dcaegen2.platform:inventory-api:jar:3.0.3

Vulnerability report:

CVE-2017-7525

jackson-databind is vulnerable to Remote Code Execution (RCE). The createBeanDeserializer() function in the BeanDeserializerFactory class allows untrusted Java objects to be deserialized. A remote attacker can exploit this by uploading a malicious serialized object that will result in RCE if the application attempts to deserialize it.

 

False Positive Classification Reasoning

According to this description, and given that the org.onap.dcaegen2.platform:inventory-api code does not enable the use of global type information (using the class name as the type id), we believe that this report is a false positive.

dcaegen2/platform/inventory-api  org.eclipse.jetty  jetty-http, 9.4.2.v20170220

Vulnerability report:

CVE-2017-7657

CVE-2017-7658

Upgrade to latest version - 9.4.12.v20180830

dcaegen2/platform/inventory-api  org.eclipse.jetty  jetty-server, 9.4.2.v20170220

Vulnerability report:

CVE-2018-12538

Upgrade to latest version - 9.4.12.v20180830

dcaegen2/services/mapper  org.codehaus.groovy  groovy-all, 2.4.4

Vulnerability report:

CVE-2016-6814

Upgrade to latest version - 2.4.15

dcaegen2/services/mapper  org.apache.tomcat.embed  tomcat-embed-core, 8.5.31

Vulnerability report:

CVE-2018-8014

Update tomcat-embed-core to 8.5.32 version

dcaegen2/services/mapper  org.springframework  spring-expression, 5.0.3.RELEASE

Vulnerability report:

CVE-2018-1270

Update to 5.0.9.RELEASE version

dcaegen2/services/mapper  com.fasterxml.jackson.core  jackson-databind, 2.9.5

Vulnerable artifacts:

Dependency com.fasterxml.jackson.core:jackson-databind:jar:2.9.5 located at Module org.onap.dcaegen2.services.mapper.vesadapter:UniversalVesAdapter:jar:0.0.1

Vulnerability report:

SONATYPE-2017-0312

jackson-databind is vulnerable to Remote Code Execution (RCE). The createBeanDeserializer() function in the BeanDeserializerFactory class allows untrusted Java objects to be deserialized. A remote attacker can exploit this by uploading a malicious serialized object that will result in RCE if the application attempts to deserialize it.

 

To be assessed. The Jackson version can be updated to 2.9.6 (for consistency within the application), after which the recommendation below for 2.9.6 applies.

dcaegen2/services/mapper  com.fasterxml.jackson.core  jackson-databind, 2.9.6

Vulnerable artifacts:

Dependency com.fasterxml.jackson.core:jackson-databind:jar:2.9.6 located at Module org.onap.dcaegen2.services.mapper:snmpmapper:jar:0.0.1-SNAPSHOT

Vulnerability report:

SONATYPE-2017-0312

jackson-databind is vulnerable to Remote Code Execution (RCE). The createBeanDeserializer() function in the BeanDeserializerFactory class allows untrusted Java objects to be deserialized. A remote attacker can exploit this by uploading a malicious serialized object that will result in RCE if the application attempts to deserialize it.

502

False Positive Classification Reasoning

The application is only vulnerable through this component when default typing is enabled and untrusted data is passed in to be deserialized, which is not the case here.


dcaegen2/services/mapper  org.springframework.data  spring-data-commons, 2.0.6.RELEASE

Vulnerability report:

CVE-2018-1259

Update to 2.0.8.RELEASE version

dcaegen2/services/mapper  xerces  xercesImpl, 2.11.0-atlassian-01

Vulnerability report:

CVE-2012-0881

Update to 2.12.0 version

dcaegen2/services/mapper  org.apache.httpcomponents  httpclient, 4.5.2

Vulnerability report:

SONATYPE-2017-0359

Sonatype CWE: 22

The Apache httpcomponents component is vulnerable to Directory Traversal. The normalizePath() function in the URIBuilder class allows directory traversal characters such as ../. An attacker can exploit this vulnerability by sending a specially crafted request containing this sequence in the URL path, allowing the attacker to traverse beyond the allowed directory and retrieve the contents of arbitrary files from the server, leading to information disclosure.

Update to 4.5.3 or later

dcaegen2/services/mapper  org.springframework  spring-core, 5.0.3.RELEASE

Vulnerability report:

CVE-2018-1272

Update to 5.0.5.RELEASE or later

dcaegen2/services/prh  org.apache.tomcat.embed  tomcat-embed-core, 8.5.28

Vulnerability report:

CVE-2018-8014

Update to 8.5.32 version

dcaegen2/services/prh  org.bouncycastle

bcprov-jdk15on, 1.59

Vulnerable artifacts:

Dependency org.bouncycastle:bcprov-jdk15on:jar:1.59 located at Module org.onap.dcaegen2.services.prh:prh-app-server:jar:1.0.0-SNAPSHOT

Vulnerability report:

CVE-2018-1000613

CVE-2018-1000180

No alternate (unflagged) version available. To be assessed if this dependency can be removed.

dcaegen2/services/prh  com.fasterxml.jackson.core  jackson-databind, 2.9.6

Vulnerable artifacts:

Dependency com.fasterxml.jackson.core:jackson-databind:jar:2.9.6 located at Module org.onap.dcaegen2.services.mapper:snmpmapper:jar:0.0.1-SNAPSHOT

Vulnerability report:

SONATYPE-2017-0312

jackson-databind is vulnerable to Remote Code Execution (RCE). The createBeanDeserializer() function in the BeanDeserializerFactory class allows untrusted Java objects to be deserialized. A remote attacker can exploit this by uploading a malicious serialized object that will result in RCE if the application attempts to deserialize it.

To be assessed whether an alternative exists, or whether Jackson is only used for converting JSON to POJOs (the reverse direction is flagged under 502), or whether the condition below holds:

If this component is being used as part of Spring Security, then you are not vulnerable if you are running Spring Security 4.2.3.RELEASE or greater for 4.x or Spring Security 5.0.0.M2 or greater for 5.x. (CVE-2017-4995).

 

  
