This template is intended to be used to document the outcome of the impact analysis related to the known vulnerabilities reported by Nexus-IQ (CLM tab in Jenkins). Nexus-IQ can identify the known vulnerabilities contained in the components used by ONAP components.
...
The information related to Repository, Group, Artifact, Version and Problem Code is extracted from the CLM report (see the screenshot below).
| Repository | Group | Impact Analysis | Action |
|---|---|---|---|
| portal | com.fasterxml.jackson.core | False positive. Analysis: This vulnerability is not exposed from the portal's code, because Spring version 4.2.3 takes care of this. Comments from Nexus-IQ: Spring Security has provided their own fix for this vulnerability (CVE-2017-4995). If this component is being used as part of Spring Security, then you are not vulnerable if you are running Spring Security 4.2.3.RELEASE or greater for 4.x or Spring Security 5.0.0.M2 or greater for 5.x. | Not vulnerable in ONAP |
| portal | | | Vulnerability removed as per nexus-iq |
| | | | Vulnerability removed as per nexus-iq |
| portal | moments | All available versions of moment.js are vulnerable, so an upgrade is not an option. Analysis: Not vulnerable, as all our date fields are reformatted and validated before being submitted. See the CVE 185 information below: The moment package is vulnerable to Regular Expression Denial of Service (ReDoS). The monthsShortRegex(), monthsRegex(), weekdaysRegex(), weekdaysShortRegex(), and weekdaysMinRegex() functions in the moment.js, moment-with-locales.js, and regex.js files use a vulnerable regular expression while parsing the date input. A remote attacker can exploit this vulnerability by crafting a date input containing a very long sequence of repetitive characters which, when parsed, consumes available CPU resources and results in Denial of Service. | Not vulnerable in ONAP |
| portal, portal-sdk | angular | Analysis: Angular cannot be upgraded, as this would require changes on all the Portal pages. From our analysis the vulnerability cannot be exploited, because the portal application follows the design recommendation below from the nexus-iq report. Recommendation by nexus-iq for this vulnerability (SONATYPE-2016-0064): It's best to design your application in such a way that users cannot change client-side templates. | Not vulnerable in ONAP |
| portal | commons-beanutils | All available versions of commons-beanutils are vulnerable, so an upgrade is not an option. Analysis: The portal code does not use the classloader, so it is not vulnerable in ONAP. CVE CWE: 20 | Not vulnerable in ONAP |
| portal-sdk | org.apache.poi | Analysis: Not vulnerable, as we do not use POI to read documents; we use it only to generate XLS from our own data. CVE CWE: 399: Apache POI in versions prior to release 3.17 is vulnerable to Denial of Service attacks: 1) infinite loops while parsing crafted WMF, EMF, MSG and macros (POI bugs 61338 and 61294), and 2) Out of Memory exceptions while parsing crafted DOC, PPT and XLS (POI bugs 52372 and 61295). | Not vulnerable in ONAP |
| | | False positive. Analysis: This vulnerability is not exposed from the portal's code, because Spring version 4.2.3 takes care of this. Comments from Nexus-IQ: Spring Security has provided their own fix for this vulnerability (CVE-2017-4995). If this component is being used as part of Spring Security, then you are not vulnerable if you are running Spring Security 4.2.3.RELEASE or greater for 4.x or Spring Security 5.0.0.M2 or greater for 5.x. | Vulnerability removed as per nexus-iq |
| portal, portal-sdk | org.springframework | The springframework library is used all over the project, so its version has to be upgraded very carefully. At least the use of multiple versions should be resolved in Dublin - | Request exception |
| | | Not seen in the reports on the master branch as of 11 Oct 2018 | Vulnerability removed as per nexus-iq |
| portal-sdk | io.netty | It is not clear what the issue is based on the Nexus-IQ report information. | Request exception |
| portal, portal-sdk | commons-fileupload | If not a false positive, this can be handled by upgrading to a new version which does not have the vulnerability. | Target fix in Dublin release |
| portal-sdk | xerces | There is no non-vulnerable version of this package. | Request exception |
| portal-sdk | bootstrap | There is no non-vulnerable version of this package. | Request exception |
| | | Not seen in the reports on the master branch as of 11 Oct 2018 | Vulnerability removed as per nexus-iq |
| portal, portal-sdk | org.bouncycastle | If not a false positive, this can be handled by upgrading to a new version which does not have the vulnerability. Bouncy Castle Java Cryptography APIs have vulnerabilities. | Upgrade to version 1.6. |
| portal | org.codehaus.groovy | If not a false positive, this can be handled by upgrading to a new version which does not have the vulnerability. | |
| portal | org.eclipse.jetty | If not a false positive, this can be handled by upgrading to a new version which does not have the vulnerability. | |
| portal, portal-sdk | org.apache.lucene | Not used; this will be removed. | |
| portal | org.apache.tomcat.embed | There is no non-vulnerable version of this component/package. | |
| portal | org.apache.cxf | False positive. We do not use the code below, which is the vulnerable part: `System.setProperty("java.protocol.handler.pkgs", "com.sun.net.ssl.internal.www.protocol");` | Not Vulnerable |
| portal | org.hibernate | If not a false positive, this can be handled by upgrading to a new version which does not have the vulnerability. | |
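The moment.js row above relies on date fields being reformatted and validated before they are submitted. The following is an added example of such a pre-validation step, not code from the ONAP portal; it assumes an ISO `YYYY-MM-DD` input format and shows how a length bound plus a fixed-width, anchored pattern keeps the long repetitive inputs described in the ReDoS advisory away from any backtracking-prone parser.

```javascript
// Added example (not ONAP portal code): strict, bounded pre-validation for a
// date field. Assumed format: YYYY-MM-DD. Only inputs that pass this check
// would be handed to a date library such as moment.js.

const DATE_INPUT_LENGTH = 10; // "YYYY-MM-DD" is exactly 10 characters

// Anchored pattern with fixed-width groups only: no nested or ambiguous
// quantifiers, so matching time stays linear in the (already bounded) input.
const ISO_DATE = /^(\d{4})-(\d{2})-(\d{2})$/;

// Returns a normalized "YYYY-MM-DD" string, or null when the input is rejected.
function validateDateInput(raw) {
  if (typeof raw !== 'string') return null;
  const value = raw.trim();
  // Length check first: an oversized string never reaches the regex engine.
  if (value.length !== DATE_INPUT_LENGTH) return null;
  const m = ISO_DATE.exec(value);
  if (!m) return null;
  const year = Number(m[1]);
  const month = Number(m[2]);
  const day = Number(m[3]);
  if (month < 1 || month > 12 || day < 1) return null;
  // Date rolls invalid days over (e.g. Feb 30 becomes Mar 2); detect and reject.
  // setUTCFullYear is used instead of Date.UTC so years below 100 are not remapped.
  const d = new Date(0);
  d.setUTCFullYear(year, month - 1, day);
  if (d.getUTCFullYear() !== year || d.getUTCMonth() !== month - 1 || d.getUTCDate() !== day) {
    return null;
  }
  return `${m[1]}-${m[2]}-${m[3]}`;
}

// Constructed sample inputs, including a long repetitive string of the kind the
// advisory describes; it is rejected by the length check before any regex runs.
const SAMPLE_INPUTS = [
  '2018-10-11',
  ' 2018-02-28 ',
  '2018-02-30',
  '2018-13-01',
  '-'.repeat(100000),
];

// Returns [input (truncated for display), result] pairs for the samples.
function runSamples() {
  return SAMPLE_INPUTS.map((s) => [s.length > 20 ? `${s.slice(0, 10)}...(${s.length} chars)` : s,
                                   validateDateInput(s)]);
}
```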