This template is intended to document the outcome of the impact analysis of the known vulnerabilities reported by Nexus-IQ (CLM tab in Jenkins). Nexus-IQ identifies known vulnerabilities in the third-party components used by ONAP components.

This table will be presented to the TSC at the Code Freeze milestone (M4).

It is recommended to first update to the latest available version of the third-party components. If the latest version still reports vulnerabilities, you must provide an impact analysis as illustrated in the example below.

Where you have nested third-party components (a third-party component embedding another third-party component) and there is NO CVE number for the upstream component (the third-party component you are embedding), it is recommended to open a vulnerability issue against the upstream component.

...

The information related to Repository, Group, Artifact, Version and Problem Code is extracted from the CLM report (see the screenshots at the bottom of the page).

Columns: Repository | Group | Impact Analysis | Action

Repository: portal
Group: com.fasterxml.jackson.core
Impact Analysis:

False positive.

Analysis: This vulnerability is not exposed through the portal's code, because

  1. The portal does not pass any untrusted data for deserialization, as XSS/XSRF validation is enabled in the portal's backend code.
  2. Default typing (ObjectMapper.enableDefaultTyping() / setDefaultTyping()) is never called: the portal binds only to concrete Java types.
  3. The portal uses Spring Security 4.2.3, as recommended in the Nexus-IQ report.

Spring Security 4.2.3 takes care of this. Note that XSS/XSRF input validation does not by itself stop a deserialization gadget chain; points 2 and 3 are the controlling factors.

Comments from Nexus-IQ: Spring Security has provided their own fix for this vulnerability (CVE-2017-4995). If this component is being used as part of Spring Security, then you are not vulnerable if you are running Spring Security 4.2.3.RELEASE or greater for 4.x or Spring Security 5.0.0.M2 or greater for 5.x.

Action: Not vulnerable in ONAP
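Points 2 and 3 above are the verifiable part of this analysis. The example below is added here as an illustration and is not Portal code: it builds two ObjectMapper configurations and feeds each a constructed payload in the shape the Jackson gadget-chain reports use (a JSON array whose first element names the class to instantiate), showing that only the mapper with default typing enabled consults the attacker-supplied class name. The DTO, the payloads and the class name are made up; it assumes jackson-databind 2.8 or later, which introduced InvalidTypeIdException.

```java
import java.io.IOException;

import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.ObjectMapper.DefaultTyping;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;

public final class JacksonDefaultTypingCheck {

    // Constructed DTO in the style of a request body: concrete field types
    // only (no Object, Serializable or interface-typed fields). It is left
    // non-final so that NON_FINAL default typing would apply to it.
    public static class UserPreference {
        public String theme;
        public int pageSize;
    }

    // Constructed inputs. The second is the shape polymorphic-typing attacks
    // rely on: the JSON itself tells the mapper which class to instantiate.
    static final String PLAIN_JSON = "{\"theme\":\"dark\",\"pageSize\":20}";
    static final String TYPED_JSON =
        "[\"com.example.NotOnTheClasspath\",{\"theme\":\"dark\",\"pageSize\":20}]";

    // Weak configuration: global default typing. The class name inside the
    // JSON becomes authoritative, so any gadget class on the classpath can be
    // instantiated. This is the call the analysis says Portal never makes.
    public static ObjectMapper weakMapper() {
        ObjectMapper m = new ObjectMapper();
        m.enableDefaultTyping(DefaultTyping.NON_FINAL);
        return m;
    }

    // Expected configuration: default typing left off, binding only to the
    // concrete class named in code.
    public static ObjectMapper safeMapper() {
        return new ObjectMapper();
    }

    // Returns the class name the mapper tried to resolve from the JSON, or
    // null when the mapper never treated the JSON as a source of type names.
    public static String typeIdConsulted(ObjectMapper mapper, String json) {
        try {
            mapper.readValue(json, UserPreference.class);
            return null;                 // bound normally, no type id involved
        } catch (InvalidTypeIdException e) {
            return e.getTypeId();        // mapper honoured the attacker-chosen class name
        } catch (JsonMappingException e) {
            return null;                 // shape mismatch: the array was not read as a type id
        } catch (IOException e) {
            throw new IllegalStateException(e);
        }
    }

    public static void main(String[] args) {
        System.out.println("safe mapper, plain payload -> type id consulted: "
            + typeIdConsulted(safeMapper(), PLAIN_JSON));   // null
        System.out.println("safe mapper, typed payload -> type id consulted: "
            + typeIdConsulted(safeMapper(), TYPED_JSON));   // null
        System.out.println("weak mapper, typed payload -> type id consulted: "
            + typeIdConsulted(weakMapper(), TYPED_JSON));   // com.example.NotOnTheClasspath
    }
}
```

A useful property of this check is that it needs no gadget class at all: the point is whether the mapper resolves the name in the JSON, not whether that name happens to be exploitable on a given classpath.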

Repository: portal
Group: javax.servlet
Impact Analysis: No clear instruction on what to upgrade to.
Action: Vulnerability removed as per nexus-iq

Repository: portal-sdk
Group: commons-httpclient
Impact Analysis: The recommendation is to use org.apache.httpcomponents. But we are not directly using the said package/class; it comes in as a transitive dependency.
Action: Vulnerability removed as per nexus-iq

Repository: portal
Group: moment
Impact Analysis:

All available versions of moment.js are vulnerable. Upgrade is not an option.

Analysis: Not vulnerable, as all our date fields are reformatted and validated before being submitted. See below.

CWE 185 (Incorrect Regular Expression) information: The moment package is vulnerable to Regular Expression Denial of Service (ReDoS). The monthsShortRegex(), monthsRegex(), weekdaysRegex(), weekdaysShortRegex(), and weekdaysMinRegex() functions in the moment.js, moment-with-locales.js, and regex.js files use a vulnerable regular expression while parsing date input. A remote attacker can exploit this vulnerability by crafting a date input containing a very long sequence of repetitive characters which, when parsed, consumes the available CPU and results in Denial of Service.

Action: Not vulnerable in ONAP
Repository: portal, portal-sdk
Group: angular
Impact Analysis:

Analysis: Cannot upgrade angular, as this would require changes on all the Portal pages.

From our analysis the vulnerability cannot be exploited, because the portal application follows the design recommendations below from the Nexus-IQ report.

Recommendation by Nexus-IQ for this vulnerability (SONATYPE-2016-0064):

It's best to design your application in such a way that users cannot change client-side templates.

  • Do not mix client and server templates
  • Do not use user input to generate templates dynamically
  • Do not run user input through $scope.$eval (or any of the other expression parsing functions listed above)
  • Consider using CSP (the ngCsp directive), but don't rely only on CSP

Action: Not vulnerable in ONAP


Repository: portal
Group: commons-beanutils
Impact Analysis:

All available versions of commons-beanutils are vulnerable. Upgrade is not an option.

Analysis: The portal code does not use the classloader, so it is not vulnerable in ONAP. (The exposure is through the "class" bean property, reachable wherever BeanUtils.populate() or PropertyUtils is fed request parameters, rather than through direct use of a ClassLoader in application code; the analysis therefore rests on Portal not populating beans from untrusted parameters.)

CWE: 20
Description from CVE:
Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1.

Action: Not vulnerable in ONAP
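The example below is added as an illustration (not Portal code) of the check and the hardening a practitioner would apply for this finding: it resolves the "class.classLoader" path through a default BeanUtilsBean and through one configured with SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS, then populates a constructed form bean from constructed request parameters that include a "class.*" key. The form bean and parameter names are made up; it assumes commons-beanutils 1.9.2 or later, which is where the introspector was introduced.

```java
import java.lang.reflect.InvocationTargetException;
import java.util.HashMap;
import java.util.Map;

import org.apache.commons.beanutils.BeanUtilsBean;
import org.apache.commons.beanutils.SuppressPropertiesBeanIntrospector;

public final class BeanUtilsClassPropertyCheck {

    // Constructed form bean of the kind request parameters get copied into
    // with BeanUtils.populate().
    public static class LoginForm {
        private String username;
        public String getUsername() { return username; }
        public void setUsername(String username) { this.username = username; }
    }

    // Constructed request parameters: one legitimate field plus a key that
    // walks through the "class" property, as in the CVE description.
    public static Map<String, String> hostileParams() {
        Map<String, String> p = new HashMap<>();
        p.put("username", "alice");
        p.put("class.classLoader.defaultAssertionStatus", "true");
        return p;
    }

    // Unhardened instance: the "class" property is visible, as in the
    // versions the finding covers.
    public static BeanUtilsBean defaultBeanUtils() {
        return new BeanUtilsBean();
    }

    // Hardened instance: the introspector removes "class" from every bean's
    // property set, so "class.*" paths never resolve, whatever the rest of
    // the application does with request parameters.
    public static BeanUtilsBean hardenedBeanUtils() {
        BeanUtilsBean b = new BeanUtilsBean();
        b.getPropertyUtils().addBeanIntrospector(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
        return b;
    }

    // True when "class.classLoader" resolves to a ClassLoader through this
    // instance, i.e. when request data could reach the class loader.
    public static boolean classLoaderReachable(BeanUtilsBean b, Object bean) {
        try {
            return b.getPropertyUtils().getProperty(bean, "class.classLoader") instanceof ClassLoader;
        } catch (NoSuchMethodException e) {
            return false;   // property path does not exist: the hole is closed
        } catch (IllegalAccessException | InvocationTargetException e) {
            throw new IllegalStateException(e);
        }
    }

    public static void main(String[] args) throws Exception {
        LoginForm form = new LoginForm();
        System.out.println("default : class loader reachable = "
            + classLoaderReachable(defaultBeanUtils(), form));   // true
        System.out.println("hardened: class loader reachable = "
            + classLoaderReachable(hardenedBeanUtils(), form));  // false

        // With the hardened instance populate() keeps the legitimate field and
        // silently skips the "class.*" key, because "class" no longer resolves.
        hardenedBeanUtils().populate(form, hostileParams());
        System.out.println("username after populate = " + form.getUsername()); // alice
    }
}
```

The static BeanUtils.populate() delegates to BeanUtilsBean.getInstance(), so framework code that uses the static API is hardened by adding the same introspector to BeanUtilsBean.getInstance().getPropertyUtils() at startup.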
Repository: portal-sdk
Group: org.apache.poi
Impact Analysis:

Analysis: Not vulnerable, as we do not use POI to read documents. We use it only to generate XLS from our own data.

CWE: 399
Apache POI in versions prior to release 3.17 is vulnerable to Denial of Service attacks: 1) infinite loops while parsing crafted WMF, EMF, MSG and macros (POI bugs 61338 and 61294), and 2) Out of Memory Exceptions while parsing crafted DOC, PPT and XLS (POI bugs 52372 and 61295).

Jira: PORTAL-446

Action: Not vulnerable in ONAP

Repository: portal, portal-sdk
Group: com.codehaus.jackson
Impact Analysis:

False positive.

Analysis: This vulnerability is not exposed through the portal's code, because

  • The portal does not pass any untrusted data for deserialization, as XSS/XSRF validation is enabled in the portal's backend code.
  • We use Spring Security 4.2.3, as recommended in the Nexus-IQ report; Spring Security 4.2.3 takes care of this.

Comments from Nexus-IQ: Spring Security has provided their own fix for this vulnerability (CVE-2017-4995). If this component is being used as part of Spring Security, then you are not vulnerable if you are running Spring Security 4.2.3.RELEASE or greater for 4.x or Spring Security 5.0.0.M2 or greater for 5.x.

Jira: PORTAL-442

Action: Vulnerability removed as per nexus-iq

Repository: portal, portal-sdk
Group: org.springframework
Impact Analysis:

The Spring Framework library is used all over the project, so version upgrades must be done very carefully.

At least the use of multiple versions will be resolved in Dublin:

Jira: PORTAL-423

Action: Request exception
Repository: portal-sdk
Group: com.google.guava
Impact Analysis: Not seen in the reports on the master branch as of 11 Oct 2018
Action: Vulnerability removed as per nexus-iq

Repository: portal-sdk
Group: io.netty
Impact Analysis: Not clear what the issue is, based on the Nexus-IQ report information.
Action: Request exception
Repository: portal, portal-sdk
Group: commons-fileupload
Impact Analysis:

If not a false positive, this can be handled by upgrading to the new version, which does not have the vulnerability.

Jira: PORTAL-443

Explanation: Apache Commons FileUpload contains a resource leak which may lead to a Denial of Service (DoS) attack.

Action: Target fix in Dublin release
Repository: portal-sdk
Group: xerces
Impact Analysis:

There is no non-vulnerable version of this package.

Jira: PORTAL-445

Explanation: Apache Xerces2 is vulnerable to a Denial of Service (DoS) attack.

Action: Request exception

Repository: portal-sdk
Group: bootstrap
Impact Analysis: There is no non-vulnerable version of this package.
Action: Request exception

Repository: portal
Group: postgresql
Impact Analysis: Not seen in the reports on the master branch as of 11 Oct 2018
Action: Vulnerability removed as per nexus-iq

Repository: portal, portal-sdk
Group: org.bouncycastle
Impact Analysis:

If not a false positive, this can be handled by upgrading to the new version, which does not have the vulnerability.

Bouncy Castle Java Cryptography APIs have vulnerabilities.

Jira: PORTAL-444

Upgrade to version 1.6.

Explanation: Bouncy Castle is vulnerable to Remote Code Execution (RCE).

Action: We will try to handle these in the Dublin release, based on resource availability and priority
Repository: portal
Group: org.codehaus.groovy
Impact Analysis:

If not a false positive, this can be handled by upgrading to the new version, which does not have the vulnerability.

Jira: PORTAL-447

Explanation: Groovy is vulnerable to insecure deserialization leading to Remote Code Execution (RCE).

Action: We will try to handle these in the Dublin release, based on resource availability and priority
Repository: portal
Group: org.eclipse.jetty
Impact Analysis:

If not a false positive, this can be handled by upgrading to the new version, which does not have the vulnerability.

Jira: PORTAL-448

Explanation: Eclipse Jetty Server is vulnerable to HTTP request smuggling.

Action: We will try to handle these in the Dublin release, based on resource availability and priority

Repository: portal, portal-sdk
Group: org.apache.lucene
Impact Analysis:

Not used; this dependency will be removed.

Jira: PORTAL-440

Action: We will try to handle this in the Dublin release
Repository: portal
Group: org.apache.tomcat.embed
Impact Analysis:

There is no non-vulnerable version of this component/package.

Jira: PORTAL-449

Explanation: Apache Tomcat is vulnerable to a Cross-Origin attack due to the insecure default configuration of the CORS filter. The exposure exists only where the CORS filter is enabled with its origin and credential parameters left at their defaults.

Action: Request exception
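The finding concerns what the CORS filter does when its origin and credential parameters are left at their defaults. The example below is an added illustration, not Portal configuration: it registers Tomcat's own CorsFilter on an embedded Tomcat context once with the defaults and once with every security-relevant parameter set explicitly, and includes a small check that rejects the wildcard-origin-with-credentials combination. The context path, port and allowed origin are placeholders; it assumes tomcat-embed-core 8.5 or 9.x for the FilterDef/FilterMap API.

```java
import org.apache.catalina.Context;
import org.apache.catalina.filters.CorsFilter;
import org.apache.catalina.startup.Tomcat;
import org.apache.tomcat.util.descriptor.web.FilterDef;
import org.apache.tomcat.util.descriptor.web.FilterMap;

public final class CorsFilterRegistration {

    // Weak: rely on the filter's built-in defaults. In the affected Tomcat
    // releases the defaults allow every origin and enable credentials, so any
    // site can issue credentialed cross-origin requests to the application.
    public static FilterDef weakCors() {
        FilterDef def = new FilterDef();
        def.setFilterName("CorsFilter");
        def.setFilterClass(CorsFilter.class.getName());
        return def;
    }

    // Hardened: every security-relevant parameter is set explicitly, so the
    // behaviour no longer depends on which Tomcat version's defaults apply.
    // allowedOrigins is a comma-separated list of exact origins, never "*"
    // when credentials are supported.
    public static FilterDef hardenedCors(String allowedOrigins) {
        FilterDef def = new FilterDef();
        def.setFilterName("CorsFilter");
        def.setFilterClass(CorsFilter.class.getName());
        def.addInitParameter(CorsFilter.PARAM_CORS_ALLOWED_ORIGINS, allowedOrigins);
        def.addInitParameter(CorsFilter.PARAM_CORS_SUPPORT_CREDENTIALS, "true");
        def.addInitParameter(CorsFilter.PARAM_CORS_ALLOWED_METHODS, "GET,POST");
        def.addInitParameter(CorsFilter.PARAM_CORS_ALLOWED_HEADERS,
            "Content-Type,Authorization,X-Requested-With");
        return def;
    }

    // Mount a filter definition on every path of the context.
    public static void register(Context ctx, FilterDef def) {
        ctx.addFilterDef(def);
        FilterMap map = new FilterMap();
        map.setFilterName(def.getFilterName());
        map.addURLPattern("/*");
        ctx.addFilterMap(map);
    }

    // Startup check: a missing parameter is treated as the affected versions'
    // default (all origins, credentials on), and that combination is refused.
    public static boolean isSafe(FilterDef def) {
        String origins = def.getParameterMap().get(CorsFilter.PARAM_CORS_ALLOWED_ORIGINS);
        String creds = def.getParameterMap().get(CorsFilter.PARAM_CORS_SUPPORT_CREDENTIALS);
        boolean wildcard = origins == null || "*".equals(origins.trim());
        boolean credentialed = creds == null || Boolean.parseBoolean(creds);
        return !(wildcard && credentialed);
    }

    public static void main(String[] args) throws Exception {
        FilterDef hardened = hardenedCors("https://portal.example");  // placeholder origin
        System.out.println("weak definition safe?     " + isSafe(weakCors()));  // false
        System.out.println("hardened definition safe? " + isSafe(hardened));    // true

        Tomcat tomcat = new Tomcat();
        tomcat.setPort(8080);                 // placeholder port
        tomcat.getConnector();                // Tomcat 9 no longer creates the connector implicitly
        Context ctx = tomcat.addContext("", System.getProperty("java.io.tmpdir"));
        register(ctx, hardened);
        tomcat.start();
        tomcat.getServer().await();
    }
}
```

The same init parameters apply verbatim to a web.xml filter declaration; setting them explicitly is what removes the dependency on the Tomcat version's defaults, which is the only thing the finding is about.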
Repository: portal
Group: org.apache.cxf
Impact Analysis:

False positive.

We do not use the code below, which is what makes an application vulnerable:

System.setProperty("java.protocol.handler.pkgs", "com.sun.net.ssl.internal.www.protocol");

Jira: PORTAL-450

Action: Not Vulnerable
Repository: portal
Group: org.hibernate
Impact Analysis:

If not a false positive, this can be handled by upgrading to the new version, which does not have the vulnerability.

Jira: PORTAL-441

Explanation: The Hibernate Validator (HV) package is vulnerable to a privilege escalation vulnerability.

Action: We will try to handle these in the Dublin release, based on resource availability and priority

CLM Report

portal: (CLM report screenshot)

portal-sdk: (CLM report screenshot)