Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

This table represents the known exploitable and non-exploitable vulnerabilities in third party packages used in the project.

RepositoryGroupImpact AnalysisAction
SOcom.fasterxml.jackson.core

False positive

No Action.

Jackson: can be an issue if we leave on default typing

All of the existing jackson databind have vulnerabilities issues.   In

In SO we do not use default typing. We use strict parsing and validation of deserialized data.

 There

There is no unknown source data  from which SO reads the application data (xml/json).

com.fasterxml.jackson.core  commons

No Action.

All of the existing jackson databind have vulnerabilities issues.

SOCommons-beanutils

Remote Code Execution (RCE) using class loader is


the reported issue, current SO does not handle the


specific scenarios.

No Action

  All

All of the existing jackson databind have vulnerabilities issues.

SOcommons-
collections 
collectionsPulled in by Springboot, indirect
dependency    
dependencyWill handle in the E - release SO-1778
 Need to upgrade to the 3.2.2 version, need to get the impact analysis
SOdom4jPulled in by Springboot, indirect dependencyNo Action
All of the existing jackson databind have vulnerabilities issues.
SOio.springfoxUsed in the  vnfm-service and  vnfm-simulator moduleNeed to upgrade to 2.7.0,2.8.0 or 2.9.2 versions we will handle in the E release
SOjquery 1.10.2Has no direct usage, comes along with the spring boot in the catalog-db-adapter jar. Is not used in the SO functionality
NO
No Action
.
SOjs-yaml 3.4.6
  • Used only in the simulator code
  • js-yaml.min.js located at vnfm-simulator/vnfm-service/target/vnfm-service-1.4.0-SNAPSHOT.jar/BOOT-INF/lib/springfox-swagger-ui-2.6.1.jar/META-INF/resources/webjars/springfox-swagger-ui/lib
No Action
SOorg.apache.tomcat.embedPulled in by Springboot, indirect dependencyNeed to upgrade to from 9.0.20 will handle  in the E release
SOorg.slf4j Pulled in by Springboot 1.5.13-RELEASE and also specified by SO

Need to upgrade to 1.7.26 will handle


in the E release

 
SOorg.springframeworkPulled in by Springboot

Need to upgrade to 5.0.10 or 5.1.5

Will handle in the E - release SO-1778

org.springframework.data : spring-data-rest-hal-browser
 org.springframework.securityPulled in by SpringbootNeed to upgrade to 5.0.10 or 5.1.5

 Will handle in the E - release
SO
-1778
org.webjars jquery
1.10.2

Not used in the code comes from the springframework

  • jquery-1.10.2.js located at adapters/mso-catalog-db-adapter/target/mso-catalog-db-adapter-1.4.0-SNAPSHOT.jar/BOOT-INF/lib/spring-data-rest-hal-browser-3.0.10.RELEASE.jar/META-INF/spring-data-rest/hal-browser/vendor/js
No Action
SOjavax.servlet
 
No direct reference in the code, this should be pulled in by the framework
All of the existing jackson databind have vulnerabilities issues.

SOorg.camunda.bpm
 
Used in the  bpmn module and core moduleNeed to upgrade 7.11.0-alpha1,7.11.0-alpha2 and 7.11.0-alpha3 we will in the E release
SOorg.json
 
Used in the  bpmn module, adapters module, mso-api-handler module,  comman modules and asdc-
contraoller
controllerAll of the existing jackson databind have vulnerabilities issues.
SOcom.googlecode.libphonenumberPulled in by SpringbootNeed to upgrade to 7.2.3 or any above.
SOcom.squareup.okhttpUsed by so adapters and vnfm-simulatorAll of the existing jackson databind have vulnerabilities issues.
SOcommons-codec//dependency is mentioned in the main project pom.xml//All of the existing jackson databind have vulnerabilities issues.
SOcommons-fileupload Used by so bpmn module.Need to upgrade to 1.
4
SOjavax.mailPulled in by springboot.
 All
All of the existing jackson databind have vulnerabilities issues.
SOorg.springframework.data
 

need to upgrade to 2.0.14Release or 2.1.6RELEASE and will be handled in the E-release. 
SOorg.springframework.securityUsed in so adapters, asdc-controller,bpmn,common,mso-api-handlers,docker and vnfm-simulator.need to upgrade to 5.0.12Eelease or 5.1.5RELEASE and will be handled in the E-release.
 
SOorg.webjars bootstrapPulled in by springboot.Need to upgrade to 4.1.3 and will handle in the E-release.
SOuikitPulled in by springboot.Need to uprade to 2.26.4,2.27.0,2.27.1,2.27.2,2.27.3, 2.27.4 and will handle in the E-release.
org.apache.cxf   All of the existing jackson databind have vulnerabilities issues.
SOorg.apache.cxf
 
Used in so adapters,bpmn,common,cxf-logging,logger and docker.
 All
All of the existing jackson databind have vulnerabilities issues.
SOcom.google.code.findbugs
 
Used by adapters and common.
 All
All of the existing jackson databind have vulnerabilities issues.
SOorg.hibernate
 
Used in so adapters,asdc-controller,bpmn, common, mso-api-handlers,mso-catalog-db.(cfg, dialect, exceptions and annotations)Need to upgrade to 5.3.7.Final and will handle in the E-release
SOorg.hibernate.common
 
Pulled in by Springboot
 All
All of the existing jackson databind have vulnerabilities issues.
SOorg.mariadb.jdbc
 
Driver is used by yaml files for maraidb connection in modules :adapters,mso-catalog-db,mso-api-handlers,bpmn and asdc-controller.
 All
All of the existing jackson databind have vulnerabilities issues.
SO libscom.fasterxml.jackson.core

False positive

  No Action

All of the exisiting jackson have vunerabilities issues. 

    

Jackson: can be an issue if we leave on default typing 

In SO we do not use default typing. We use strict parsing and validation of deserialized data.

There is no unknown source data  from which SO reads the application data (xml/json).

      

No Action

All of the exisiting jackson have vunerabilities issues.

SO libscommons-codec
 This
This is used for the decoding of the input. contains an Improper Input Validation vulnerability. The only way is to use extra validations added before the actual inputThere is no non vulnerable version of this component. We recommend investigating alternative components or a potential mitigating control.