This template is intended to be used to document the outcome of the impact analysis related to the known vulnerability reported by Nexus-IQ (CLM tab in Jenkins). Nexus-IQ can identify the known vulnerabilities contained in the components use by onap components.
This table will be presented to TSC at Code Freeze milestone (M4) to the TSC.
It is recommended to first update to the latest version of the third party components available. In case the latest third party components still reports some vulnerabilities, you must provide an impact analysis as illustrated in the example below.
In the case where you have nested third party components (a third party component embedding another third party component) and there is NO CVE number for the upstream third party component (meaning the third party component you are embedding), it is recommended to open a vulnerability issue on the upstream third party component.
The following table is addressing 2 different scenarios:
- Confirmation of a vulnerability including an action
- False Positive
The information related to Repository, Group, Artifact, Version and Problem Code are extracted from the CLM report (see the below screenshot)
...
Vulnerability report:
SONATYPE-2017-0312
jackson-databind is vulnerable to Remote Code Execution (RCE). The createBeanDeserializer() function in the BeanDeserializerFactory class allows untrusted Java objects to be deserialized. A remote attacker can exploit this by uploading a malicious serialized object that will result in RCE if the application attempts to deserialize it.
...
False Positive Classification Reasoning to be confirmed
if identified Jackson is only used for converting between POJO to JSON, not the other direction which is reported as vulnerable by CVE-2018-7489. The member call used is ObjectMapper.writeValueAsString. not the risky readValue method.
...
spring-aop
Vulnerability report
...
spring-data-commons
Vulnerability report
...
Vulnerable artifact:
Dependency com.fasterxml.jackson.core:jackson-databind:jar:2.9.5 located at Module org.onap.dcaegen2.analytics.tca-gen2:dcae-analytics-model:jar:3.0.0-SNAPSHOT
Dependency com.fasterxml.jackson.core:jackson-databind:jar:2.9.5 located at Module org.onap.dcaegen2.analytics.tca-gen2:dcae-analytics-tca-core:jar:3.0.0-SNAPSHOT
Dependency com.fasterxml.jackson.core:jackson-databind:jar:2.9.5 located at Module org.onap.dcaegen2.analytics.tca-gen2:dcae-analytics-tca-model:jar:3.0.0-SNAPSHOT
Dependency com.fasterxml.jackson.core:jackson-databind:jar:2.9.5 located at Module org.onap.dcaegen2.analytics.tca-gen2:dcae-analytics-tca-web:jar:3.0.0-SNAPSHOT
Dependency com.fasterxml.jackson.core:jackson-databind:jar:2.9.5 located at Module org.onap.dcaegen2.analytics.tca-gen2:dcae-analytics-test:jar:3.0.0-SNAPSHOT
Dependency com.fasterxml.jackson.core:jackson-databind:jar:2.9.5 located at Module org.onap.dcaegen2.analytics.tca-gen2:dcae-analytics-web:jar:3.0.0-SNAPSHOT
Vulnerability report:
SONATYPE-2017-0312
jackson-databind is vulnerable to Remote Code Execution (RCE). The createBeanDeserializer() function in the BeanDeserializerFactory class allows untrusted Java objects to be deserialized. A remote attacker can exploit this by uploading a malicious serialized object that will result in RCE if the application attempts to deserialize it.
...
False Positive Classification Reasoning to be confirmed
if identified Jackson is only used for converting between POJO to JSON, not the other direction which is reported as vulnerable by CVE-2018-7489. The member call used is ObjectMapper.writeValueAsString. not the risky readValue method.
...
Vulnerable artifacts:
...
Vulnerability report:
False Positive Classification Reasoning
There is no use of BeanDeserializerFactory class in artifact "dcae-analytics-model". Hence we believe that this vulnerability report is a false positive.
...
| Jira Legacy | ||||||
|---|---|---|---|---|---|---|
|
...
Vulnerable artifacts:
<same as jackson-databind 2.4.4 above>
Vulnerability report:
SONATYPE-2016-0397
SONATYPE-2017-0355
...
False Positive Classification Reasoning to be confirmed
There is no use of either UTF8StreamJsonParser or ReaderBasedJsonParser class in artifact "dcae-analytics-model".
...
tomcat-embed-core
Vulnerability report
...
bcprov-jdk15on
Vulnerability report
...
Vulnerable artifacts:
Dependency com.fasterxml.jackson.core:jackson-databind:jar:2.9.5 located at Module org.onap.dcaegen2.collectors.datafile:datafile-app-server:jar:1.0.0-SNAPSHOT
Vulnerability report:
SONATYPE-2017-0312
jackson-databind is vulnerable to Remote Code Execution (RCE). The createBeanDeserializer() function in the BeanDeserializerFactory class allows untrusted Java objects to be deserialized. A remote attacker can exploit this by uploading a malicious serialized object that will result in RCE if the application attempts to deserialize it.
...
To be assessed if any alternative or Jackson is only used for converting between JSON to POJO only (reverse is flagged under 502 or if below is true
If this component is being used as part of Spring Security, then you are not vulnerable if you are running Spring Security 4.2.3.RELEASE or greater for 4.x or Spring Security 5.0.0.M2 or greater for 5.x. (CVE-2017-4995).
...
Vulnerability report
...
jackson-databind
Vulnerable artifacts:
Dependency com.fasterxml.jackson.core:jackson-databind:jar:2.9.4 located at Module org.onap.dcaegen2.collectors.hv-ves:hv-collector-coverage:pom:1.0.0-SNAPSHOT
Dependency com.fasterxml.jackson.core:jackson-databind:jar:2.9.4 located at Module org.onap.dcaegen2.collectors.hv-ves:hv-collector-ct:jar:1.0.0-SNAPSHOT
Dependency com.fasterxml.jackson.core:jackson-databind:jar:2.9.4 located at Module org.onap.dcaegen2.collectors.hv-ves:hv-collector-dcae-app-simulator:jar:1.0.0-SNAPSHOT
Dependency com.fasterxml.jackson.core:jackson-databind:jar:2.9.4 located at Module org.onap.dcaegen2.collectors.hv-ves:hv-collector-utils:jar:1.0.0-SNAPSHOT
Dependency com.fasterxml.jackson.core:jackson-databind:jar:2.9.4 located at Module org.onap.dcaegen2.collectors.hv-ves:hv-collector-xnf-simulator:jar:1.0.0-SNAPSHOT
Vulnerability report:
...
To be assessed if any alternative or Jackson is only used for converting between JSON to POJO only (reverse is flagged under 502 or if below is true
If this component is being used as part of Spring Security, then you are not vulnerable if you are running Spring Security 4.2.3.RELEASE or greater for 4.x or Spring Security 5.0.0.M2 or greater for 5.x. (CVE-2017-4995).
...
tomcat-embed-core
Vulnerability report:
...
Vulnerable artifacts:
Dependency com.fasterxml.jackson.core:jackson-databind:jar:2.9.6 located at Module org.onap.dcaegen2.collectors.ves:VESCollector:jar:1.3.1-SNAPSHOT
Vulnerability report:
jackson-databind is vulnerable to Remote Code Execution (RCE). The createBeanDeserializer() function in the BeanDeserializerFactory class allows untrusted Java objects to be deserialized. A remote attacker can exploit this by uploading a malicious serialized object that will result in RCE if the application attempts to deserialize it.
False Positive Classification Reasoning
The application is only vulnerable by using this component, when default typing is enabled and passing in untrusted data to be deserialization which is not the case here.
...
jackson-databind
Vulnerable artifacts:
Dependency com.fasterxml.jackson.core:jackson-databind:jar:2.8.7 located at Module org.onap.dcaegen2.platform:inventory-api:jar:3.0.3
Vulnerability report:
jackson-databind is vulnerable to Remote Code Execution (RCE). The createBeanDeserializer() function in the BeanDeserializerFactory class allows untrusted Java objects to be deserialized. A remote attacker can exploit this by uploading a malicious serialized object that will result in RCE if the application attempts to deserialize it.
...
False Positive Classification Reasoning
According to these description, and the fact that the org.onap.dcaegen2.platform:inventory-api code does not enable use of global type information, using Class name as the type id, we believe that this report is a false positive.
...
Vulnerability report:
...
Vulnerability report:
...
groovy-all, 2.4.4
Vulnerability report:
...
Vulnerability report:
...
Vulnerability report:
...
This table represents the known exploitable and non-exploitable vulnerabilities in third party packages used in the project.
| Repository | Group | Impact Analysis | Action |
|---|---|---|---|
| dcaegen2/analytics/tca-gen2 | com.fasterxml.jackson.core | False Positive - we are not using the Jackson code in the manner that exposes the vulnerability. | Request exception |
| dcaegen2/analytics/tca | com.fasterxml.jackson.core | False Positive - we are not using the Jackson code in the manner that exposes the vulnerability. There is no use of | No Action (same version as R2) |
| dcaegen2/analytics/tca | com.fasterxml.jackson.core | False Positive There is no use of either | No Action (same version as R2) |
| dcaegen2/collectors/datafile | com.fasterxml.jackson.core | Only used by Swagger which get jackson in connection with API generation(from Spring). So if we exclude jackson, we will get runtime exception according to lack of jackson library. At the moment we haven't got any workaround. | Request exception |
| dcaegen2/collectors/hv-ves | com.fasterxml.jackson.core | False Positive Vulnerable artifacts are used only in following cases:
Other modules affected are component-level-tests and coverage report which also are not used in production environment. | Request exception |
| dcaegen2/collectors/ves | com.fasterxml.jackson.core | False Positive The application is only vulnerable by using this component, when default typing is enabled and passing in untrusted data to be deserialization which is not the case here. | Request exception |
| dcaegen2/platform/inventory-api | com.fasterxml.jackson.core | False Positive According to these description, and the fact that the org.onap.dcaegen2.platform:inventory-api code does not enable use of global type information, using Class name as the type id, we believe that this report is a false positive. | Request exception |
| dcaegen2/services/mapper | com.fasterxml.jackson.core |
False Positive There is no use of | Request exception | |
| dcaegen2/services/prh | com.fasterxml.jackson.core |
Vulnerability report:
SONATYPE-2017-0312
jackson-databind is vulnerable to Remote Code Execution (RCE). The createBeanDeserializer() function in the BeanDeserializerFactory class allows untrusted Java objects to be deserialized. A remote attacker can exploit this by uploading a malicious serialized object that will result in RCE if the application attempts to deserialize it.
To be assessed Jackson version can be updated to 2.9.6 (for consistency within application) and recommendation below for 2.9.6 can be addressed.
Dependency com.fasterxml.jackson.core:jackson-databind:jar:2.9.6 located at Module org.onap.dcaegen2.services.mapper:snmpmapper:jar:0.0.1-SNAPSHOT
Vulnerability report:
SONATYPE-2017-0312
jackson-databind is vulnerable to Remote Code Execution (RCE). The createBeanDeserializer() function in the BeanDeserializerFactory class allows untrusted Java objects to be deserialized. A remote attacker can exploit this by uploading a malicious serialized object that will result in RCE if the application attempts to deserialize it.
To be assessed if any alternative or Jackson is only used for converting between JSON to POJO only (reverse is flagged under 502 or if below is true
If this component is being used as part of Spring Security, then you are not vulnerable if you are running Spring Security 4.2.3.RELEASE or greater for 4.x or Spring Security 5.0.0.M2 or greater for 5.x. (CVE-2017-4995).
Vulnerability report:
Vulnerability report:
httpclient, 4.5.2
Vulnerability report:
SONATYPE-2017-0359
Sonatype CWE: 22
The Apache httpcomponents component is vulnerable to Directory Traversal. The normalizePath() function in the URIBuilder class allows directory traversal characters such as ../. An attacker can exploit this vulnerability by sending a specially crafted request containing this sequence in the URL path, allowing the attacker to traverse beyond the allowed directory and retrieve the contents of arbitrary files from the server, leading to information disclosure
spring-core, 5.0.3.RELEASE
Vulnerability report:
tomcat-embed-core, 8.5.28
Vulnerability report:
bcprov-jdk15on, 1.59
Vulnerable artifacts:
Dependency org.bouncycastle:bcprov-jdk15on:jar:1.59 located at Module org.onap.dcaegen2.services.prh:prh-app-server:jar:1.0.0-SNAPSHOT
Vulnerability report:
Dependency com.fasterxml.jackson.core:jackson-databind:jar:2.9.6 located at Module org.onap.dcaegen2.services.mapper:snmpmapper:jar:0.0.1-SNAPSHOT
Vulnerability report:
SONATYPE-2017-0312
jackson-databind is vulnerable to Remote Code Execution (RCE). The createBeanDeserializer() function in the BeanDeserializerFactory class allows untrusted Java objects to be deserialized. A remote attacker can exploit this by uploading a malicious serialized object that will result in RCE if the application attempts to deserialize it.
To be assessed if any alternative or Jackson is only used for converting between JSON to POJO only (reverse is flagged under 502 or if below is true
If this component is being used as part of Spring Security, then you are not vulnerable if you are running Spring Security 4.2.3.RELEASE or greater for 4.x or Spring Security 5.0.0.M2 or greater for 5.x. (CVE-2017-4995).
Vulnerable artifacts:
Vulnerability report:
Only used by Swagger which get jackson in connection with API generation(from Spring). So if we exclude jackson, we will get runtime exception according to lack of jackson library. | Request exception | ||||||||||||
| dcaegen2/collectors/ves | org.apache.tomcat.embed | Requires moving to tomcat-embed-websocket:8.5.34 | Added 10/29 - Request exception
| ||||||||||
| dcaegen2/platform/inventory-api | org.postgresql | Requires moving postgresql to 42.2.5 | Added 10/29 - Request exception | ||||||||||
| dcaegen2/analytics/tca-gen2 | io.undertow | No non-vulnerable version available. | Request exception | ||||||||||
| dcaegen2/analytics/tca | com.google.guava | No non-vulnerable version available. | Request exception | ||||||||||
| dcaegen2/analytics/tca | commons-codec | Not applicable as base32 encoding is not used | Request exception | ||||||||||
| dcaegen2/collectors/datafile | org.springframework | Newer non vulnerable version available (5.1.0.RELEASE) | Upgrade to newer version
| ||||||||||
| dcaegen2/collectors/datafile | com.jcraft | Not applicable; as the application doesn't run on windows | Request exception | ||||||||||
| dcaegen2/collectors/hv-ves | org.apache.kafka | Newer non vulnerable version available | Request exception | ||||||||||
| dcaegen2/collectors/ves | org.springframework | Requires moving to spring-web:5.1.1.RELEASE | Added 10/29 - Request exception
| ||||||||||
| dcaegen2/collectors/ves | com.googlecode.libphonenumber | Not applicable. | Request exception | ||||||||||
| dcaegen2/collectors/ves | javax.mail | Not applicable; as the specified method is not invoked | Request exception | ||||||||||
| dcaegen2/collectors/ves | org.springframework.security | spring-security-web:5.0.6.RELEASE flagged No non-vulnerable version available. | Added 10/30 - Request exception | ||||||||||
| dcaegen2/platform/inventory-api | org.postgresql : postgresql | No non-vulnerable version available. | Request exception | ||||||||||
| dcaegen2/services/mapper | dom4j : dom4j : | Not applicable; as the specified method is not invoked | Request exception | ||||||||||
| dcaegen2/services/mapper | org.springframework : spring-web | No non-vulnerable version available & Unknown license reported | Request exception | ||||||||||
| dcaegen2/services/mapper | ognl : ognl : 3.0.9 | Newer non vulnerable version available | Upgrade to newer version available
| ||||||||||
| dcaegen2/services/mapper | org.postgresql : postgresql : 42.2.4 | No non-vulnerable version available. | Request exception | ||||||||||
| dcaegen2/services/mapper | xerces : xercesImpl : 2.12.0 | No non-vulnerable version available. | Request exception | ||||||||||
| dcaegen2/services/prh | org.springframework : spring-web | Newer non vulnerable version available | Upgrade to newer version available
|