
This template is intended to document the outcome of the impact analysis of the known vulnerabilities reported by Nexus-IQ (CLM tab in Jenkins). Nexus-IQ identifies known vulnerabilities in the third-party components used by ONAP components.

This table will be presented to the TSC at the Code Freeze milestone (M4).

It is recommended to first update to the latest available version of the third-party components. If the latest third-party components still report vulnerabilities, you must provide an impact analysis as illustrated in the example below.

In the case where you have nested third-party components (a third-party component embedding another third-party component) and there is NO CVE number for the upstream third-party component (meaning the third-party component you are embedding), it is recommended to open a vulnerability issue on the upstream third-party component.
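The "update first" step can be checked mechanically against a module's pom.xml. The following Python script is an added example and is not part of this page or of any DCAEGEN2 project. It takes the remediation versions named in the Action column of the table on this page as version floors (the floor list is only as complete as that column: any dependency not listed is reported as "unlisted", meaning it needs its own impact analysis rather than being assumed safe), parses a constructed sample pom.xml, resolves ${property} versions, and reports which dependencies still sit below the floor. The version ordering is a simplification assumed by this example, not Maven's exact ComparableVersion rules: numeric segments compare numerically, RELEASE/FINAL/GA/v are neutral, and SNAPSHOT/alpha/beta/M/RC qualifiers sort below the corresponding release.

```python
import re
import xml.etree.ElementTree as ET

# Version floors taken from the Action column of the table on this page.
# Anything absent from this dict is reported as "unlisted", not as safe.
REMEDIATION_FLOORS = {
    "org.apache.tomcat.embed:tomcat-embed-core": "8.5.32",
    "org.springframework:spring-aop": "5.0.8.RELEASE",
    "org.springframework:spring-core": "5.0.5.RELEASE",
    "org.springframework:spring-expression": "5.0.9.RELEASE",
    "org.springframework.data:spring-data-commons": "2.0.8.RELEASE",
    "org.eclipse.jetty:jetty-http": "9.4.12.v20180830",
    "org.eclipse.jetty:jetty-server": "9.4.12.v20180830",
    "org.codehaus.groovy:groovy-all": "2.4.15",
    "xerces:xercesImpl": "2.12.0",
    "org.apache.httpcomponents:httpclient": "4.5.3",
}

NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Simplified Maven ordering (an assumption of this example): pre-release
# qualifiers sort below any numeric segment; these markers are neutral.
QUALIFIER_RANK = {"snapshot": -4, "alpha": -3, "beta": -3, "m": -3, "rc": -2, "cr": -2}
NEUTRAL = {"release", "final", "ga", "v"}  # "5.0.8.RELEASE" == "5.0.8", "v20180830" -> 20180830


def _key(version):
    parts = []
    for tok in re.findall(r"\d+|[A-Za-z]+", version):
        if tok.isdigit():
            parts.append((1, int(tok)))
        elif tok.lower() not in NEUTRAL:
            parts.append((0, QUALIFIER_RANK.get(tok.lower(), -1)))
    return parts


def version_at_least(actual, floor):
    """True when `actual` is the floor version or newer under the simplified ordering."""
    a, f = _key(actual), _key(floor)
    width = max(len(a), len(f))
    a += [(1, 0)] * (width - len(a))  # pad so "1.60" > "1.60-beta-4" and "2.0.8" == "2.0.8.0"
    f += [(1, 0)] * (width - len(f))
    return a >= f


def check_pom(pom_xml):
    """Return (coordinate, resolved version, floor, status) for every <dependency>."""
    root = ET.fromstring(pom_xml)
    props = {p.tag.split("}")[-1]: (p.text or "").strip()
             for p in root.findall("m:properties/*", NS)}
    results = []
    for dep in root.iter("{%s}dependency" % NS["m"]):
        group = dep.findtext("m:groupId", default="", namespaces=NS).strip()
        artifact = dep.findtext("m:artifactId", default="", namespaces=NS).strip()
        raw = dep.findtext("m:version", default="", namespaces=NS).strip()
        version = re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), raw)
        coord = "%s:%s" % (group, artifact)
        floor = REMEDIATION_FLOORS.get(coord)
        if floor is None:
            status = "unlisted"  # not on this page's list: needs its own impact analysis
        elif version_at_least(version, floor):
            status = "ok"
        else:
            status = "update"
        results.append((coord, version, floor, status))
    return results


# Constructed sample pom.xml (hypothetical project, versions chosen to exercise each status).
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>org.example</groupId>
  <artifactId>constructed-sample</artifactId>
  <version>0.0.1-SNAPSHOT</version>
  <properties>
    <spring.version>5.0.3.RELEASE</spring.version>
  </properties>
  <dependencies>
    <dependency><groupId>org.apache.tomcat.embed</groupId><artifactId>tomcat-embed-core</artifactId><version>8.5.28</version></dependency>
    <dependency><groupId>org.springframework</groupId><artifactId>spring-core</artifactId><version>${spring.version}</version></dependency>
    <dependency><groupId>org.eclipse.jetty</groupId><artifactId>jetty-server</artifactId><version>9.4.12.v20180830</version></dependency>
    <dependency><groupId>com.fasterxml.jackson.core</groupId><artifactId>jackson-databind</artifactId><version>2.9.5</version></dependency>
  </dependencies>
</project>
"""

if __name__ == "__main__":
    for coord, version, floor, status in check_pom(SAMPLE_POM):
        print("%-50s %-18s floor=%-18s %s" % (coord, version, floor, status))
```

Run against a real pom.xml by replacing SAMPLE_POM with the file contents; dependencies declared under dependencyManagement are picked up as well, but transitive dependencies are not, so the CLM report (which sees the resolved tree) remains the authority on what is actually shipped.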


The following table addresses 2 different scenarios:

  • Confirmation of a vulnerability, including an action
  • False positive

The information for Repository, Group, Artifact, Version and Problem Code is extracted from the CLM report (see the screenshot below).

Table columns: Repository, Group / Artifact, Impact Analysis, Action. Each row of the table is given below as a record with those fields.

Repository: dcaegen2/analytics/tca-gen2
Group / Artifact: com.fasterxml.jackson.core / jackson-databind 2.9.5
Impact Analysis:
  Vulnerable artifact:
  Dependency com.fasterxml.jackson.core:jackson-databind:jar:2.9.5 located at Module org.onap.dcaegen2.analytics.tca-gen2:dcae-analytics-model:jar:3.0.0-SNAPSHOT
  Dependency com.fasterxml.jackson.core:jackson-databind:jar:2.9.5 located at Module org.onap.dcaegen2.analytics.tca-gen2:dcae-analytics-tca-core:jar:3.0.0-SNAPSHOT
  Dependency com.fasterxml.jackson.core:jackson-databind:jar:2.9.5 located at Module org.onap.dcaegen2.analytics.tca-gen2:dcae-analytics-tca-model:jar:3.0.0-SNAPSHOT
  Dependency com.fasterxml.jackson.core:jackson-databind:jar:2.9.5 located at Module org.onap.dcaegen2.analytics.tca-gen2:dcae-analytics-tca-web:jar:3.0.0-SNAPSHOT
  Dependency com.fasterxml.jackson.core:jackson-databind:jar:2.9.5 located at Module org.onap.dcaegen2.analytics.tca-gen2:dcae-analytics-test:jar:3.0.0-SNAPSHOT
  Dependency com.fasterxml.jackson.core:jackson-databind:jar:2.9.5 located at Module org.onap.dcaegen2.analytics.tca-gen2:dcae-analytics-web:jar:3.0.0-SNAPSHOT
  Vulnerability report: SONATYPE-2017-0312
  jackson-databind is vulnerable to Remote Code Execution (RCE). The createBeanDeserializer() function in the BeanDeserializerFactory class allows untrusted Java objects to be deserialized. A remote attacker can exploit this by uploading a malicious serialized object that will result in RCE if the application attempts to deserialize it.
  False Positive Classification Reasoning (to be confirmed):
  If Jackson is only used for converting POJO to JSON, and not in the other direction, which is the one reported as vulnerable by CVE-2018-7489, this is a false positive. The member call used is ObjectMapper.writeValueAsString, not the risky readValue method.
Action: DCAEGEN2-765

Repository: dcaegen2/analytics/tca-gen2
Group / Artifact: org.springframework / spring-aop
Impact Analysis:
  Vulnerability report: CVE-2018-1258
Action: DCAEGEN2-765. Update spring-aop to version 5.0.8.RELEASE.

Repository: dcaegen2/analytics/tca-gen2
Group / Artifact: org.springframework.data / spring-data-commons
Impact Analysis:
  Vulnerability report: CVE-2018-1259
Action: DCAEGEN2-765. Update spring-data-commons to version 2.0.8.RELEASE.

Repository: dcaegen2/analytics/tca
Group / Artifact: com.fasterxml.jackson.core / jackson-databind:jar:2.4.4
Impact Analysis:
  Vulnerable artifact:
  Dependency com.fasterxml.jackson.core:jackson-databind:jar:2.4.4 located at Module org.onap.dcaegen2.analytics.tca:dcae-analytics-aai:jar:2.2.1-SNAPSHOT
  Dependency com.fasterxml.jackson.core:jackson-databind:jar:2.4.4 located at Module org.onap.dcaegen2.analytics.tca:dcae-analytics-cdap-common:jar:2.2.1-SNAPSHOT
  Dependency com.fasterxml.jackson.core:jackson-databind:jar:2.4.4 located at Module org.onap.dcaegen2.analytics.tca:dcae-analytics-cdap-plugins:jar:2.2.1-SNAPSHOT
  Dependency com.fasterxml.jackson.core:jackson-databind:jar:2.4.4 located at Module org.onap.dcaegen2.analytics.tca:dcae-analytics-cdap-tca:jar:2.2.1-SNAPSHOT
  Dependency com.fasterxml.jackson.core:jackson-databind:jar:2.4.4 located at Module org.onap.dcaegen2.analytics.tca:dcae-analytics-common:jar:2.2.1-SNAPSHOT
  Dependency com.fasterxml.jackson.core:jackson-databind:jar:2.4.4 located at Module org.onap.dcaegen2.analytics.tca:dcae-analytics-dmaap:jar:2.2.1-SNAPSHOT
  Dependency com.fasterxml.jackson.core:jackson-databind:jar:2.4.4 located at Module org.onap.dcaegen2.analytics.tca:dcae-analytics-it:jar:2.2.1-SNAPSHOT
  Dependency com.fasterxml.jackson.core:jackson-databind:jar:2.4.4 located at Module org.onap.dcaegen2.analytics.tca:dcae-analytics-model:jar:2.2.1-SNAPSHOT
  Dependency com.fasterxml.jackson.core:jackson-databind:jar:2.4.4 located at Module org.onap.dcaegen2.analytics.tca:dcae-analytics-tca:jar:2.2.1-SNAPSHOT
  Vulnerability report: CVE-2017-7525
  jackson-databind is vulnerable to Remote Code Execution (RCE). The createBeanDeserializer() function in the BeanDeserializerFactory class allows untrusted Java objects to be deserialized. A remote attacker can exploit this by uploading a malicious serialized object that will result in RCE if the application attempts to deserialize it.
  False Positive Classification Reasoning:
  There is no use of the BeanDeserializerFactory class in the artifact "dcae-analytics-model". Hence we believe that this vulnerability report is a false positive.

Repository: dcaegen2/analytics/tca
Group / Artifact: com.fasterxml.jackson.core / jackson-core:2.4.4
Impact Analysis:
  Vulnerable artifacts: <same as jackson-databind 2.4.4 above>
  Vulnerability report: SONATYPE-2016-0397, SONATYPE-2017-0355
  False Positive Classification Reasoning:
  There is no use of either the UTF8StreamJsonParser or the ReaderBasedJsonParser class in the artifact "dcae-analytics-model".

Repository: dcaegen2/collectors/datafile
Group / Artifact: org.apache.tomcat.embed / tomcat-embed-core
Impact Analysis:
  Vulnerability report: CVE-2018-8014
Action: DCAEGEN2-764. Update tomcat-embed-core to version 8.5.32.

Repository: dcaegen2/collectors/datafile
Group / Artifact: org.bouncycastle / bcprov-jdk15on
Impact Analysis:
  Vulnerability report: CVE-2018-1000613, CVE-2018-1000180
Action: DCAEGEN2-764. Upgrade the version. This appears to be fixed in BC 1.60 beta 4 and later, and in BC-FJA 1.0.2 and later.

Repository: dcaegen2/collectors/datafile
Group / Artifact: com.fasterxml.jackson.core / jackson-databind 2.9.5
Impact Analysis:
  Vulnerable artifacts:
  Dependency com.fasterxml.jackson.core:jackson-databind:jar:2.9.5 located at Module org.onap.dcaegen2.collectors.datafile:datafile-app-server:jar:1.0.0-SNAPSHOT
  Vulnerability report: SONATYPE-2017-0312
  jackson-databind is vulnerable to Remote Code Execution (RCE). The createBeanDeserializer() function in the BeanDeserializerFactory class allows untrusted Java objects to be deserialized. A remote attacker can exploit this by uploading a malicious serialized object that will result in RCE if the application attempts to deserialize it.
Action: DCAEGEN2-764. To be assessed: whether an alternative is available, whether Jackson is only used for converting JSON to POJO (the reverse direction is flagged; see the entry under 502), or whether the following applies: if this component is used as part of Spring Security, you are not vulnerable if you are running Spring Security 4.2.3.RELEASE or greater for 4.x, or Spring Security 5.0.0.M2 or greater for 5.x (CVE-2017-4995).

Repository: dcaegen2/collectors/datafile
Group / Artifact: org.springframework / spring-aop
Impact Analysis:
  Vulnerability report: CVE-2018-1258
Action: DCAEGEN2-764. Update spring-aop to version 5.0.8.RELEASE.

Repository: dcaegen2/collectors/hv-ves
Group / Artifact: com.fasterxml.jackson.core / jackson-databind 2.9.4
Impact Analysis:
  Vulnerable artifacts:
  Dependency com.fasterxml.jackson.core:jackson-databind:jar:2.9.4 located at Module org.onap.dcaegen2.collectors.hv-ves:hv-collector-coverage:pom:1.0.0-SNAPSHOT
  Dependency com.fasterxml.jackson.core:jackson-databind:jar:2.9.4 located at Module org.onap.dcaegen2.collectors.hv-ves:hv-collector-ct:jar:1.0.0-SNAPSHOT
  Dependency com.fasterxml.jackson.core:jackson-databind:jar:2.9.4 located at Module org.onap.dcaegen2.collectors.hv-ves:hv-collector-dcae-app-simulator:jar:1.0.0-SNAPSHOT
  Dependency com.fasterxml.jackson.core:jackson-databind:jar:2.9.4 located at Module org.onap.dcaegen2.collectors.hv-ves:hv-collector-utils:jar:1.0.0-SNAPSHOT
  Dependency com.fasterxml.jackson.core:jackson-databind:jar:2.9.4 located at Module org.onap.dcaegen2.collectors.hv-ves:hv-collector-xnf-simulator:jar:1.0.0-SNAPSHOT
  Vulnerability report: CVE-2018-7489
  False Positive Classification Reasoning:
  The vulnerable artifacts are used only in the following cases:
    1. CSIT robot test suites (hv-collector-dcae-app-simulator, hv-collector-xnf-simulator), which obviously do not pose a threat.
    2. The healthcheck mechanism, which ignores client requests and uses Jackson (through the dependency on hv-collector-utils) to create the response.
  The other affected modules are the component-level tests and the coverage report, which are also not used in the production environment.
Action: DCAEGEN2-766
  Assessment note: To be assessed: whether an alternative is available, whether Jackson is only used for converting JSON to POJO (the reverse direction is flagged; see the entry under 502), or whether the following applies: if this component is used as part of Spring Security, you are not vulnerable if you are running Spring Security 4.2.3.RELEASE or greater for 4.x, or Spring Security 5.0.0.M2 or greater for 5.x (CVE-2017-4995).

Repository: dcaegen2/collectors/ves
Group / Artifact: org.apache.tomcat.embed / tomcat-embed-core
Impact Analysis:
  Vulnerability report: CVE-2018-8014
Action: DCAEGEN2-767. Update tomcat-embed-core to version 8.5.32.

Repository: dcaegen2/collectors/ves
Group / Artifact: com.fasterxml.jackson.core / jackson-databind 2.9.6
Impact Analysis:
  Vulnerable artifacts:
  Dependency com.fasterxml.jackson.core:jackson-databind:jar:2.9.6 located at Module org.onap.dcaegen2.collectors.ves:VESCollector:jar:1.3.1-SNAPSHOT
  Vulnerability report:
  jackson-databind is vulnerable to Remote Code Execution (RCE). The createBeanDeserializer() function in the BeanDeserializerFactory class allows untrusted Java objects to be deserialized. A remote attacker can exploit this by uploading a malicious serialized object that will result in RCE if the application attempts to deserialize it.
  False Positive Classification Reasoning:
  The application is only vulnerable through this component when default typing is enabled and untrusted data is passed in to be deserialized, which is not the case here.
Action: 502

Repository: dcaegen2/platform/inventory-api
Group / Artifact: com.fasterxml.jackson.core / jackson-databind 2.8.7
Impact Analysis:
  Vulnerable artifacts:
  Dependency com.fasterxml.jackson.core:jackson-databind:jar:2.8.7 located at Module org.onap.dcaegen2.platform:inventory-api:jar:3.0.3
  Vulnerability report: CVE-2017-7525
  jackson-databind is vulnerable to Remote Code Execution (RCE). The createBeanDeserializer() function in the BeanDeserializerFactory class allows untrusted Java objects to be deserialized. A remote attacker can exploit this by uploading a malicious serialized object that will result in RCE if the application attempts to deserialize it.
  False Positive Classification Reasoning:
  According to this description, and given that the org.onap.dcaegen2.platform:inventory-api code does not enable the use of global type information (using the class name as the type id), we believe that this report is a false positive.

Repository: dcaegen2/platform/inventory-api
Group / Artifact: org.eclipse.jetty / jetty-http 9.4.2.v20170220
Impact Analysis:
  Vulnerability report: CVE-2017-7657, CVE-2017-7658
Action: DCAEGEN2-768. Upgrade to the latest version, 9.4.12.v20180830.

Repository: dcaegen2/platform/inventory-api
Group / Artifact: org.eclipse.jetty / jetty-server 9.4.2.v20170220
Impact Analysis:
  Vulnerability report: CVE-2018-12538
Action: DCAEGEN2-768. Upgrade to the latest version, 9.4.12.v20180830.

Repository: dcaegen2/services/mapper
Group / Artifact: org.codehaus.groovy / groovy-all 2.4.4
Impact Analysis:
  Vulnerability report: CVE-2016-6814
Action: DCAEGEN2-769. Upgrade to the latest version, 2.4.15.

Repository: dcaegen2/services/mapper
Group / Artifact: org.apache.tomcat.embed / tomcat-embed-core 8.5.31
Impact Analysis:
  Vulnerability report: CVE-2018-8014
Action: DCAEGEN2-769. Update tomcat-embed-core to version 8.5.32.

Repository: dcaegen2/services/mapper
Group / Artifact: org.springframework / spring-expression 5.0.3.RELEASE
Impact Analysis:
  Vulnerability report: CVE-2018-1270
Action: DCAEGEN2-769. Update to version 5.0.9.RELEASE.

Repository: dcaegen2/services/mapper
Group / Artifact: com.fasterxml.jackson.core / jackson-databind 2.9.5
Impact Analysis:
  Vulnerable artifacts:
  Dependency com.fasterxml.jackson.core:jackson-databind:jar:2.9.5 located at Module org.onap.dcaegen2.services.mapper.vesadapter:UniversalVesAdapter:jar:0.0.1
  Vulnerability report: SONATYPE-2017-0312
  jackson-databind is vulnerable to Remote Code Execution (RCE). The createBeanDeserializer() function in the BeanDeserializerFactory class allows untrusted Java objects to be deserialized. A remote attacker can exploit this by uploading a malicious serialized object that will result in RCE if the application attempts to deserialize it.
Action: DCAEGEN2-769. To be assessed: the Jackson version can be updated to 2.9.6 (for consistency within the application), so that the Jackson-related vulnerability can be addressed as a single item (see the 2.9.6 entry below).

Repository: dcaegen2/services/mapper
Group / Artifact: com.fasterxml.jackson.core / jackson-databind 2.9.6
Impact Analysis:
  Vulnerable artifacts:
  Dependency com.fasterxml.jackson.core:jackson-databind:jar:2.9.6 located at Module org.onap.dcaegen2.services.mapper:snmpmapper:jar:0.0.1-SNAPSHOT
  Vulnerability report: SONATYPE-2017-0312
  jackson-databind is vulnerable to Remote Code Execution (RCE). The createBeanDeserializer() function in the BeanDeserializerFactory class allows untrusted Java objects to be deserialized. A remote attacker can exploit this by uploading a malicious serialized object that will result in RCE if the application attempts to deserialize it.
  False Positive Classification Reasoning (to be confirmed):
  In mapper, Jackson is only used for converting POJO to JSON, not in the other direction, which is the one reported as vulnerable. The member call used is ObjectMapper.writeValueAsString, not the risky readValue method. Thus we believe the report is a false positive.

Repository: dcaegen2/services/mapper
Group / Artifact: org.springframework.data / spring-data-commons 2.0.6.RELEASE
Impact Analysis:
  Vulnerability report: CVE-2018-1259
Action: DCAEGEN2-769. Update to version 2.0.8.RELEASE.

Repository: dcaegen2/services/mapper
Group / Artifact: xerces / xercesImpl 2.11.0-atlassian-01
Impact Analysis:
  Vulnerability report: CVE-2012-0881
Action: DCAEGEN2-769. Update to version 2.12.0.

Repository: dcaegen2/services/mapper
Group / Artifact: org.apache.httpcomponents / httpclient 4.5.2
Impact Analysis:
  Vulnerability report: SONATYPE-2017-0359 (Sonatype CWE: 22)
  The Apache httpcomponents component is vulnerable to Directory Traversal. The normalizePath() function in the URIBuilder class allows directory traversal characters such as ../. An attacker can exploit this vulnerability by sending a specially crafted request containing this sequence in the URL path, allowing the attacker to traverse beyond the allowed directory and retrieve the contents of arbitrary files from the server, leading to information disclosure.
Action: DCAEGEN2-769. Update to 4.5.3 or later.

Repository: dcaegen2/services/mapper
Group / Artifact: org.springframework / spring-core 5.0.3.RELEASE
Impact Analysis:
  Vulnerability report: CVE-2018-1272
Action: DCAEGEN2-769. Update to version 5.0.5.RELEASE or later.

Repository: dcaegen2/services/prh
Group / Artifact: org.apache.tomcat.embed / tomcat-embed-core 8.5.28
Impact Analysis:
  Vulnerability report: CVE-2018-8014
Action: DCAEGEN2-770. Update to version 8.5.32.

Repository: dcaegen2/services/prh
Group / Artifact: org.bouncycastle / bcprov-jdk15on 1.59
Impact Analysis:
  Vulnerable artifacts:
  Dependency org.bouncycastle:bcprov-jdk15on:jar:1.59 located at Module org.onap.dcaegen2.services.prh:prh-app-server:jar:1.0.0-SNAPSHOT
  Vulnerability report: CVE-2018-1000613, CVE-2018-1000180
Action: DCAEGEN2-770. No alternate (unflagged) version available. To be assessed whether this dependency can be removed or the threat is not applicable.

Repository: dcaegen2/services/prh
Group / Artifact: com.fasterxml.jackson.core / jackson-databind 2.9.6
Impact Analysis:
  Vulnerable artifacts:
  Dependency com.fasterxml.jackson.core:jackson-databind:jar:2.9.6 located at Module org.onap.dcaegen2.services.mapper:snmpmapper:jar:0.0.1-SNAPSHOT
  Vulnerability report: SONATYPE-2017-0312
  jackson-databind is vulnerable to Remote Code Execution (RCE). The createBeanDeserializer() function in the BeanDeserializerFactory class allows untrusted Java objects to be deserialized. A remote attacker can exploit this by uploading a malicious serialized object that will result in RCE if the application attempts to deserialize it.
Action: DCAEGEN2-770. To be assessed: whether an alternative is available, whether Jackson is only used for converting JSON to POJO (the reverse direction is flagged; see the entry under 502), or whether the following applies: if this component is used as part of Spring Security, you are not vulnerable if you are running Spring Security 4.2.3.RELEASE or greater for 4.x, or Spring Security 5.0.0.M2 or greater for 5.x (CVE-2017-4995).
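Several of the false-positive classifications above rest on the same two checks: whether a module ever calls a Jackson deserialization entry point (readValue and related methods) rather than only writeValueAsString, and whether default typing is enabled (enableDefaultTyping, or @JsonTypeInfo with Id.CLASS or Id.MINIMAL_CLASS) so that the input could select the class to instantiate. The following Python script is an added example, not code from this page or from any DCAEGEN2 project. It strips comments from a set of Java sources, counts those calls per Maven module, and proposes a triage verdict that mirrors the reasoning used in the table (no deserialization at all: false-positive candidate; deserialization with default typing: action required; deserialization into fixed types: review where the input comes from). The sources and module names are constructed for the example; a real run would read each module's src/ tree, and text matching cannot see Jackson usage inside other libraries, so a "false-positive-candidate" verdict is the starting point for the written reasoning, not a replacement for it.

```python
import re
from collections import defaultdict

# Jackson entry points that turn JSON into objects (the direction the reports flag).
DESERIALIZE = re.compile(r"\.(readValue|readValues|readTree|treeToValue|convertValue)\s*\(")
# Object -> JSON calls, the direction the false-positive reasoning on this page relies on.
SERIALIZE = re.compile(r"\.(writeValueAsString|writeValueAsBytes|writeValue)\s*\(")
# Ways of enabling polymorphic typing by class name, the precondition the
# jackson-databind reports describe.
DEFAULT_TYPING = re.compile(
    r"\.(enableDefaultTyping|enableDefaultTypingAsProperty|activateDefaultTyping)\s*\("
    r"|\bId\.(CLASS|MINIMAL_CLASS)\b"
)


def strip_comments(java_src):
    """Drop /* */ and // comments so commented-out code is not counted.
    Assumption: comment markers inside string literals are rare enough to ignore."""
    no_block = re.sub(r"/\*.*?\*/", "", java_src, flags=re.S)
    return re.sub(r"//[^\n]*", "", no_block)


def module_of(path):
    """Maven module = path prefix before /src/ (e.g. 'foo/src/main/java/X.java' -> 'foo')."""
    return path.split("/src/")[0]


def classify_sources(files):
    """files: {path: java source}. Returns {module: counts + 'verdict'}."""
    per_module = defaultdict(lambda: {"serialize": 0, "deserialize": 0, "default_typing": False})
    for path, src in files.items():
        src = strip_comments(src)
        stats = per_module[module_of(path)]
        stats["serialize"] += len(SERIALIZE.findall(src))
        stats["deserialize"] += len(DESERIALIZE.findall(src))
        stats["default_typing"] = stats["default_typing"] or bool(DEFAULT_TYPING.search(src))
    for stats in per_module.values():
        if stats["deserialize"] == 0:
            # Only POJO -> JSON: the "writeValueAsString only" argument from the table applies.
            stats["verdict"] = "false-positive-candidate"
        elif stats["default_typing"]:
            # Input may name the class to instantiate: treat the report as confirmed.
            stats["verdict"] = "action-required"
        else:
            # Deserializes into fixed target types; a human still checks the input source.
            stats["verdict"] = "review"
    return dict(per_module)


# Constructed sample sources; module names are hypothetical, not DCAEGEN2 modules.
SAMPLE_SOURCES = {
    "sample-serializer-only/src/main/java/org/example/ModelJson.java": """
package org.example;
import com.fasterxml.jackson.databind.ObjectMapper;
public class ModelJson {
    private static final ObjectMapper MAPPER = new ObjectMapper();
    // POJO -> JSON only
    public static String toJson(Object pojo) throws Exception {
        return MAPPER.writeValueAsString(pojo);
    }
    /* MAPPER.readValue(json, Object.class) -- commented out, must not be counted */
}
""",
    "sample-default-typing/src/main/java/org/example/Inbound.java": """
package org.example;
import com.fasterxml.jackson.databind.ObjectMapper;
public class Inbound {
    private final ObjectMapper mapper = new ObjectMapper().enableDefaultTyping();
    public Object parse(String body) throws Exception {
        return mapper.readValue(body, Object.class);
    }
}
""",
    "sample-typed-reader/src/main/java/org/example/Health.java": """
package org.example;
import com.fasterxml.jackson.databind.ObjectMapper;
public class Health {
    private final ObjectMapper mapper = new ObjectMapper();
    public Status parse(String body) throws Exception {
        return mapper.readValue(body, Status.class); // fixed target type, no default typing
    }
}
""",
}

if __name__ == "__main__":
    for module, stats in sorted(classify_sources(SAMPLE_SOURCES).items()):
        print("%-24s serialize=%d deserialize=%d default_typing=%s -> %s" % (
            module, stats["serialize"], stats["deserialize"],
            stats["default_typing"], stats["verdict"]))
```

To run it on a checkout, build the `files` dict by walking the module directories and reading every .java file; the per-module counts then give the evidence to cite in the "False Positive Classification Reasoning" cell, and a module that lands in "review" or "action-required" is the one that needs a version update or a ticket rather than a false-positive entry.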