Dublin AAI Security/Vulnerability Report
- Amy Zwarico
This table represents the known exploitable and non-exploitable vulnerabilities in third party packages used in the project.
Repository | Group | Impact Analysis | Action |
|---|---|---|---|
| com.fasterxml.jackson.core | False Positive - The application is vulnerable by using this component, when default typing is enabled. Message Router does not use the default typing, so using the jackson-databind will not make message router vulnerable. | |
| com.fasterxml.jackson.org | AAI should attempt to upgrade this component. | AAI-2431: [schema-service] updgrade jackson-dataformat to eliminate nexusiq vulnerabilityClosed |
| org.apache.tomcat.embed | A dependency of Spring boot 1.5.20.RELEASE, which is the most current version. This is a false positive since the ONAP demo is not intended to run on Windows; for those clients who choose to deploy these services on Windows we recommend setting | |
| org.springframework | A dependency of an older version of the aai-common libraries. | |
| commons-codec | A child dependency of Janusgraph. Plan is to upgrade to newer janusgraph, but even the latest version uses this component for which there is no non-vulnerable version. AAI doesn't call the methods described in the CVE directly. | |
| org.eclipse.jetty | False positive. Our services do not allow listing of directory contents. | |
| org.eclipse.jetty | A dependency of Spring boot 1.5.20.RELEASE, which is the most current version. This is a false positive since the ONAP demo is not intended to run on Windows; for those clients who choose to deploy these services on Windows we recommend to not use DefaultServlet or ResourceHandler providing directory content listings. | |
| org.eclipse.jetty | False positive. Our services do not allow listing of directory contents. | |
| com.fasterxml.jackson.core | False Positive. The exploit primarily is about enabling polymorphic type handling with the object mapper and writing class specifics into the JSON object. There are two ways of doing this:
By default the ObjectMapper does not enableDefaultTyping, the code base is not using either approach, so the possibility of the exploit vector does not apply. | |
| com.fasterxml.jackson.core | False Positive. The exploit primarily is about enabling polymorphic type handling with the object mapper and writing class specifics into the JSON object. There are two ways of doing this:
By default the ObjectMapper does not enableDefaultTyping, the code base is not using either approach, so the possibility of the exploit vector does not apply. | |
| org.codehaus.jackson | False Positive. The exploit primarily is about enabling polymorphic type handling with the object mapper and writing class specifics into the JSON object. There are two ways of doing this:
By default the ObjectMapper does not enableDefaultTyping, the resources code bases are not using either approach, so the possibility of the exploit vector does not apply. | AAI-900 -Security: CVE-2017-7525 jackson-mapper-asl 1.9.2CLOSED |
| org.codehaus.jackson | False Positive. The exploit primarily is about enabling polymorphic type handling with the object mapper and writing class specifics into the JSON object. There are two ways of doing this:
By default the ObjectMapper does not enableDefaultTyping, the resources code bases are not using either approach, so the possibility of the exploit vector does not apply. | |
| org.codehaus.jackson | False Positive. The exploit primarily is about enabling polymorphic type handling with the object mapper and writing class specifics into the JSON object. There are two ways of doing this:
By default the ObjectMapper does not enableDefaultTyping, the code base is not using either approach, so the possibility of the exploit vector does not apply. | |
| com.fasterxml.jackson.core | False Positive. The exploit primarily is about enabling polymorphic type handling with the object mapper and writing class specifics into the JSON object. There are two ways of doing this:
By default the ObjectMapper does not enableDefaultTyping, the search service is not using either approach, so the possibility of the exploit vector does not apply. | |
| com.fasterxml.jackson.core | False Positive Explanation: This vulnerability issue only exists if com.fasterxml.jackson.databind.ObjectMapper.setDefaultTyping() is called before it is used for deserialization. esr-server doesn't invoke this method, esr-server use new Gson().fromJson(String json, Obj.class) and new Gson().toJson(obj) to deserialization and serialization. https://github.com/FasterXML/jackson-docs/wiki/JacksonPolymorphicDeserialization In esr-server, Gson is used to deserialization and serialization: | |
| org.apache.activemq | Issue is a false positive. This vulnerability is dependent on XalanXPathEvaluator.java using an insecure or absent document parser. AAI is not using this class. | |
| org.apache.activemq | Users should make sure the environment is secure to prevent possible MITM attacks between AAI and other ONAP services in the k8 cluster | AAI-2442: Upgrade activemq dependencies to newer versionClosed |
| org.apache.activemq | Issue is a false positive. This vulnerability is dependent on XalanXPathEvaluator.java using an insecure or absent document parser. AAI is not using this class. | |
| org.webjars.npm bootstrap | False positive. The data-target attribute in bootstrap.js interprets encoded HTML entities as standard HTML entities when data-target is based on user supplied input. data-target attribute is not used | Helpdesk ticket 54851 |
| org.webjars.npm bootstrap | False positive. The | |
| com.google.guava | This dependency is a child dependency of Cassandra which is required for the graphdb; newer versions of Cassandra do not upgrade to a non-vulnerable version of this depedency. Guava is vulnerable to Denial of Service (DoS) when untrusted input is supplied to the | |
aai/data-router | com.google.guava | This dependency is a child dependency of Cassandra which is required for the graphdb; newer versions of Cassandra do not upgrade to a non-vulnerable version of this depedency. Guava is vulnerable to Denial of Service (DoS) when untrusted input is supplied to the | |
aai/search-data-service | com.google.guava | A dependency of a child dependency, json-schema-validator. Even the latest version of json-schema-validator does not have the required fix version for the above components. | |
aai/search-data-service | com.googlecode.libphonenumber | A dependency of a child dependency, json-schema-validator. Even the latest version of json-schema-validator does not have the required fix version for the above components. AAI is not vulnerable to this issue in the dependency, it does not use the component in the way described. | |
aai/search-data-service | javax.mail | A dependency of a child dependency, json-schema-validator. Even the latest version of json-schema-validator does not have the required fix version for the above components. AAI is not vulnerable to this issue in the dependency, it does not use the component in the way described. | |
aai/search-data-service | org.springframework.security | Search data service is not vulnerable to the exploit vectors because it does not perform the functions outlined in the report. switchUserProcessingFilter is not configured | AAI-1895: [search-data-service] Update springboot to 1.5.18 in search-data-serviceClosed |
aai/esr-server | com.smoketurner.dropwizard | False Positive. The exploit primarily is about enabling polymorphic type handling with the object mapper and writing class specifics into the JSON object. There are two ways of doing this:
By default the ObjectMapper does not enableDefaultTyping, the code base is not using either approach, so the possibility of the exploit vector does not apply. | |
| com.rabbitmq | False positive. Event client in ONAP only uses DMaaP so the rabbitmq dependencies are never used. | AAI-1905: [event-client] Security - com.rabbitmq has vulnerabilitiesClosed |
| org.apache.tomcat | ESR GUI is vulnerable. Implementors should secure the system to prevent exploits. | |
| org.apache.tomcat | ESR GUI is vulnerable. Implementors should secure the system to prevent exploits. | |
| org.apache.tomcat | ESR GUI is vulnerable. Implementors should secure the system to prevent exploits. | |
| bootstrap | ESR GUI is vulnerable. Implementors should secure the system to prevent exploits. | |
| jquery | ESR GUI is vulnerable. Implementors should secure the system to prevent exploits. | AAI-2347: [esr-gui] security: Update jquery from 1.11.0Closed |
| org.apache.libthrift | False positive. This version of ilbthrift is a dependency of titan/cassandra and janus/cassandra. Users should take note of this if they decide to enable SASL, but we do not ship it with the demo. | |
| org.apache.zookeeper | False positive for ONAP as deployed. AAI is deployed with Janus on Cassandra, if users implement champ and choose hbase they should take steps to disable client-initiated renegotiation https://github.com/apache/zookeeper/pull/710 | |
| ch.qos.logback | EELF dependency, upgrade to 1.0.1-oss | AAI-2240: [aai-common] security: upgrade eelf to 1.0.1-ossClosed AAI-2251: [spike] security: upgrade eelf to 1.0.1-ossClosed AAI-2345: [spike] security: Update to aai-common 1.4.2 once releasedClosed |
aai/router-core | org.eclipse.jetty | Tried to upgrade jetty; at the time in the nexusiq report this looked clean but evidently it's not. In any event, this is a false positive, the application doesn't use this component in the application server; these utils are only used locally. | |
aai/sparky-be | commons-fileupload | Part of portal sdk 2.5.0 | |
aai/sparky-be | org.owasp.antisamy | Part of portal sdk 2.5.0 | |
aai/sparky-be | org.owasp.esapi | Part of portal sdk 2.5.0 | |
| commons-fileupload | Imported by ring; investigating whether there is an upgrade available. Chameleon could be vulnerable to denial of service exploit and implementors should secure the system to prevent it. | |
aai/gallifrey | io.netty | Consider upgrading. From CT Paterson: "The netty dependency is pulled in from RethinkDB. We're currently testing an update to gallifrey that will move to Cassandra as a storage backend and drop RethinkDB support. This should resolve the issue." | |
aai/esr-server | com.fasterxml.jackson.datatype | ESR is vulnerable. Implementors should secure the system to prevent DDOS attacks. | |
aai/esr-server | org.eclipse.jetty | ESR is vulnerable. Implementors should secure the system to prevent DDOS attacks. | |
aai/router-core | ch.qos.logback | Update to latest aai-common | |
aai/champ | io.netty | AAI is not configured with hbase in the demo so this is not applicable. Operators who use champ and configure hbase should use care on this item. | |
| org.apache.tomcat.embed | Update to spring-boot 1.5.20 is the right path, but we cannot since 1.5.20 doesn't support 2-way TLS the way it is done in ONAP | |
| org.apache.camel | False positive. createFileName() is never used | |
| org.apache.cxf |
| |
| org.springframework.security | Upgrade spring-security | |
| com.squareup.okhttp3 | Disputed vulnerability, but users should make sure that MITM attacks are mitigated in their systems |