Dublin CCSDK Security/Vulnerability Report
This table lists the known exploitable and non-exploitable vulnerabilities reported in third-party packages used by the Dublin release of CCSDK, together with the project's impact analysis and the action taken for each finding.
Repository | Group | Impact Analysis | Action |
---|---|---|---|
ccsdk/apps | ch.qos.logback | FALSE POSITIVE. The vulnerability refers to logback's socket-based remote logging classes (the socket server/receiver components), which are not used here. | Tracked in issue CCSDK-967: CVE-2017-5929 - upgrade to use logback version 1.2.0 (Closed) |
ccsdk/distribution | ch.qos.logback | FALSE POSITIVE. The vulnerability refers to logback's socket-based remote logging classes (the socket server/receiver components), which are not used here. | Tracked in issue CCSDK-967: CVE-2017-5929 - upgrade to use logback version 1.2.0 (Closed) |
ccsdk/distribution, ccsdk/features | com.fasterxml.jackson.core | Need to upgrade to version 2.7.7 or greater | Tracked in issue CCSDK-991: Upgrade to spring-core 2.8.6 or higher (Closed) |
ccsdk/distribution, ccsdk/features | com.fasterxml.jackson.core | Need to upgrade to version 2.8.6 or greater | Tracked in issue CCSDK-991: Upgrade to spring-core 2.8.6 or higher (Closed) |
ccsdk/apps, ccsdk/cds, ccsdk/dashboard | com.fasterxml.jackson.core | No non-vulnerable version of Jackson exists | Tracked in issue CCSDK-970: CVE-2017-4995 - jackson-datatype has incomplete fix (Closed) |
ccsdk/features | com.fasterxml.jackson.core | No non-vulnerable version of Jackson exists | Tracked in issue CCSDK-970: CVE-2017-4995 - jackson-datatype has incomplete fix (Closed) |
ccsdk/sli/northbound | com.fasterxml.jackson.core | No non-vulnerable version of Jackson exists | Tracked in issue CCSDK-970: CVE-2017-4995 - jackson-datatype has incomplete fix (Closed) |
ccsdk/apps, ccsdk/cds | com.fasterxml.jackson.core | No non-vulnerable version of Jackson exists | Tracked in issue CCSDK-970: CVE-2017-4995 - jackson-datatype has incomplete fix (Closed) |
ccsdk/distribution, ccsdk/features, ccsdk/sli/adaptors, ccsdk/sli/plugins | com.fasterxml.jackson.core | Inherited from OpenDaylight | Must be fixed in upstream OpenDaylight |
ccsdk/features | com.fasterxml.jackson.core | No non-vulnerable version of Jackson exists | Tracked in issue CCSDK-970: CVE-2017-4995 - jackson-datatype has incomplete fix (Closed) |
ccsdk/parent | com.fasterxml.jackson.core | No non-vulnerable version exists | Tracked in issue CCSDK-970: CVE-2017-4995 - jackson-datatype has incomplete fix (Closed) |
ccsdk/distribution, ccsdk/features | com.fasterxml.jackson.core | No non-vulnerable version of Jackson exists | Tracked in issue CCSDK-970: CVE-2017-4995 - jackson-datatype has incomplete fix (Closed) |
ccsdk/parent | com.fasterxml.jackson.datatype | No non-vulnerable version of Jackson exists | Tracked in issue CCSDK-970: CVE-2017-4995 - jackson-datatype has incomplete fix (Closed) |
ccsdk/sli/northbound | com.google.guava | Need to upgrade to version 23.6.1 or greater | Tracked in issue CCSDK-972: CVE-2018-10237 - Google Guava versions < 23.6.1 (Closed) |
ccsdk/parent | com.google.guava | Need to upgrade to version 23.6.1 or greater | Tracked in issue CCSDK-972: CVE-2018-10237 - Google Guava versions < 23.6.1 (Closed) |
ccsdk/dashboard | com.google.guava | Need to upgrade to version 23.6.1 or greater | Tracked in issue CCSDK-972: CVE-2018-10237 - Google Guava versions < 23.6.1 (Closed) |
ccsdk/distribution, ccsdk/features | com.google.guava | Inherited from OpenDaylight | Must be fixed in upstream OpenDaylight |
ccsdk/apps | com.h2database | FALSE POSITIVE - the artifact is used only by JUnit tests and is therefore not on the runtime classpath | Tracked in issue https://lf-onap.atlassian.net/browse/CCSDK-973 |
ccsdk/cds | com.h2database | FALSE POSITIVE - the artifact is used only by JUnit tests and is therefore not on the runtime classpath | Tracked in issue https://lf-onap.atlassian.net/browse/CCSDK-973 |
ccsdk/distribution | com.h2database | Inherited from OpenDaylight | Must be fixed in upstream OpenDaylight |
ccsdk/dashboard | com.mchange | Inherited from ONAP Portal project library | Tracked in issue https://lf-onap.atlassian.net/browse/PORTAL-535 |
ccsdk/distribution, ccsdk/sli/adaptors | com.sun.mail | Need to upgrade to version 1.5.3 or greater | Tracked in issue https://lf-onap.atlassian.net/browse/CCSDK-986 |
ccsdk/dashboard | commons-beanutils | Inherited from ONAP Portal project library | FALSE POSITIVE - Portal library does not use vulnerable functionality |
ccsdk/distribution, ccsdk/features | commons-beanutils | Inherited from OpenDaylight | Must be fixed in upstream OpenDaylight |
ccsdk/features, ccsdk/sli/adaptors, ccsdk/sli/northbound | commons-codec | Library is not used directly in ONAP but is inherited from upstream Spring Boot. There is no fix yet, although the upstream issue was recently revived - see https://issues.apache.org/jira/browse/CODEC-134 | Tracked in issue https://lf-onap.atlassian.net/browse/CCSDK-1232 |
ccsdk/cds, ccsdk/distribution, ccsdk/features, ccsdk/sli/adaptors, ccsdk/sli/core | commons-codec | Library is not used directly in ONAP but is inherited from upstream Spring Boot. There is no fix yet, although the upstream issue was recently revived - see https://issues.apache.org/jira/browse/CODEC-134 | Tracked in issue https://lf-onap.atlassian.net/browse/CCSDK-1232 |
ccsdk/dashboard | commons-codec | Inherited from ONAP Portal project library | Must be addressed in Portal project |
ccsdk/distribution, ccsdk/sli/plugins | commons-collections | Inherited from OpenDaylight | Must be fixed in upstream OpenDaylight |
ccsdk/distribution | commons-fileupload | Inherited from OpenDaylight | Must be fixed in upstream OpenDaylight |
ccsdk/dashboard | commons-fileupload | Inherited from ONAP Portal project library | Tracked in issue https://lf-onap.atlassian.net/browse/PORTAL-443 |
ccsdk/apps, ccsdk/distribution, ccsdk/dashboard, ccsdk/sli/plugins | dom4j | Library is not used directly in ONAP but is inherited from upstream Spring Boot and OpenDaylight. Need to upgrade to version 2.1.1 or higher | Tracked with issue https://lf-onap.atlassian.net/browse/CCSDK-974 |
ccsdk/distribution | io.netty | Inherited from OpenDaylight | Must be fixed in upstream OpenDaylight |
ccsdk/distribution | javax.mail | Inherited from OpenDaylight | Must be fixed in upstream OpenDaylight |
ccsdk/dashboard | javax.servlet | Fixed in version 1.2.3 | Tracked with issue https://lf-onap.atlassian.net/browse/CCSDK-1267 |
ccsdk/distribution | net.sf.ehcache | Inherited from OpenDaylight | Must be fixed in upstream OpenDaylight |
ccsdk/distribution | org.apache.activemq | Inherited from OpenDaylight | Must be fixed in upstream OpenDaylight |
ccsdk/cds | org.apache.commons | Fixed in version 1.18 | Tracked with issue https://lf-onap.atlassian.net/browse/CCSDK-1238 |
ccsdk/cds | org.apache.commons | Fixed in version 1.16 | Tracked with issue https://lf-onap.atlassian.net/browse/CCSDK-1238 |
ccsdk/distribution | org.apache.felix | Inherited from OpenDaylight | Must be fixed in upstream OpenDaylight |
ccsdk/cds, ccsdk/distribution, ccsdk/features, ccsdk/sli/adaptors | org.apache.httpcomponents | Inherited from OpenDaylight | Must be fixed in upstream OpenDaylight |
ccsdk/distribution, ccsdk/parent | org.apache.karaf | Inherited from OpenDaylight | Must be fixed in upstream OpenDaylight |
ccsdk/parent | org.apache.karaf.features | Dependent on OpenDaylight | Must be fixed in upstream OpenDaylight |
ccsdk/apps, ccsdk/cds, ccsdk/distribution, ccsdk/features, ccsdk/sli/adaptors, ccsdk/sli/core, ccsdk/sli/northbound, ccsdk/sli/plugins | org.apache.karaf.jaas | Inherited from OpenDaylight | Must be fixed in upstream OpenDaylight |
ccsdk/distribution | org.apache.karaf.kar | Dependent on OpenDaylight | Must be fixed in upstream OpenDaylight |
ccsdk/apps, ccsdk/cds, ccsdk/distribution, ccsdk/features, ccsdk/sli/adaptors, ccsdk/sli/core, ccsdk/sli/northbound, ccsdk/sli/plugins | org.apache.karaf.shell | Inherited from OpenDaylight | Must be fixed in upstream OpenDaylight |
ccsdk/distribution | org.apache.karaf.shell | Inherited from OpenDaylight | Must be fixed in upstream OpenDaylight |
ccsdk/distribution | org.apache.karaf.webconsole | Inherited from OpenDaylight | Must be fixed in upstream OpenDaylight |
ccsdk/distribution, ccsdk/features | org.apache.lucene | Fixed in version 7.0.0-cdh6.0.0 | Tracked in issue https://lf-onap.atlassian.net/browse/CCSDK-1087 |
ccsdk/distribution | org.apache.myfaces.core | Inherited from OpenDaylight | Must be fixed in upstream OpenDaylight |
ccsdk/dashboard | org.apache.poi | Fixed in version 3.17 | Tracked in issue https://lf-onap.atlassian.net/browse/CCSDK-1268 |
ccsdk/features | org.apache.shiro | FALSE POSITIVE - this vulnerability applies to behavior on the shiro server. We use shiro only as a client. | No action necessary |
ccsdk/dashboard | org.apache.wicket | Inherited from ONAP Portal library | Tracked in issue https://lf-onap.atlassian.net/browse/PORTAL-538 |
ccsdk/distribution | org.apache.servicemix.bundles | Inherited from OpenDaylight | Must be fixed in upstream OpenDaylight |
ccsdk/distribution | org.apache.shiro | Inherited from OpenDaylight | Must be fixed in upstream OpenDaylight |
ccsdk/distribution | org.apache.thrift | Inherited from OpenDaylight | Must be fixed in upstream OpenDaylight |
ccsdk/apps | org.apache.tomcat.embed | FALSE POSITIVE: CVE only impacts embedded-tomcat running in Windows, which does not impact us since our containers run on Alpine. | Tracked in issue https://lf-onap.atlassian.net/browse/CCSDK-1237 Note: this is not a problem we currently need to address, but we want to track as a reminder in case there is any need to run ONAP native on Windows. |
ccsdk/cds | org.apache.tomcat.embed | FALSE POSITIVE: CVE only impacts embedded-tomcat running in Windows, which does not impact us since our containers run on Alpine. | Tracked in issue https://lf-onap.atlassian.net/browse/CCSDK-1237 Note: this is not a problem we currently need to address, but we want to track as a reminder in case there is any need to run ONAP native on Windows. |
ccsdk/dashboard | org.bouncycastle | Inherited from ONAP Portal library | Tracked in issue https://lf-onap.atlassian.net/browse/PORTAL-444 |
ccsdk/sli/plugins | org.eclipse.jetty | Fixed in version 9.4.12 | Tracked in issue https://lf-onap.atlassian.net/browse/CCSDK-1285 |
ccsdk/distribution | org.eclipse.jetty.aggregate | Inherited from OpenDaylight | Must be fixed in upstream OpenDaylight |
ccsdk/distribution, ccsdk/features | org.elasticsearch | Fixed in version 5.0.0-alpha5 | Tracked in issue https://lf-onap.atlassian.net/browse/CCSDK-1088 |
ccsdk/dashboard | org.hibernate | Inherited from ONAP Portal library | Tracked in issue https://lf-onap.atlassian.net/browse/PORTAL-441 |
ccsdk/distribution | org.hibernate | Inherited from OpenDaylight | Must be fixed in upstream OpenDaylight |
ccsdk/distribution | org.infinispan | Inherited from OpenDaylight | Must be fixed in upstream OpenDaylight |
ccsdk/distribution | org.jboss.narayana.osgi | Inherited from OpenDaylight | Must be fixed in upstream OpenDaylight |
ccsdk/distribution | org.jgroups | Inherited from OpenDaylight | Must be fixed in upstream OpenDaylight |
ccsdk/parent | org.opendaylight.odlparent | Inherited from OpenDaylight | Must be fixed in upstream OpenDaylight |
ccsdk/distribution | org.ops4j.pax.tipi | Inherited from OpenDaylight | Must be fixed in upstream OpenDaylight |
ccsdk/distribution | org.ops4j.pax.web | Inherited from OpenDaylight | Must be fixed in upstream OpenDaylight |
ccsdk/dashboard | org.owasp.antisamy | Inherited from ONAP Portal library | Tracked in issue https://lf-onap.atlassian.net/browse/PORTAL-542 |
ccsdk/dashboard | org.owasp.esapi | Inherited from ONAP Portal library | See R4 Portal Platform Security/Vulnerability - Full Content for current status |
ccsdk/distribution | org.postgresql | Inherited from OpenDaylight | Must be fixed in upstream OpenDaylight |
ccsdk/distribution | org.postgresql | FALSE POSITIVE | No action necessary |
ccsdk/cds | org.python | There has been no update to this artifact since 2017. Need to find a replacement. | |
ccsdk/parent | org.springframework | Need to upgrade to version 4.3.15 or higher | Tracked in issue https://lf-onap.atlassian.net/browse/CCSDK-988 |
ccsdk/distribution, ccsdk/features, ccsdk/sli/adaptors, ccsdk/sli/plugins | org.springframework | Need to upgrade to version 4.3.15 or higher | Tracked in issue https://lf-onap.atlassian.net/browse/CCSDK-988 |
ccsdk/distribution, ccsdk/features, ccsdk/sli/adaptors, ccsdk/sli/plugins | org.springframework | Need to upgrade to version 4.3.17 or higher | Tracked in issue https://lf-onap.atlassian.net/browse/CCSDK-988 |
ccsdk/parent | org.springframework | Need to upgrade to version 4.3.18 or higher | Tracked in issue https://lf-onap.atlassian.net/browse/CCSDK-983 |
ccsdk/distribution, ccsdk/features | org.springframework | Need to upgrade to version 4.3.15 or higher | Tracked in issue https://lf-onap.atlassian.net/browse/CCSDK-983 |
ccsdk/distribution, ccsdk/features | org.springframework | Need to upgrade to version 4.3.18 or higher | Tracked in issue https://lf-onap.atlassian.net/browse/CCSDK-983 |
ccsdk/apps | org.springframework | Need to upgrade to version 4.3.20 or higher | Tracked in issue https://lf-onap.atlassian.net/browse/CCSDK-983 |
ccsdk/apps | org.springframework | Need to upgrade to version 4.3.18 or higher | Tracked in issue https://lf-onap.atlassian.net/browse/CCSDK-983 |
ccsdk/cds | org.springframework.data | Fixed in version 2.1.6.RELEASE | Tracked in issue https://lf-onap.atlassian.net/browse/CCSDK-1239 |
ccsdk/cds | org.springframework.security | Fixed in version 5.1.5.RELEASE | |
ccsdk/apps, ccsdk/cds | org.springframework.security | FALSE POSITIVE - only applies if using Switch User Processing filter, which we do not use | No action necessary |
ccsdk/dashboard | org.webjars | Inherited from ONAP Portal library | See R4 Portal Platform Security/Vulnerability - Full Content for current status |
ccsdk/dashboard | org.webjars | Inherited from ONAP Portal library | Must be addressed in ONAP Portal project |
ccsdk/dashboard | xerces | Inherited from ONAP Portal library | Tracked in issue https://lf-onap.atlassian.net/browse/PORTAL-445 |
ccsdk/distribution | xerces | Inherited from OpenDaylight | Must be fixed in upstream OpenDaylight |
ccsdk/dashboard | angular | Inherited from ONAP Portal library | FALSE POSITIVE per ONAP Portal team |
ccsdk/dashboard | angular-sanitize | Inherited from ONAP Portal library | Tracked in issue https://lf-onap.atlassian.net/browse/PORTAL-533 |
ccsdk/dashboard | angular-grid | Inherited from ONAP Portal library | See Dublin Portal Security/Vulnerability Report for current status |
ccsdk/dashboard | angularjs | Inherited from ONAP Portal library | Tracked in issue https://lf-onap.atlassian.net/browse/PORTAL-533 |
ccsdk/distribution | bootstrap | There is no non-vulnerable version | Tracked in issue https://lf-onap.atlassian.net/browse/CCSDK-985 |
ccsdk/dashboard | bootstrap | Inherited from ONAP Portal library | See Dublin Portal Security/Vulnerability Report for current status |
ccsdk/distribution | handlebars | Inherited from OpenDaylight | Must be fixed in upstream OpenDaylight |
ccsdk/dashboard | jQuery | Inherited from ONAP Portal library | Tracked in issue https://lf-onap.atlassian.net/browse/PORTAL-540 |
ccsdk/distribution | jQuery | Inherited from OpenDaylight | Must be fixed in upstream OpenDaylight |
ccsdk/apps | jQuery | Inherited from swagger-ui | Must be fixed in upstream swagger-ui |
ccsdk/dashboard | moment | Inherited from ONAP Portal library | Tracked in issue https://lf-onap.atlassian.net/browse/PORTAL-531 |
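The "need to upgrade to version X or greater" rows and the "used only by JUnit tests" false-positive rows above can be turned into an automated check against a module's pom.xml, so that a regression (a version rolled back, or a test-only artifact promoted to compile scope) is caught at build time rather than at the next scan. The script below is an added example and not CCSDK code: the pom it parses is constructed inline, the minimum versions are copied from the Impact Analysis column, and the policy dictionaries, function names and the handling of `${property}` versions are assumptions of the example rather than anything the report specifies.

```python
"""Audit a Maven pom.xml against the minimum versions and test-scope claims
recorded in the vulnerability table above. Added example, not CCSDK code:
the pom below is constructed, the policy tables are read off the table."""
import re
import xml.etree.ElementTree as ET

# Minimum non-vulnerable versions from the "upgrade to version X or greater"
# rows (where rows for one group disagree, the highest minimum is used).
MIN_VERSIONS = {
    "ch.qos.logback": "1.2.0",
    "com.fasterxml.jackson.core": "2.8.6",
    "com.google.guava": "23.6.1",
    "com.sun.mail": "1.5.3",
    "dom4j": "2.1.1",
    "org.springframework": "4.3.20",
}
# Groups the table marks FALSE POSITIVE because the artifact is used only by
# JUnit tests; that claim only holds if the Maven scope really is "test".
TEST_ONLY = {"com.h2database"}

# Constructed sample pom (not from any CCSDK repository). It exercises the
# ${property}, dependencyManagement, test-scope and missing-version cases.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId><artifactId>sample</artifactId><version>1.0</version>
  <properties>
    <guava.version>23.6.1-jre</guava.version>
    <spring.version>4.3.18.RELEASE</spring.version>
  </properties>
  <dependencyManagement><dependencies>
    <dependency><groupId>com.fasterxml.jackson.core</groupId><artifactId>jackson-databind</artifactId><version>2.9.8</version></dependency>
  </dependencies></dependencyManagement>
  <dependencies>
    <dependency><groupId>com.google.guava</groupId><artifactId>guava</artifactId><version>${guava.version}</version></dependency>
    <dependency><groupId>org.springframework</groupId><artifactId>spring-core</artifactId><version>${spring.version}</version></dependency>
    <dependency><groupId>com.h2database</groupId><artifactId>h2</artifactId><version>1.4.197</version><scope>test</scope></dependency>
    <dependency><groupId>ch.qos.logback</groupId><artifactId>logback-classic</artifactId></dependency>
    <dependency><groupId>org.apache.commons</groupId><artifactId>commons-lang3</artifactId><version>3.8</version></dependency>
  </dependencies>
</project>"""


def parse_version(version):
    """Leading dotted numeric part of a Maven version as a tuple of ints:
    '4.3.18.RELEASE' -> (4, 3, 18), '23.6.1-jre' -> (23, 6, 1)."""
    m = re.match(r"\d+(?:\.\d+)*", version.strip())
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(part) for part in m.group(0).split("."))


def version_at_least(actual, minimum):
    """True if actual >= minimum; zero-padded so that '2.8' equals '2.8.0'."""
    a, b = parse_version(actual), parse_version(minimum)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) >= b + (0,) * (width - len(b))


def _q(root, name):
    # Qualify a tag with the pom namespace when the root element carries one.
    return root.tag[: root.tag.index("}") + 1] + name if root.tag.startswith("{") else name


def _child_text(root, element, name):
    child = element.find(_q(root, name))
    return child.text.strip() if child is not None and child.text else None


def audit_pom(pom_xml):
    """Return one finding per dependency whose groupId the table tracks."""
    root = ET.fromstring(pom_xml)
    props_el = root.find(_q(root, "properties"))
    props = {p.tag.split("}")[-1]: (p.text or "").strip() for p in props_el} if props_el is not None else {}
    findings = []
    # iter() also descends into dependencyManagement and plugin dependencies.
    for dep in root.iter(_q(root, "dependency")):
        group = _child_text(root, dep, "groupId")
        if group not in MIN_VERSIONS and group not in TEST_ONLY:
            continue
        version = _child_text(root, dep, "version")
        ref = re.fullmatch(r"\$\{([^}]+)\}", version or "")
        if ref:  # ${property}: resolve from <properties>, else stays unresolved
            version = props.get(ref.group(1))
        scope = _child_text(root, dep, "scope") or "compile"
        if group in TEST_ONLY:
            status = "test-only" if scope == "test" else "runtime-exposed"
        elif version is None:
            status = "unresolved"  # inherited or unknown property: check the effective pom
        elif version_at_least(version, MIN_VERSIONS[group]):
            status = "ok"
        else:
            status = "vulnerable"
        findings.append({"group": group, "artifact": _child_text(root, dep, "artifactId"),
                         "version": version, "scope": scope, "status": status})
    return findings


if __name__ == "__main__":
    for f in audit_pom(SAMPLE_POM):
        print(f"{f['status']:16} {f['group']}:{f['artifact']} {f['version']} ({f['scope']})")
```

The script reads only the literal pom, so a version managed by a parent (as ccsdk/parent does for its child repositories) is reported as unresolved rather than guessed; run it against the output of `mvn help:effective-pom` to check the versions that are actually resolved. An artifact in TEST_ONLY that appears without `<scope>test</scope>` is flagged as runtime-exposed because the table's false-positive reasoning no longer applies to it.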