Dublin SDC Security/Vulnerability Report
This table lists the known exploitable and non-exploitable vulnerabilities in third-party packages used in the project.
Repository | Group | Impact Analysis | Action |
---|---|---|---|
sdc-sdc-tosca | com.fasterxml.jackson.core | False positive. The library is part of the sdcTosca parser, which is used as a library. The parser only runs on predefined objects and will not attempt to run on an object that was not validated. The parser is protected by the application using it, and the information supplied comes from the consuming application. There is no non-vulnerable version of this component. | No action in Dublin. |
sdc-sdc-tosca | com.google.guava | False positive. Guava exposes the application to serialization of objects without validation and would allow overloading the affected class; the classes that have this vulnerability, AtomicDoubleArray and CompoundOrdering, are not used in SDC. | No action in Dublin. |
sdc catalog | org.apache.lucene | False positive. The dependency comes from Elasticsearch (xercesImpl); as such the vulnerability does not affect the application. There is no non-vulnerable version of this component. | No action for Dublin. |
sdc onboarding | io.springfox | The dependency is part of Swagger. We will try to fix it by upgrading the version used. The vulnerabilities are connected to cross-site scripting. We were not able to identify the location of this issue based on our review; in CLM it is located in openecomp-be/tools/swagger-ui/target/api-docs, however no such thing exists in that Swagger jar. As a mitigation, we will not package Swagger in the release artifact. | |
sdc catalog + onboarding | org.codehaus.jackson | False positive. Used inside the Titan client; all operations arriving there have already passed a set of logic and serialization. This is not exposed to outside users. No version with a fix is currently available. 1.9.2 is not directly referenced but comes from Titan DB. | No action for Dublin. |
sdc catalog + onboarding | com.fasterxml.jackson.core | False positive. No version with a fix is currently available. SDC serializes objects based on existing classes only. | No action in Dublin. |
sdc onboarding + catalog | org.beanshell | False positive. CVE-2016-2510: the vulnerability exposes the application to remote code execution based on serializing objects with executable code. All versions have vulnerabilities in them; waiting for a fix in future versions. SDC does not use Java serialization for converting objects. | Waiting for a stable release. |
sdc catalog | io.netty | False positive. Used as part of the automation used in SDC; comes from the selenium-java dependency. | No action in Dublin. |
sdc catalog + onboarding | io.netty | SONATYPE-2017-0356: The software does not validate, or incorrectly validates, a certificate. | No action in Dublin. |
sdc catalog + onboarding | commons-beanutils | CVE-2014-0114 exposes the application to remote code execution by manipulating the class loader. All versions have vulnerabilities in them; waiting for a fix in future versions. The issue is that the class loader can be manipulated to load additional classes to execute code. Can be mitigated by not allowing access to the machine where SDC is running. | No action in Dublin. Update the version of the dependency as soon as the security issue is fixed. SDC-2269: Beanutils - upgrade to 1.9.2 should be considered (Closed) |
sdc catalog | org.bouncycastle | False positive. Comes from selenium-server; this is included and used in an automation project and is not actually deployed as part of SDC. | No action for Dublin. |
sdc catalog | xerces | False positive. Comes from selenium-java; this is included and used in an automation project and is not actually deployed as part of SDC. | No action for Dublin. |
sdc catalog | org.apache.poi | False positive. Part of the sdctool used for migration and schema creation, and not part of the BE logic. No DoS attack is possible against this. No newer version is available. | No action in Dublin; the dependency is no longer being actively developed. We will consider removing this in the future. SDC-2270: Consider upgrade or remove com.springsource.org.apache.poi (Closed) |
sdc catalog | swagger-ui | SDC has two Swaggers: one for external APIs, protected by basic authentication; the second for our internal APIs, and it is exposed. The vulnerability is that the Swagger UI is exposed to cross-site scripting. Mitigation: we will close access to it in the release until it is handled. | No action for Dublin. Changing the use of Swagger requires a major change to all the annotations we have; this will not be done in Dublin. |
sdc onboarding + catalog | org.testng | False positive. This is a testing framework used in SDC and is not part of the deployment; it is used for automation and unit test execution only. | No action for Dublin. |
sdc onboarding + catalog | org.springframework | False positive. SDC does not serve static pages using Spring. | No action for Dublin. |
sdc catalog | org.mindrot | Indirectly referenced from Titan and gremlin-groovy. Integer overflow in the crypt_raw method in the key-stretching implementation in jBCrypt before 0.4 makes it easier for remote attackers to determine cleartext values of password hashes via a brute-force attack against hashes associated with the maximum exponent. Mitigation: SDC code does not directly use this; it is used internally in our DB driver. An attacker will find it hard to pass all the SDC logic to get to the driver and try to attack it. | No action for Dublin. |
sdc catalog | org.elasticsearch | False positive. Elasticsearch Alerting and Monitoring in versions before 6.4.1 or 5.6.12 have an information disclosure issue when secrets are configured via the API. SDC does not configure secrets using the API. | No action for Dublin. Removing Elasticsearch in the next release will fix this issue. |
sdc catalog | javax.mail | False positive. JavaMail is vulnerable to Information Exposure. The method that causes it is not used in SDC. | No action for Dublin; will be removed next release. |
sdc catalog + onboarding | jQuery | False positive. Used as part of SDC automation only, not part of the deployed code. Comes from TestNG. | No action for Dublin. Next release we can try to upgrade the testing in the project. |
sdc catalog | dom4j | False positive. Comes with titan-core; no fix is available. Not used directly in SDC. Will be fixed once SDC moves from Titan to JanusGraph. SDC does not store XML files in Titan, and as such this is a non-issue, as we are not using this capability and are not exposing it. | No action in Dublin. |
sdc catalog | com.jcraft | False positive. The vulnerability occurs on Windows only. SDC is dockerised and uses Alpine (a Linux-based OS). | No action in Dublin. |
sdc catalog | stipsan/uikit | This dependency is used by Swagger and as such is part of the project. No version without a vulnerability is available. | No action in Dublin. As a mitigation, we will disable access to Swagger. |
sdc catalog + onboarding | com.google.guava | False positive. Guava exposes the application to serialization of objects without validation and would allow overloading the affected class; the classes that have this vulnerability, AtomicDoubleArray and CompoundOrdering, are not used in SDC. | No action in Dublin. A non-vulnerable version is available; will be addressed next release. |
sdc catalog | commons-fileupload | False positive. Comes from Portal SDK; not used by SDC directly. In SDC we are not using file upload as part of SDC. | No action in Dublin. PORTAL-528: Vulnerability Updates in Casablanca maintenance release (Closed) |
sdc catalog + onboarding | handlebars | Comes with Swagger. Exposes the application to cross-site scripting. | No action in Dublin. May be fixed by upgrading Swagger. |
sdc catalog | org.apache.ant | Comes as part of the cglib dependency used in SDC. The method in question is not directly used in SDC. As a mitigation, this is part of our tools package, which runs on deployment and then shuts down, so it is not always available. | No action in Dublin. |
sdc catalog | org.owasp.antisamy | False positive. Comes from Portal SDK; not used by SDC directly. Both issues are connected to cross-site scripting and injection of HTML; SDC does not use Portal SDK in a way that can impact us. | No action in Dublin. |
sdc catalog | org.owasp.esapi | False positive. Comes from Portal SDK; not used in SDC directly. | No action in Dublin. PORTAL-528: Vulnerability Updates in Casablanca maintenance release (Closed) |
sdc catalog | org.seleniumhq.selenium | False positive. Used as part of the SDC UI automation; not deployed in production. The vulnerability has no info in it. | No action in Dublin. |
sdc catalog + onboarding | handlebars | Is part of the Swagger used by the application. To mitigate this we will remove access to Swagger in the release. | No action in Dublin. |
sdc-titan-cassandra | | This repository is used in SDC as a dependency; it was forked from an open-source project that is no longer maintained. These issues are not addressed in the repo; we address them on consumption of the dependency in SDC. | |
sdc-titan-cassandra | org.codehaus.jackson | CVE-2017-7525 exposes the client to execution of malicious code by a user. sdc-titan-cassandra is the driver used by SDC to communicate with the graph representation stored in Cassandra. The driver used is internal to the application. | No action in Dublin. Move to JanusGraph in El Alto. |
sdc-titan-cassandra | com.fasterxml.jackson.core | CVE-2017-7525 exposes the client to execution of malicious code by a user. sdc-titan-cassandra is the driver used by SDC to communicate with the graph representation stored in Cassandra. The driver used is internal to the application. | No action in Dublin. Move to JanusGraph in El Alto. |
sdc-titan-cassandra | com.fasterxml.jackson.core | sdc-titan-cassandra is the driver used by SDC to communicate with the graph representation stored in Cassandra. The driver used is internal to the application. | No action in Dublin. Move to JanusGraph in El Alto. |
sdc-titan-cassandra | org.codehaus.groovy | False positive. CVE-2015-3253 exposes the application to DoS attack and execution of malicious code by passing serialized objects. The client receives specific objects for serialization. sdc-titan-cassandra is the driver used by SDC to communicate with the graph representation stored in Cassandra. The driver used is internal to the application, to support geo-redundancy. | No action in Dublin. Move to JanusGraph in El Alto. |
sdc-titan-cassandra | commons-collections | sdc-titan-cassandra is the driver used by SDC to communicate with the graph representation stored in Cassandra. The driver used is internal to the application. | No action in Dublin. Move to JanusGraph in El Alto. |
sdc-titan-cassandra | ch.qos.logback | False positive. CVE-2017-5929: sdc-titan-cassandra is the driver used by SDC to communicate with the graph representation stored in Cassandra. The driver used is internal to the application. | No action in Dublin. Move to JanusGraph in El Alto. |
sdc-titan-cassandra | org.hibernate | CVE-2017-7536: we do not use a security manager and as such are not vulnerable. sdc-titan-cassandra is the driver used by SDC to communicate with the graph representation stored in Cassandra. The driver used is internal to the application. | No action in Dublin. Move to JanusGraph in El Alto. |
sdc-titan-cassandra | io.netty | False positive. CVE-2015-2156: Netty is used inside the DB driver and a testing framework, both of which do not read cookies. CVE-2016-4970: used for testing and as a driver base; as such they are not accepting requests and will not be affected by DoS. sdc-titan-cassandra is the driver used by SDC to communicate with the graph representation stored in Cassandra. The driver used is internal to the application. | No action in Dublin. Move to JanusGraph in El Alto. |
sdc-titan-cassandra | org.apache.httpcomponents | False positive. The client is used for communication to the DB and the vulnerability is not applicable. | No action in Dublin. Move to JanusGraph in El Alto. |
sdc-titan-cassandra | com.google.guava | Addressed on consumption in SDC. | No action in Dublin. |
sdc-titan-cassandra | dom4j | Addressed on consumption in SDC. | No action in Dublin. |
sdc-titan-cassandra | org.mindrot | Addressed on consumption in SDC. | No action in Dublin. |
sdc-titan-cassandra | libthrift | Addressed on consumption in SDC. | No action in Dublin; move to JanusGraph in El Alto or: |
sdc-workflow-designer | com.fasterxml.jackson.core | False positive. No version with a fix is currently available. Workflow uses JSON marshaling to objects and is not serializing Java objects; as such the vulnerability is not applicable. | No action for Dublin. |
sdc-workflow-designer | org.codehaus.jackson | False positive. No version with a fix is currently available. Workflow uses JSON marshaling to objects and is not serializing Java objects; as such the vulnerability is not applicable. | No action for Dublin. |
sdc-workflow-designer | commons-beanutils | CVE-2014-0114 exposes the application to remote code execution by manipulating the class loader. All versions have vulnerabilities in them; waiting for a fix in future versions. Update the version of the dependency as soon as the security issue is fixed. Mitigated by the fact that you need access to the server class loader to use it. | No action in Dublin. SDC-2269: Beanutils - upgrade to 1.9.2 should be considered (Closed) |
sdc-workflow-designer | com.google.guava | False positive. Guava exposes the application to serialization of objects without validation and would allow overloading the affected class; the classes that have this vulnerability, AtomicDoubleArray and CompoundOrdering, are not used in workflow. | No action in Dublin. |
sdc-workflow-designer | org.springframework | False positive. We do not serve static pages using Spring. | No action in Dublin. |
dcae-ds | | While fixing the vulnerabilities, an issue was identified in Spring Boot that does not allow us to upgrade to the latest version. As such, we had to roll back to the original version, and with it we received back a lot of security issues. As a mitigation, the only option is to disable DCAE_DS in case the user has security concerns regarding its vulnerabilities. This can be done by changing the Helm charts to not start it. This will still allow the user to use SDC but without the monitoring studio. | |
sdc-dcae-d-ci | com.fasterxml.jackson.core | False positive. This is part of the automation and is not deployed. | No action in Dublin. No version is available that fixes this issue. |
sdc-dcae-d-ci | com.google.guava | False positive. This is part of the automation and is not deployed. | No action in Dublin. |
sdc-dcae-d-dt-be-main | ch.qos.logback | False positive. We do not use Logback to serialize information received from a socket. | No action in Dublin. |
sdc-dcae-d-dt-be-main | com.fasterxml.jackson.core | False positive. No version with a fix is currently available. DCAE-DS uses JSON marshaling to objects and is not serializing Java objects; as such the vulnerability is not applicable. | No action in Dublin. No version is available that fixes this issue. |
sdc-dcae-d-dt-be-main | com.google.guava | False positive. Guava exposes the application to serialization of objects without validation and would allow overloading the affected class; the classes that have this vulnerability, AtomicDoubleArray and CompoundOrdering, are not used in SDC. | No action in Dublin. |
sdc-dcae-d-dt-be-main | commons-beanutils | CVE-2014-0114 exposes the application to remote code execution by manipulating the class loader. All versions have vulnerabilities in them; waiting for a fix in future versions. Update the version of the dependency as soon as the security issue is fixed. Mitigated by the fact that you need access to the server class loader to use it. | No action in Dublin. SDC-2269: Beanutils - upgrade to 1.9.2 should be considered (Closed) |
sdc-dcae-d-dt-be-main | org.apache.tomcat.embed | False positive. DCAE-DS does not use Tomcat; it is just part of Spring Boot. | No action in Dublin. |
sdc-dcae-d-dt-be-main | org.apache.tomcat.embed | False positive. DCAE-DS does not use Tomcat; it is just part of Spring Boot. | No action in Dublin. |
sdc-dcae-d-dt-be-main | org.springframework | The | No action in Dublin. |
sdc-dcae-d-dt-be-main | org.springframework | False positive. We do not use Spring Messaging and as such are not exposed to this issue. | No action in Dublin. |
sdc-dcae-d-dt-be-main | org.springframework | CVE-2018-15756: false positive, as we do not use Spring to serve static pages. CVE-2018-11039: Spring Framework is vulnerable to Cross-Site Tracing (XST) attacks. CVE-2018-11040: the configuration causing this is not enabled in the application, and as such we are not impacted. | No action in Dublin. |
sdc-dcae-d-dt-be-main | org.springframework | CVE-2018-11040: the configuration causing this is not enabled in the application, and as such we are not impacted. CVE-2018-1271: false positive; the issue applies when serving pages from a Windows file system. This is not an issue as we are running inside a Docker container whose OS is Linux. | No action in Dublin. |
sdc-dcae-d-dt-be-property | com.google.guava | False positive. Guava exposes the application to serialization of objects without validation and would allow overloading the affected class; the classes that have this vulnerability, AtomicDoubleArray and CompoundOrdering, are not used. | No action in Dublin. |
sdc-dcae-d-fe | ch.qos.logback | False positive. We do not use Logback to serialize information received from a socket. | No action in Dublin. |
sdc-dcae-d-fe | com.google.guava | False positive. Guava exposes the application to serialization of objects without validation and would allow overloading the affected class; the classes that have this vulnerability, AtomicDoubleArray and CompoundOrdering, are not used. | No action in Dublin. |
sdc-dcae-d-fe | org.eclipse.jetty | This dependency exposes the application to HTTP request smuggling. There is no mitigation available. The dependency comes with Spring Boot; the latest versions include a bug that does not allow us to upgrade this. | No action in Dublin. |
sdc-dcae-d-fe | org.eclipse.jetty | The | No action in Dublin. |
sdc-dcae-d-fe | org.springframework | The | No action in Dublin. |
sdc-dcae-d-fe | org.springframework | False positive. We do not use Spring Messaging and as such are not exposed to this issue. | No action in Dublin. |
sdc-dcae-d-fe | org.springframework | CVE-2018-15756: false positive, as we do not use Spring to serve static pages. CVE-2018-11039: Spring Framework is vulnerable to Cross-Site Tracing (XST) attacks. CVE-2018-11040: the configuration causing this is not enabled in the application, and as such we are not impacted. | No action in Dublin. |
sdc-dcae-d-fe | org.springframework | CVE-2018-11040: the configuration causing this is not enabled in the application, and as such we are not impacted. CVE-2018-1271: false positive; the issue applies when serving pages from a Windows file system. This is not an issue as we are running inside a Docker container whose OS is Linux. | No action in Dublin. |
sdc-dcae-d-dt | angular | Angular exposes the application to a cross-site scripting vulnerability. There is no fix available in any Angular version. | No action in Dublin. |
sdc-dcae-d-dt | bootstrap 3.3.4 | Bootstrap exposes the application to a cross-site scripting vulnerability. There is no fix available in any Bootstrap version. | No action in Dublin. |
sdc-dcae-d-dt | ch.qos.logback | False positive. We do not use Logback to serialize information received from a socket. | No action in Dublin. |
sdc-dcae-d-dt | com.fasterxml.jackson.core | False positive. No version with a fix is currently available. DCAE-DS uses JSON marshaling to objects and is not serializing Java objects; as such the vulnerability is not applicable. | No action in Dublin. |
sdc-dcae-d-dt | com.google.guava | False positive. Guava exposes the application to serialization of objects without validation and would allow overloading the affected class; the classes that have this vulnerability, AtomicDoubleArray and CompoundOrdering, are not used. | No action in Dublin. |
sdc-dcae-d-dt | jquery | jQuery exposes the application to a cross-site scripting vulnerability. | No action in Dublin. |
sdc-dcae-d-dt | org.eclipse.jetty | This dependency exposes the application to HTTP request smuggling. There is no mitigation available. The dependency comes with Spring Boot; the latest versions include a bug that does not allow us to upgrade this. | No action in Dublin. |
sdc-dcae-d-dt | org.eclipse.jetty | The | No action in Dublin. |
sdc-dcae-d-dt | org.springframework | The | No action in Dublin. |
sdc-dcae-d-dt | org.springframework | False positive. We do not use Spring Messaging and as such are not exposed to this issue. | No action in Dublin. |
sdc-dcae-d-dt | org.springframework | CVE-2018-15756: false positive, as we do not use Spring to serve static pages. CVE-2018-11039: Spring Framework is vulnerable to Cross-Site Tracing (XST) attacks. CVE-2018-11040: the configuration causing this is not enabled in the application, and as such we are not impacted. | No action in Dublin. |
sdc-dcae-d-dt | org.springframework | CVE-2018-11040: the configuration causing this is not enabled in the application, and as such we are not impacted. CVE-2018-1271: false positive; the issue applies when serving pages from a Windows file system. This is not an issue as we are running inside a Docker container whose OS is Linux. | No action in Dublin. |