Dublin Portal Platform Security/Vulnerability Report

This table represents the known exploitable and non-exploitable vulnerabilities in third party packages used in the project.

High-level mitigation plan:

Regarding known issues like “DOS, Remote Code Execution (RCE), CORS attack, HTTP request smuggling”, the Portal’s code is not exposing these vulnerabilities directly due to many layers of encapsulation by APIs, so these are most likely false positives reported by NexusIQ scan, however to be on safe side the mitigation plan is to deploy Portal platform in a secure environment e.g. in private network inside the company firewall.

RepositoryGroupImpact AnalysisAction
portal

com.fasterxml.jackson.core

False positive.

Analysis: This vulnerability is not exposed from the portal’s code, because

  1. The portal does not pass any untrusted data for deserialization, as there is XSS/XSRF validation enabled in the portal’s backend code.
  2. and the default typing (ObjectMapper.setDefaultTyping()) is not called as we use concrete java types.
  3. and we use Spring Security 4.2.3 as recommended in the nexus-iq report.


Spring version 4.2.3 will take care of this.

Comments from Nexus-IQ: Spring Security has provided their own fix for this vulnerability (CVE-2017-4995). If this component is being used as part of Spring Security, then you are not vulnerable if you are running Spring Security 4.2.3.RELEASE or greater for 4.x or Spring Security 5.0.0.M2 or greater for 5.x.


Not vulnerable in ONAP

portal

moments

All available versions of moment.js are vulnerable. Upgrade is not an option.

Analysis: Not vulnerable as all our date fields are reformatted and validated before being submitted. See below

CVE 185 information: The moment package is vulnerable to Regular Expression Denial of Service (ReDoS). The monthsShortRegex(),monthsRegex(),weekdaysRegex(),weekdaysShortRegex(), and weekdaysMinRegex() functions in the moment.js, moment-with-locales.js, and regex.js files use a vulnerable regular expression while parsing the date input. A remote attacker can exploit this vulnerability by crafting a date input containing a very long sequence of repetitive characters which, when parsed, consumes available CPU resources and results in Denial Of Service.   PORTAL-531 - Getting issue details... STATUS

upgrade to moment  2.11.2+
portal, portal-sdkorg.elasticsearch
Description from CVEElasticsearch Alerting and Monitoring in versions before 6.4.1 or 5.6.12 have an information disclosure issue when secrets are configured via the API. The Elasticsearch _cluster/settings API, when queried, could leak sensitive configuration information such as passwords, tokens, or usernames. This could allow an authenticated Elasticsearch user to improperly view these details.Explanation

elasticsearch is vulnerable to Information Disclosure. The renderResponse() method in the RestClusterGetSettingsAction class fails to filter certain settings from the ClusterGetSettingsResponse object, and consequently exposes potentially sensitive information via the /_cluster/settings API endpoint. A remote authenticated attacker can exploit this vulnerability by sending a request to the affected cluster endpoint. This will result in the exposure of any sensitive information contained therein. See Jira ticket: PORTAL-532  PORTAL-532 - Getting issue details... STATUS

upgrade of Elasticsearch Alerting and Monitoring to versions after 6.4.1 or 5.6.12
portal, portal-sdk

angular


Analysis: Cannot upgrade angular as this will require changes on all the Portal pages.

From our analysis the vulnerability cannot be exploited because the portal application follows the below design recommendations provided by nexus-iq report.

Recommendation by nexus-iq for this vulnerability (SONATYPE-2016-0064): 

It's best to design your application in such a way that users cannot change client-side templates.

  • Do not mix client and server templates
  • Do not use user input to generate templates dynamically
  • Do not run user input through $scope.$eval (or any of the other expression parsing functions listed above)
  • Consider using {@link ng.directive:ngCsp CSP} (but don't rely only on CSP)

Not vulnerable in ONAP


portal, portal-sdk

angular-sanitize 1.5.0,

Angularjs

Explanation

AngularJS is vulnerable to Cross-Site Scripting (XSS). The $SanitizeProvider() function in the sanitize.js file doesn't account for user input within the xml:base attribute SVG anchors. A remote attacker can exploit this vulnerability by injecting malicious JavaScript into the xml:baseattribute, which results in script execution when rendered by the browser.

Detection

The application is vulnerable by using this component only when enableSvg is enabled, and when using Firefox. By default, the svgEnabled is set to false in 1.5+ versions.   PORTAL-533 - Getting issue details... STATUS

We will perform the upgrade along with angular.js.  in further versions by default, the svgEnabled is set to false, so upgrade should be considered to 1.5+.
portal, portal-sdkangular-ui-grid 3.0.7Explanation

The ui-grid package is susceptible to CSV Macro Injection. The exporter.js file quotes strings in double quotes when exporting to CSV files. An attacker could potentially exploit this behavior by injecting a macro command into a cell in a spreadsheet, having a victim export that spreadsheet as a CSV and loading it into a local copy of Microsoft Excel, at which point the macro can execute arbitrary commands against the victim's computer.

Advisory Deviation Notice: The Sonatype security research team discovered that the vulnerability is present from version 3.0.0-rc.1 onward, and that the attack can take place as described in the associated issue, despite quoting strings on export.

Not vulnerable in ONAP

We are not using any export feature from angular-ui-grid.

portalorg.webjars.bower 
Explanation

The AngularJS framework is vulnerable to Remote Code Execution (RCE) and Cross-Site Scripting (XSS). The ensureSafeAssignContext() function in parse.js processes malicious expressions that access the constructors. A remote attacker can exploit this vulnerability by crafting malicious expressions that, when processed, result in execution of arbitrary code.

Recommendation

Each version of Angular 1 up to, but not including 1.6, contained an expression sandbox, which reduced the surface area of the vulnerability but never removed it. In Angular 1.6 we removed this sandbox as developers kept relying upon it as a security feature even though it was always possible to access arbitrary JavaScript code if one could control the Angular templates or expressions of applications.

Control of the Angular templates makes applications vulnerable even if there was a completely secure sandbox:  PORTAL-533 - Getting issue details... STATUS

Should be the same comments as for angular.js. We will p

erform the upgrade along with angular.js.

portalcommons-beanutils

All available versions of common-beanutils are vulnerable. Upgrade is not an option.

Analysis: The portal code do not use classloader so it is not vulnerable in ONAP.

CVE CWE: 20
Description from CVE
Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1.

Not vulnerable in ONAP
portal-sdkorg.apache.poi

Analysis: Not vulnerable as we do not use POI to read documents. We use only to generate XLS from our own data.

CVE CWE:399:

Apache POI in versions prior to release 3.17 are vulnerable to Denial of Service Attacks: 1) Infinite Loops while parsing crafted WMF, EMF, MSG and macros (POI bugs 61338 and 61294), and 2) Out of Memory Exceptions while parsing crafted DOC, PPT and XLS (POI bugs 52372 and 61295).

PORTAL-446 - Getting issue details... STATUS

Not vulnerable in ONAP

portal,

portal-sdk

org.springframework

The impact of the springframework library is all over the project. So have to be very careful in upgrading the versions.

At least trying to resolve the multiple version use in Dublin - PORTAL-423 - Getting issue details... STATUS

Request exception

portal,

portal-sdk

io.netty : netty-handler : 4.0.56.Final

Not clear what is the issue based on the Nexus IQ report information.

  PORTAL-534 - Getting issue details... STATUS

Need to upgrade to version 4.1.10.final+

portal, portal-sdkcommons-fileupload

If not false positive, can be handled with the new version upgrade which do not have vulnerability.

PORTAL-443 - Getting issue details... STATUS


Explanation

Apache Commons FileUpload contains a resource leak which may lead to a Denial of Service (DoS) attack.

Target fix in Dublin release
portal-sdkxerces

There is no non vulnerable version of this package.

PORTAL-445 - Getting issue details... STATUS


Explanation

Apache Xerces2 is vulnerable to a Denial of Service (DoS) attack.

Request exception
portal-sdkbootstrapThere is no non vulnerable version of this package.Request exception

portal,

portal-sdk

org.bouncycastle

If not false positive, can be handled with the new version upgrade which do not have vulnerability.

PORTAL-444 - Getting issue details... STATUS

Explanation

Bouncy Castle is vulnerable to Remote Code Execution (RCE).


we will try to handle them in Dublin release based on the resource availability and priority
portalorg.codehaus.groovy

If not false positive, can be handled with the new version upgrade which do not have vulnerability.

PORTAL-447 - Getting issue details... STATUS

Explanation

Groovy is vulnerable to insecure deserialization leading to Remote Code Execution (RCE).


we will try to handle them in Dublin release based on the resource availability and priority
portal

org.eclipse.jetty

jetty-util

If not false positive, can be handled with the new version upgrade which do not have vulnerability.

PORTAL-448 - Getting issue details... STATUS

Explanation

Eclipse Jetty Server is vulnerable to HTTP request smuggling.


we will try to handle them in Dublin release based on the resource availability and priority;

Will upgrade to 9.2.14.v20151106: or will disable http1.1


portal

org.apache.tomcat.embed

There is no non vulnerable version of this component/package.

PORTAL-449 - Getting issue details... STATUS

Explanation

Apache Tomcat is vulnerable to a Cross-Origin attack due to the insecure default configuration of the CORS filter.


The configuration for CorsFilter needs to change. We will change the urlPattern in web.xml for CorsFilter from * to *onap*
portalorg.apache.cxf

False positive

We do not use the below code, which is vulnerable.

System.setProperty("java.protocol.handler.pkgs", "com.sun.net.ssl.internal.www.protocol");

PORTAL-450 - Getting issue details... STATUS

Not Vulnerable
portalorg.hibernate

If not false positive, can be handled with the new version upgrade which do not have vulnerability.

PORTAL-441 - Getting issue details... STATUS

Explanation

The Hibernate Validator (HV) package is vulnerable to a privilege escalation vulnerability.


we will try to handle them in Dublin release based on the resource availability and priority

portal,

portal-sdk

com.mchange 

c3p0-0.9.5.2.jar The c3p0 component is vulnerable to XML eXternal Entity (XXE) attacks. PORTAL-535 - Getting issue details... STATUS

Will upgrade to 0.9.5.3. Dublin +
portalpostgresql-9.1-901-1.jdbc4.jar
Description from CVEA weakness was found in postgresql-jdbc before version 42.2.5. It was possible to provide an SSL Factory and not check the host name if a host name verifier was not provided to the driver. This could lead to a condition where a man-in-the-middle attacker could masquerade as a trusted server by providing a certificate for the wrong host, as long as it was signed by a trusted CA.Explanation

The postgresql package is vulnerable to Man-in-the-Middle (MitM) attacks. When using a non-default SSL Factory, the postgresql jdbc doesn't validate the hostname of SSL certificates. An attacker can potentially exploit this behavior to perform a MitM attack.   PORTAL-536 - Getting issue details... STATUS

Remove this lib. May not be used anymore.

portal,

portal-sdk

dom4j
Description from CVEdom4j version prior to version 2.1.1 contains a CWE-91: XML Injection vulnerability in Class: Element. Methods: addElement, addAttribute that can result in an attacker tampering with XML documents through XML injection. This attack appear to be exploitable via an attacker specifying attributes or elements in the XML document. This vulnerability appears to have been fixed in 2.1.1 or later.Explanation

The dom4j package is vulnerable to XML Injection. The QName() function in the QName class file does not properly sanitize the QName input attribute value(s). A remote attacker can exploit this vulnerability by injecting an XML object that contains arbitrary code in the element and attribute names, hence leading to XML Injection. PORTAL-537 - Getting issue details... STATUS

Need to upgrade to version  2.1.1  

portal,

portal-sdk

org.apache.wicket

Description from CVE
The DiskFileItem class in Apache Wicket 6.x before 6.25.0 and 1.5.x before 1.5.7 allows remote attackers to cause a denial of service (infinite loop) and write to, move, and delete files with the permissions of DiskFileItem, and if running on a Java VM before 1.3.1, execute arbitrary code via a crafted serialized Java object.

  PORTAL-538 - Getting issue details... STATUS


Need to upgrade to Apache Wicket 6.25.0

portal,

portal-sdk

jquery 2.2.4
Explanation

The jQuery package is vulnerable to Cross-Site Scripting (XSS). The parseHTML() function in the parseHTML.jsjquery.js files allow JavaScript to be executed immediately when it's embedded within the event attributes. An attacker can exploit this vulnerability by injecting malicious JavaScript containing events handlers which, when rendered, results in the execution of arbitrary script.   PORTAL-539 - Getting issue details... STATUS

Need to upgrade to 3.2.0+
portal-sdkjQuery 1.4.2
Explanation

The jQuery package is vulnerable to Cross-Site Scripting (XSS). The parseHTML() function in the parseHTML.jsjquery.js files allow JavaScript to be executed immediately when it's embedded within the event attributes. An attacker can exploit this vulnerability by injecting malicious JavaScript containing events handlers which, when rendered, results in the execution of arbitrary script.   PORTAL-540 - Getting issue details... STATUS

Need to upgrade to  2.0.0

portal,

portal-sdk

org.webjars bootstrap
Description from CVEIn Bootstrap before 4.1.2, XSS is possible in the data-container property of tooltip.Explanation

The bootstrap package is vulnerable to Cross-Site Scripting (XSS). The show() function in the tooltip.js file allows HTML and scripts in the data-container tooltip attribute values in the DOM elements without proper sanitization. This can be misused to cause XSS.   PORTAL-541 - Getting issue details... STATUS

Need to upgrade to 4.1.3

portal,

portal-sdk

org.owasp.esapi
Description from CVEThe authenticated-encryption feature in the symmetric-encryption implementation in the OWASP Enterprise Security API (ESAPI) for Java 2.x before 2.1.0.1 does not properly resist tampering with serialized ciphertext, which makes it easier for remote attackers to bypass intended cryptographic protection mechanisms via an attack against the intended cipher mode in a non-default configuration, a different vulnerability than CVE-2013-5679.Explanation

An attacker can manipulate the cipher transformation (e.g., changing the cipher mode from CBC to OFB or padding scheme) to adverse effect.

Not vulnerable in ONAP

ESAPI symmetric crypto  is not being used in Portal.

portal,

portal-sdk

org.apache.zookeeper

zookeeper is being used in MUSIC. MUSIC team will be removing this in the next version and Portal will upgrade when it is released. Code changes will be required to integrate with the latest version.  PORTAL-576 - Getting issue details... STATUS

Need to upgrade to the latest MUSIC 3.2.x version and incorporate the changes in code. Will need resource help.

portal,

portal-sdk

org.owasp.antisamy

Description from CVEOWASP AntiSamy before 1.5.7 allows XSS via HTML5 entities, as demonstrated by use of : to construct a javascript: URL.Explanation

AntiSamy is vulnerable to Cross-Site Scripting (XSS). The package uses an HTML serializer that doesn't take HTML5 entities into consideration, such as :(, and ). An attacker can exploit this to inject JavaScript into the context of the page.   PORTAL-542 - Getting issue details... STATUS

Need to upgrade to version 1.5.7+

portal org.thymeleaf
In XHTML environments, a similar issue could appear if XHTML escapes are used inside literals. When browsers are operating in XHTML mode (Content-Type: application/xhtml+xml), they will apply these XHTML escapes before processing the script, so these escapes could be used for closing the literal and even the <script> tag:
<script>
  var value = "This is a value&#x22;+[SOME_INJECTED_CODE]+&#x22;";
</script>

The most adequate way to avoid this and make JSON, JavaScript and CSS literal escapes safe to be used both in HTML and XHTML scenarios is to always escape not only /, but also the &. So the result of the above would be something like:  PORTAL-577 - Getting issue details... STATUS

Upgrading to latest version of spring-boot-starter-thymeleaf
portalorg.springframework.security.oauth

Spring Security Oauth2 is vulnerable to Remote Code Execution. By supplying a string such as ${T(java.lang.Runtime).getRuntime().exec(""ls"")} as the value for the scope authorization parameter,
Spring Security OAuth, versions 2.3 prior to 2.3.4, and 2.2 prior to 2.2.3, and 2.1 prior to 2.1.3, and 2.0 prior to 2.0.16, and older unsupported versions could be susceptible to a privilege escalation under certain conditions. A malicious user or attacker can craft an authorization request to the authorization endpoint that can lead to remote code execution when the resource owner is forwarded to the approval endpoint.


We are not vulnerable to this kind of attack because Portal does not act as an authorization server via @EnableAuthorizationServer decoration

Not vulnerable in ONAP.

Portal does not act as authorization server via @EnableAuthorizationServer decoration

portalorg.springframework.security

Spring Security is vulnerable to Privilege Escalation. The requiresSwitchUser() and requiresExitUser() methods of the SwitchUserFilter class return true for all URLs ending in the switch user path. A remote attacker can exploit this behavior by appending the switch user path to a URL to change the attacker's privilege level.


We do not use SwitchUserFilter. In-fact we have our own mechanism to authorize the user via DB configuration.

Not vulnerable in ONAP. 


spring-security-web is not used to authorize the users. 

portalorg.springframework.security

Insecure randomness vulnerability when using SecureRandomFactoryBean#setSeed to configure a SecureRandom instance.

We do not use SecureRandomFactoryBean. 

Not vulnerable in ONAP. 


SecureRandomFactoryBean is not used in any random number generation.

portalorg.springframework.security

Does not consider URL path parameters when processing security constraints. By adding a URL path parameter with special encodings, an attacker may be able to bypass a security constraint.

We use our own filtering to allow / disallow access to the URLs based on Restricted URL table.

Not vulnerable in ONAP.

spring-security-config is not used in for any URL restriction

portalorg.springframework.data

Derived queries using any of the predicates ?startingWith?, ?endingWith? or ?containing? could return more results than anticipated when a maliciously crafted query parameter value is supplied.

The getPredicates() method of the QueryByExamplePredicateBuilder class does not properly escape wildcards in fields when processing the predicate options STARTING, ENDING, and CONTAINING.  PORTAL-605 - Getting issue details... STATUS


Need to upgrade spring-data-jpa to version  1.11.20.RELEASE

portalorg.springframework.data

Spring Data Commons is vulnerable to Remote Code Execution (RCE). The setPropertyValuefunction in the MapDataBinder class does not properly restrict SpEL expression evaluation.

By creating a nested path (i.e. foo.bar.foo.bar) using the PropertyPath constructor (which is invoked in other functions in the PropertyPath class) an attacker can cause the application to crash due to memory exhaustion.  PORTAL-606 - Getting issue details... STATUS

Need to upgrade to upgrade to 2.1.6-RELEASE.

portal

portal-sdk

org.springframework

Spring Framework is vulnerable to a Directory Traversal attack. The doInclude() method in ResourceServlet.class allows ../ (dot dot slash) in the resource path in the request URI. We are not vulnerable to this attack as we do not use ResourceServlet.

Allows web applications to enable cross-domain requests via JSONP (JSON with Padding) through AbstractJsonpResponseBodyAdvice for REST controllers, and MappingJackson2JsonView for browser requests. We are not vulnerable to this attack because we do not use MappingJackson2JsonView.

Spring WebMVC is vulnerable to Path Traversal when configured to serve static resources from a Windows file system. We are not vulnerable to this attack because portal is not meant to run in a windows environment.


Not vulnerable in ONAP as 

We do not use ResourceServlet.

We do not use MappingJackson2JsonView.

We do not run Portal in windows environment

portal 

portal-sdk

org.springframework

The Spring Framework is vulnerable to Denial of Service (DoS). The toResourceRegions() and parseRanges() methods in the HttpRange class process range requests with a large number of extensive ranges which can overlap causing additional resource consumption.

Spring Framework is vulnerable to Cross-Site Tracing (XST) attacks. The HiddenHttpMethodFilterclass lets an attacker change the HTTP request method to TRACE.

Allows web applications to enable cross-domain requests via JSONP (JSON with Padding) through AbstractJsonpResponseBodyAdvice for REST controllers, and MappingJackson2JsonView for browser requests. We are not vulnerable to this attack because we do not use MappingJackson2JsonView.  PORTAL-607 - Getting issue details... STATUS

Need to upgrade to 4.3.23-RELEASE

portal

portal-sdk

org.springframework

The getMethods() method in the ReflectiveMethodResolver class, the canWrite method in the ReflectivePropertyAccessor class, and the filterSubscriptions() method in the DefaultSubscriptionRegistry class do not properly restrict SpEL expression evaluation.

The getValueInternal() method in the OperatorMatches class lacks a threshold at which to limit regular expression evaluation.   PORTAL-608 - Getting issue details... STATUS


Need to upgrade spring-webmvc to 4.3.23-RELEASE
portalorg.apache.tomcat.embed

The connectToServerRecursive and createSSLEngine methods in WsWebSocketContainer.javathat are used by the WebSockets client do not validate the hostname of SSL certificates.  PORTAL-609 - Getting issue details... STATUS

Need to upgrade spring-boot-starter-web from 1.4.2.RELEASE to 1.5.20.RELEASE

portal 

portal-sdk

org.apache.poi

 1) Infinite Loops while parsing crafted WMF, EMF, MSG and macros (POI bugs 61338 and 61294), and 2) Out of Memory Exceptions while parsing crafted DOC, PPT and XLS (POI bugs 52372 and 61295)

Apache POI is prone to denial of service(DoS) attacks as the UnhandledDataStructure method in UnhandledDataStructure.java allocates unbounded arbitrary amounts of memory while processing arrays in Channel Definition Format (CDF) and Compound File Binary Format (CFBF) documents causing OutOfMemoryError exception and destabilization of the whole Java Virtual Machine instance.

Apache POI is prone to a denial of service (DoS) vulnerability as the HSLFSlideShow class implementation does not properly handle certain PPT files. 


We use only to generate XLS from our own data and do not use POI to parse files.

Not vulnerable in ONAP.
portalorg.apache.cxf

Vulnerable to Regular Expression Denial of Service (ReDoS). The readLine()function in the AttachmentDeserializer class and get() function in the MessageContextImplclass do not limit the size of the attachment header and the ContentDisposition() function in the ContentDisposition class uses an improper regular expression to parse the content-disposition header.  PORTAL-610 - Getting issue details... STATUS

Need to upgrade to 3.2.6
portalorg.apache.cxf

Vulnerable to Regular Expression Denial of Service (ReDoS). The readLine()function in the AttachmentDeserializer class and get() function in the MessageContextImplclass do not limit the size of the attachment header and the ContentDisposition() function in the ContentDisposition class uses an improper regular expression to parse the content-disposition header.

When the handleMessage()method in the StaxInInterceptor class receives a request with Content-Type: text/htmlheader to a SOAP endpoint, it will generate an error using data from that request.  PORTAL-611 - Getting issue details... STATUS

CVE-2017-12624 can be fixed by upgrading cxf-core to 3.2.6. No known solution for CVE-2014-0109
portalognl

The Object-Graph Navigation Language (OGNL) is vulnerable to a Denial of Service (DoS) as it uses an improper implementation of the cache used to store method references. getGetMethod() and getSetMethod() in OgnlRuntime.java contain performance issues that may be leveraged to conduct DoS attacks.  PORTAL-612 - Getting issue details... STATUS

The dependency comes from spring-boot-starter-thymeleaf. Need to upgrade to a newer version

portal

portal-sdk

commons-codec

The Apache commons-codec package contains an Improper Input Validation vulnerability. The decode() method in the Base32, Base64, and BCodec classes fails to reject malformed Base32 and Base64 encoded strings and consequently decodes them into arbitrary values.   PORTAL-615 - Getting issue details... STATUS




portalcom.squareup.okhttp3

CertificatePinner.java in OkHttp 3.x through 3.12.0 allows man-in-the-middle attackers to bypass certificate pinning by changing SSLContext and the boolean values while hooking the application. 

The getCandidate() method in the CacheStrategy$Factory class fails to accommodate for non-ASCII characters within the ETagheader.

We will not use consul in post dublin release.  PORTAL-613 - Getting issue details... STATUS

Remove usage of the parent dependency com.orbitz.consul
portalcom.alibaba

The fastjson package is vulnerable to Remote Code Execution. The package uses the default class loader for multiple classes, which does not check for the presence of malicious characters in the user input.


We will not use this post dublin release.  PORTAL-614 - Getting issue details... STATUS

Remove usage of fastjson