Casablanca SDC Security/Vulnerability Report
This table lists the known exploitable and non-exploitable vulnerabilities in third-party packages used in the project.
Repository | Group | Impact Analysis | Action | Notes |
---|---|---|---|---|
sdc-sdc-tosca | ||||
sdc-sdc-tosca | com.fasterxml.jackson.core | False positive. The library is part of the sdcTosca parser, which is used as a library. The parser only runs on predefined objects and will not attempt to run on an object that was not validated. The parser is protected by the application using it, and the information supplied comes from the using application. There is no non-vulnerable version of this component. | No Action in Casablanca. | No version is available that fixes this issue. |
sdc-sdc-tosca | com.google.guava | False positive. Guava exposes the application to serialization of objects without validation and would allow overloading the classes which have this vulnerability; AtomicDoubleArray and CompoundOrdering are not used in SDC. | No Action in Casablanca. | |
sdc | ||||
sdc catalog | org.apache.lucene | False positive. The dependency comes from Elasticsearch (xercesImpl); as such the vulnerability is not affecting the application. There is no non-vulnerable version of this component. | No Action for Casablanca | In Dublin we plan to remove ES from the application, so this will be removed. |
sdc onboarding | io.springfox | The dependency is part of swagger. We will try to fix it by upgrading the version used. The vulnerabilities are connected to cross-site scripting. We were not able to identify the location of this issue; based on our review, in CLM it is located in openecomp-be/tools/swagger-ui/target/api-docs, however no such thing exists in that swagger jar. As a mitigation, we will not package swagger in the release artifact. | SDC-1713: fix security violation SONATYPE-2016-0065 (Closed) | |
sdc catalog + onboarding | org.codehaus.jackson | False positive. Used inside the Titan client; all operations coming there have passed a set of logic and serialization before reaching it. This is not exposed outside to users. No version with a fix is currently available. 1.9.2 is not directly referenced but comes from Titan DB. | No Action for Casablanca | |
sdc catalog + onboarding | com.fasterxml.jackson.core | False positive. No version with a fix is currently available. SDC serializes objects based on existing classes only. | No action in Casablanca. | |
sdc onboarding + catalog | org.beanshell | False positive. The vulnerability exposes the application to remote code execution based on serializing objects with executable code. All versions have vulnerabilities in them; waiting for a fix in future versions. SDC does not use Java serialization for converting objects. | No action in Casablanca. Waiting for a stable release. | |
sdc catalog | io.netty | False positive. Used as part of the automation used in SDC; comes from the selenium-java dependency. | No action in Casablanca | Will be upgraded next release |
sdc catalog + onboarding | io.netty | No information is provided in the vulnerability. | No action in Casablanca | There is not enough information to provide an assessment. Once more information is available it will be reviewed again. |
sdc catalog + onboarding | commons-beanutils | Exposes the application to remote code execution by manipulating the class loader. All versions have vulnerabilities in them; waiting for a fix in future versions. The issue is that the class loader can be manipulated to load additional classes to execute code. Can be mitigated by not allowing access to the machine where SDC is running. | No action in Casablanca. Update the version of the dependency as soon as the security issue is fixed. | |
sdc catalog | org.bouncycastle | False positive. Comes from selenium-server, which is included and used in an automation project and is not actually deployed as part of SDC. | No action for Casablanca. | |
sdc catalog | xerces | False positive. Comes from selenium-java, which is included and used in an automation project and is not actually deployed as part of SDC. | No action for Casablanca. | |
sdc catalog | org.apache.poi | False positive. Part of the sdctool used for migration and schema creation; not part of the BE logic. No DoS attack is possible against this. No newer version is available. | No action in Casablanca; the dependency is no longer being actively developed. We will consider removing this in the future. | |
sdc catalog | swagger-ui | SDC has two swaggers: one for external APIs, protected by basic authentication; the second for our internal APIs, and it is exposed. The vulnerability is that the swagger UI is exposed to cross-site scripting. Mitigation: we will close access to it in the release until it is handled. | No action for Casablanca | Changing the use of swagger requires a major change to all the annotations we have; this will not be done in Casablanca. |
sdc onboarding + catalog | org.testng | False positive. This is a testing framework used in SDC and is not part of the deployment; it is used for automation and unit test execution only. | No action for Casablanca | |
sdc onboarding + catalog | org.springframework | False positive, SDC does not serve static pages using Spring. | No action for Casablanca | |
sdc catalog | org.mindrot | Indirectly referenced from Titan and gremlin-groovy. Integer overflow in the crypt_raw method in the key-stretching implementation in jBCrypt before 0.4 makes it easier for remote attackers to determine cleartext values of password hashes via a brute-force attack against hashes associated with the maximum exponent. Mitigation: SDC code does not directly use this; it is used internally in our DB driver. An attacker will find it hard to pass all the SDC logic to get to the driver and try to attack it. | No action for Casablanca | |
sdc catalog | org.elasticsearch | False positive. Elasticsearch Alerting and Monitoring in versions before 6.4.1 or 5.6.12 have an information disclosure issue when secrets are configured via the API. SDC does not configure secrets using the API. | No action for Casablanca | SDC plans to remove Elastic in the Dublin release, which will fix this issue. |
sdc catalog | javax.mail | False positive. JavaMail is vulnerable to Information Exposure; the method that causes it is not used in SDC. | No action for Casablanca | Will be removed next release |
sdc catalog + onboarding | jQuery | False positive. Used as part of SDC automation only, not part of the deployed code; comes from TestNG. | No action for Casablanca | Next release we can try to upgrade the TestNG in the project. |
sdc catalog | dom4j | False positive. Comes with titan-core; no fix is available. Not used directly in SDC; will be fixed once SDC moves from Titan to JanusGraph. SDC does not store XML files in Titan and as such this is a non-issue, as we are not using this capability and are not exposing it. | No action in Casablanca. | |
sdc catalog | com.jcraft | False positive. The vulnerability occurs on Windows only; SDC is dockerised and uses Alpine (a Linux-based OS). | No action in Casablanca. | |
sdc catalog | stipsan | This dependency is used by swagger and as such is part of the project. No version without a vulnerability is available. | No action in Casablanca. | As a mitigation, we will disable access to the swagger. |
sdc catalog + onboarding | com.google.guava | False positive. Guava exposes the application to serialization of objects without validation and would allow overloading the classes which have this vulnerability; AtomicDoubleArray and CompoundOrdering are not used in SDC. | No action in Casablanca. | A non-vulnerable version is available; will be addressed next release. |
sdc catalog | commons-fileupload | False positive. Comes from Portal SDK; not used by SDC directly. In SDC we are not using the file upload as part of SDC. | No action in Casablanca. | |
sdc catalog + onboarding | handlebars | Comes with swagger. Exposes the application to cross-site scripting. | No action in Casablanca. | May be fixed by upgrading swagger. |
sdc catalog | org.apache.ant | Comes as part of the cglib dependency used in SDC. The method in question is not directly used in SDC. As a mitigation, this is part of our tools package, which runs on deployment and then shuts down; it is not always available. | No action in Casablanca. | |
sdc catalog | org.owasp.antisamy | False positive. Comes from Portal SDK; not used by SDC directly. Both issues are connected to cross-site scripting and injection of HTML; SDC does not use Portal SDK in a way that can impact us. | No action in Casablanca. | |
sdc catalog | org.owasp.esapi | False positive. Comes from Portal SDK; not used in SDC directly. | No action in Casablanca. | |
sdc catalog | org.seleniumhq.selenium | False positive. Used as part of the SDC UI automation; not deployed in production. The vulnerability has no info in it. | No action in Casablanca. | |
sdc catalog + onboarding | handlebars | Is part of swagger used by the application. To mitigate this we will remove access to swagger in the release. | No action in Casablanca. | |
sdc-titan-cassandra: this repository is used in SDC as a dependency; it was forked from an open source project that is no longer maintained. These issues are not addressed in the repo; we address them on consumption of the dependency in SDC. | ||||
sdc-titan-cassandra | org.codehaus.jackson | Exposes the client to execution of malicious code by a user. sdc-titan-cassandra is the driver used by SDC to communicate with the graph representation stored in Cassandra. The driver used is internal to the application. | No action in Casablanca. Move to JanusGraph is being considered. | |
sdc-titan-cassandra | com.fasterxml.jackson.core | Exposes the client to execution of malicious code by a user. sdc-titan-cassandra is the driver used by SDC to communicate with the graph representation stored in Cassandra. The driver used is internal to the application. | No action in Casablanca. Move to JanusGraph is being considered. | |
sdc-titan-cassandra | com.fasterxml.jackson.core | sdc-titan-cassandra is the driver used by SDC to communicate with the graph representation stored in Cassandra. The driver used is internal to the application. | No action in Casablanca. Move to JanusGraph is being considered. | |
sdc-titan-cassandra | org.codehaus.groovy | False positive. Exposes the application to DoS attack and execution of malicious code by passing serialized objects. The client receives specific objects for serialization. sdc-titan-cassandra is the driver used by SDC to communicate with the graph representation stored in Cassandra. The driver used is internal to the application (to support geo-redundancy). | No action in Casablanca. Move to JanusGraph is being considered. | |
sdc-titan-cassandra | commons-collections | sdc-titan-cassandra is the driver used by SDC to communicate with the graph representation stored in Cassandra. The driver used is internal to the application. | No action in Casablanca. Move to JanusGraph is being considered. | |
sdc-titan-cassandra | ch.qos.logback | False positive. sdc-titan-cassandra is the driver used by SDC to communicate with the graph representation stored in Cassandra. The driver used is internal to the application. | No action in Casablanca. Move to JanusGraph is being considered. | |
sdc-titan-cassandra | org.hibernate | We do not use the security manager and as such are not vulnerable. sdc-titan-cassandra is the driver used by SDC to communicate with the graph representation stored in Cassandra. The driver used is internal to the application. | No action in Casablanca. Move to JanusGraph is being considered. | |
sdc-titan-cassandra | io.netty | False positive. Netty is used inside the DB driver and a testing framework, both of which do not read cookies. Used for testing and as a driver base; as such they are not accepting requests and will not be affected by DoS. sdc-titan-cassandra is the driver used by SDC to communicate with the graph representation stored in Cassandra. The driver used is internal to the application. | No action in Casablanca. Move to JanusGraph is being considered. | |
sdc-titan-cassandra | org.apache.httpcomponents | False positive. The client is used for communication to the DB and the vulnerability is not applicable. | No action in Casablanca. Move to JanusGraph is being considered. | |
sdc-titan-cassandra | com.google.guava | Addressed on consumption in SDC. | No action in Casablanca. | |
sdc-titan-cassandra | dom4j | Addressed on consumption in SDC. | No action in Casablanca. | |
sdc-titan-cassandra | org.mindrot | Addressed on consumption in SDC. | No action in Casablanca. | |
sdc-workflow-designer | ||||
sdc-workflow-designer | com.fasterxml.jackson.core | False positive. No version with a fix is currently available. Workflow uses JSON marshaling to objects and is not serializing Java objects; as such the vulnerability is not applicable. | No Action for Casablanca | |
sdc-workflow-designer | org.codehaus.jackson | False positive. No version with a fix is currently available. Workflow uses JSON marshaling to objects and is not serializing Java objects; as such the vulnerability is not applicable. | No Action for Casablanca | |
sdc-workflow-designer | commons-beanutils | Exposes the application to remote code execution by manipulating the class loader. All versions have vulnerabilities in them; waiting for a fix in future versions. Update the version of the dependency as soon as the security issue is fixed. Mitigated by the fact that you need access to the server class loader to use it. | No action in Casablanca. | |
sdc-workflow-designer | com.google.guava | False positive. Guava exposes the application to serialization of objects without validation and would allow overloading the classes which have this vulnerability; AtomicDoubleArray and CompoundOrdering are not used in workflow. | No action in Casablanca. | |
sdc-workflow-designer | org.springframework | False positive, we do not serve static pages using Spring. | No action in Casablanca. | |
dcae-ds: while fixing the vulnerabilities, an issue was identified in Spring Boot that does not allow us to upgrade to the latest version. As such, we had to roll back to the original version, and with it we received back a lot of security issues. As a mitigation, the only option is to disable DCAE_DS in case the user has security concerns regarding its vulnerabilities. This can be done by changing the Helm charts to not start it. This will still allow the user to use SDC, but without the monitoring studio. | ||||
sdc-dcae-d-ci | com.fasterxml.jackson.core | False positive. This is part of the automation and is not deployed. | No action in Casablanca. | No version is available that fixes this issue. |
sdc-dcae-d-ci | com.google.guava | False positive. This is part of the automation and is not deployed. | No action in Casablanca. | |
sdc-dcae-d-dt-be-main | ch.qos.logback | False positive, we do not use logback to serialize information received from a socket. | No action in Casablanca. | |
sdc-dcae-d-dt-be-main | com.fasterxml.jackson.core | False positive. No version with a fix is currently available. DCAE-DS uses JSON marshaling to objects and is not serializing Java objects; as such the vulnerability is not applicable. | No action in Casablanca. | No version is available that fixes this issue. |
sdc-dcae-d-dt-be-main | com.google.guava | False positive. Guava exposes the application to serialization of objects without validation and would allow overloading the classes which have this vulnerability; AtomicDoubleArray and CompoundOrdering are not used in SDC. | No action in Casablanca. | |
sdc-dcae-d-dt-be-main | commons-beanutils | Exposes the application to remote code execution by manipulating the class loader. All versions have vulnerabilities in them; waiting for a fix in future versions. Update the version of the dependency as soon as the security issue is fixed. Mitigated by the fact that you need access to the server class loader to use it. | No action in Casablanca. | |
sdc-dcae-d-dt-be-main | org.apache.tomcat.embed | False positive. DCAE-DS does not use Tomcat; it is just part of Spring Boot. | No action in Casablanca. | |
sdc-dcae-d-dt-be-main | org.apache.tomcat.embed | False positive. DCAE-DS does not use Tomcat; it is just part of Spring Boot. | No action in Casablanca. | |
sdc-dcae-d-dt-be-main | org.springframework | The | No action in Casablanca. | |
sdc-dcae-d-dt-be-main | org.springframework | False positive, we do not use Spring Messaging and as such are not exposed to this issue. | No action in Casablanca. | |
sdc-dcae-d-dt-be-main | org.springframework | False positive, as we do not use Spring to serve static pages. Spring Framework is vulnerable to Cross-Site Tracing (XST) attacks; the configuration causing this is not enabled in the application and as such we are not impacted. | No action in Casablanca. | |
sdc-dcae-d-dt-be-main | org.springframework | The configuration causing this is not enabled in the application and as such we are not impacted. False positive: the issue applies when serving pages from a Windows file system. This is not an issue as we are running inside a Docker container whose OS is Linux. | No action in Casablanca. | |
sdc-dcae-d-dt-be-property | com.google.guava | False positive. Guava exposes the application to serialization of objects without validation and would allow overloading the classes which have this vulnerability; AtomicDoubleArray and CompoundOrdering are not used. | No action in Casablanca. | |
sdc-dcae-d-fe | ch.qos.logback | False positive, we do not use logback to serialize information received from a socket. | No action in Casablanca. | |
sdc-dcae-d-fe | com.google.guava | False positive. Guava exposes the application to serialization of objects without validation and would allow overloading the classes which have this vulnerability; AtomicDoubleArray and CompoundOrdering are not used. | No action in Casablanca. | |
sdc-dcae-d-fe | org.eclipse.jetty | This dependency exposes the application to HTTP Request Smuggling. There is no mitigation available. The dependency comes with Spring Boot; the latest versions include a bug that does not allow us to upgrade this. | No action in Casablanca. | |
sdc-dcae-d-fe | org.eclipse.jetty | The | No action in Casablanca. | |
sdc-dcae-d-fe | org.springframework | The | No action in Casablanca. | |
sdc-dcae-d-fe | org.springframework | False positive, we do not use Spring Messaging and as such are not exposed to this issue. | No action in Casablanca. | |
sdc-dcae-d-fe | org.springframework | False positive, as we do not use Spring to serve static pages. Spring Framework is vulnerable to Cross-Site Tracing (XST) attacks; the configuration causing this is not enabled in the application and as such we are not impacted. | No action in Casablanca. | |
sdc-dcae-d-fe | org.springframework | The configuration causing this is not enabled in the application and as such we are not impacted. False positive: the issue applies when serving pages from a Windows file system. This is not an issue as we are running inside a Docker container whose OS is Linux. | No action in Casablanca. | |
sdc-dcae-d-dt | angular | Angular exposes the application to a cross-site scripting vulnerability. There is no fix available in any Angular version. | No action in Casablanca. | A UI library; as far as I understand, UI libraries were not part of the scan and only Java artifacts were reviewed? |
sdc-dcae-d-dt | bootstrap | Bootstrap exposes the application to a cross-site scripting vulnerability. There is no fix available in any Bootstrap version. | No action in Casablanca. | A UI library; as far as I understand, UI libraries were not part of the scan and only Java artifacts were reviewed? |
sdc-dcae-d-dt | ch.qos.logback | False positive, we do not use logback to serialize information received from a socket. | No action in Casablanca. | |
sdc-dcae-d-dt | com.fasterxml.jackson.core | False positive. No version with a fix is currently available. DCAE-DS uses JSON marshaling to objects and is not serializing Java objects; as such the vulnerability is not applicable. | No action in Casablanca. | |
sdc-dcae-d-dt | com.google.guava | False positive. Guava exposes the application to serialization of objects without validation and would allow overloading the classes which have this vulnerability; AtomicDoubleArray and CompoundOrdering are not used. | No action in Casablanca. | |
sdc-dcae-d-dt | jquery | jQuery exposes the application to a cross-site scripting vulnerability. | No action in Casablanca. | A UI library; as far as I understand, UI libraries were not part of the scan and only Java artifacts were reviewed? |
sdc-dcae-d-dt | org.eclipse.jetty | This dependency exposes the application to HTTP Request Smuggling. There is no mitigation available. The dependency comes with Spring Boot; the latest versions include a bug that does not allow us to upgrade this. | No action in Casablanca. | |
sdc-dcae-d-dt | org.eclipse.jetty | The | No action in Casablanca. | |
sdc-dcae-d-dt | org.springframework | The | No action in Casablanca. | |
sdc-dcae-d-dt | org.springframework | False positive, we do not use Spring Messaging and as such are not exposed to this issue. | No action in Casablanca. | |
sdc-dcae-d-dt | org.springframework | False positive, as we do not use Spring to serve static pages. Spring Framework is vulnerable to Cross-Site Tracing (XST) attacks; the configuration causing this is not enabled in the application and as such we are not impacted. | No action in Casablanca. | |
sdc-dcae-d-dt | org.springframework | The configuration causing this is not enabled in the application and as such we are not impacted. False positive: the issue applies when serving pages from a Windows file system. This is not an issue as we are running inside a Docker container whose OS is Linux. | No action in Casablanca. | |