Casablanca Maintenance UUI Security/Vulnerability Report

This table lists the known exploitable and non-exploitable vulnerabilities reported in third-party packages used by the project, with the impact analysis and the action taken for each.



Fields per entry: Repository, Group, Impact Analysis, Action

Repository: usecase-ui
Group: com.fasterxml.jackson.core
Impact Analysis: False positive. The reported deserialization vulnerability is not exposed by the application code because:

  1. The application does not hand untrusted data to the deserializer; XSS/XSRF validation is enabled in the backend code.

  2. Polymorphic default typing (ObjectMapper.setDefaultTyping() / enableDefaultTyping()) is never called, and JSON is always bound to concrete Java types, so the JSON payload cannot choose the class that gets instantiated.

  3. Spring Security 4.2.3 is in use.

Action: Not vulnerable in ONAP
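The second point above is the one that decides the Jackson question, and it is worth seeing what it looks like in code. The following is an added illustration, not usecase-ui code: it binds a constructed JSON payload to a concrete class with a plain ObjectMapper (the pattern the analysis relies on) and then shows the configuration that must not appear, global default typing, under which the same payload makes Jackson resolve a class name taken from the JSON. The class `ServiceRequest`, the payload strings and the class name `com.example.NotARealGadget` are all made up for the example; the Jackson 2.9 API is assumed.

```java
import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;

import java.io.IOException;

public class JacksonTypingCheck {

    // Concrete target type (hypothetical): Jackson only ever instantiates this class
    // and binds its declared fields, whatever the JSON contains.
    public static class ServiceRequest {
        public String serviceName;
        public int instanceCount;
    }

    // Constructed sample input: an ordinary request body.
    static final String PLAIN_PAYLOAD =
            "{\"serviceName\":\"vFW\",\"instanceCount\":2}";

    // Constructed attacker-style input: in Jackson's "as array" polymorphic encoding the
    // first element is a type id. It is only honoured when polymorphic typing is active.
    static final String POLYMORPHIC_PAYLOAD =
            "[\"com.example.NotARealGadget\", {\"serviceName\":\"x\",\"instanceCount\":1}]";

    // The pattern the report describes: default mapper, concrete class, no default typing.
    public static ServiceRequest parseSafely(String json) throws IOException {
        ObjectMapper mapper = new ObjectMapper();
        return mapper.readValue(json, ServiceRequest.class);
    }

    // The pattern to grep for and reject: default typing lets the JSON name the class.
    // With NON_FINAL every non-final declared type, including ServiceRequest, accepts
    // a type id; with a target of Object.class any class on the classpath would do.
    public static ServiceRequest parseWithDefaultTyping(String json) throws IOException {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping(ObjectMapper.DefaultTyping.NON_FINAL); // Jackson 2.9 API
        return mapper.readValue(json, ServiceRequest.class);
    }

    public static void main(String[] args) throws IOException {
        ServiceRequest r = parseSafely(PLAIN_PAYLOAD);
        System.out.println("safe mapper bound: " + r.serviceName + " x" + r.instanceCount);

        try {
            parseSafely(POLYMORPHIC_PAYLOAD);
        } catch (JsonMappingException e) {
            // Without default typing the array form simply does not match ServiceRequest;
            // Jackson reports a mapping error and never looks at the class name.
            System.out.println("safe mapper: mapping error, type id ignored: "
                    + e.getOriginalMessage());
        }

        try {
            parseWithDefaultTyping(POLYMORPHIC_PAYLOAD);
        } catch (JsonMappingException | IllegalArgumentException e) {
            // With default typing Jackson first tries to resolve the class named in the
            // JSON. It fails here only because the made-up class is not on the classpath;
            // a real gadget class would have been loaded. This is the exposure ruled out.
            System.out.println("default-typing mapper tried to resolve the class: "
                    + e.getMessage());
        }
    }
}
```

When re-checking a release, the things to search the code base for are `enableDefaultTyping`, `setDefaultTyping`, `activateDefaultTyping` (Jackson 2.10+), and `@JsonTypeInfo(use = JsonTypeInfo.Id.CLASS ...)` on fields typed `Object` or as an abstract type; if none is present and every `readValue` targets a concrete class, the analysis above holds.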

Repository: usecase-ui
Group: commons-httpclient
Impact Analysis: False positive. The recommended fix is to migrate to org.apache.httpcomponents, but usecase-ui does not use commons-httpclient directly; it is pulled in only as a transitive dependency. Note that a transitive dependency is still present on the classpath, so this conclusion rests on no application code path invoking it.
Action: No Action.

Repository: Portal
Group: moment
Impact Analysis: All available versions of moment.js are vulnerable, so upgrading is not an option. The reported issue is a Regular Expression Denial of Service (ReDoS): the monthsShortRegex(), monthsRegex(), weekdaysRegex(), weekdaysShortRegex() and weekdaysMinRegex() functions in moment.js, moment-with-locales.js and regex.js use a vulnerable regular expression while parsing date input. A remote attacker can exploit this by supplying a date string containing a very long run of repetitive characters which, when parsed, consumes the available CPU and results in a denial of service.

Analysis: Not vulnerable, because all date fields are reformatted and validated before being submitted, so attacker-controlled date strings never reach the moment.js parser.
Action: Not vulnerable in ONAP

Repository: usecase-ui
Group: angular
Impact Analysis: From our analysis the vulnerability cannot be exploited, because the usecase-ui application follows these design patterns:

  • It does not mix client-side and server-side templates.

  • It does not use user input to generate templates dynamically.

  • It does not run user input through $scope.$eval (or any other expression-parsing function).

Action: Not vulnerable in ONAP



Repository: Portal
Group: commons-beanutils
Impact Analysis: All available versions of commons-beanutils are vulnerable, so upgrading is not an option. The vulnerability is reachable only where the bean's "class" property is populated from untrusted input, which exposes the ClassLoader through "class.classLoader". The Portal code does not use the class loader in this way, so it is not vulnerable in ONAP.
Action: Not vulnerable in ONAP
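To make "uses the class loader" concrete, here is an added example (not Portal code) of the code shape that would expose this issue and of the opt-in hardening commons-beanutils has offered since 1.9.2. A constructed request-parameter map containing the nested key `class.classLoader.defaultAssertionStatus` is fed to BeanUtilsBean.populate(); the bean class `UserPrefs`, the parameter values and the method names in this file are hypothetical. The assertion-status flag is used as a deliberately harmless, observable side effect of reaching the loader.

```java
import org.apache.commons.beanutils.BeanUtilsBean;
import org.apache.commons.beanutils.SuppressPropertiesBeanIntrospector;

import java.util.HashMap;
import java.util.Map;

public class BeanUtilsClassLoaderCheck {

    // Hypothetical bean that a request handler fills from query/form parameters.
    public static class UserPrefs {
        private String theme = "light";
        public String getTheme() { return theme; }
        public void setTheme(String theme) { this.theme = theme; }
    }

    // Constructed attacker-style parameters. The nested path walks
    // bean.getClass().getClassLoader() and then calls a setter on the loader.
    public static Map<String, Object> hostileParams() {
        Map<String, Object> params = new HashMap<>();
        params.put("theme", "dark");
        params.put("class.classLoader.defaultAssertionStatus", "true");
        return params;
    }

    // The exposed shape: untrusted keys drive property resolution, including "class".
    public static UserPrefs populateDefault(Map<String, Object> params) throws Exception {
        UserPrefs prefs = new UserPrefs();
        new BeanUtilsBean().populate(prefs, params);
        return prefs;
    }

    // Opt-in hardening (beanutils 1.9.2+): the "class" property is hidden from
    // introspection, so the nested path stops at the first segment and is skipped.
    public static UserPrefs populateHardened(Map<String, Object> params) throws Exception {
        BeanUtilsBean bean = new BeanUtilsBean();
        bean.getPropertyUtils()
            .addBeanIntrospector(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
        UserPrefs prefs = new UserPrefs();
        bean.populate(prefs, params);
        return prefs;
    }

    // Observable probe: Class.desiredAssertionStatus() reflects the loader's current
    // default, so it reveals whether populate() reached ClassLoader.setDefaultAssertionStatus.
    public static boolean loaderReached() {
        return UserPrefs.class.desiredAssertionStatus();
    }

    public static void main(String[] args) throws Exception {
        System.out.println("before: loader reached = " + loaderReached());

        UserPrefs hardened = populateHardened(hostileParams());
        System.out.println("hardened: theme=" + hardened.getTheme()
                + ", loader reached = " + loaderReached());

        UserPrefs plain = populateDefault(hostileParams());
        System.out.println("default:  theme=" + plain.getTheme()
                + ", loader reached = " + loaderReached());
    }
}
```

The legitimate "theme" parameter is applied in both variants. Whether the default variant also reaches the loader depends on the library version: releases before 1.9.4 honour the "class" property unless SUPPRESS_CLASS is registered as above, while 1.9.4 and later suppress it by default. A code base that never calls populate()/copyProperties()/setProperty() with attacker-controlled property names, which is what the analysis above asserts for Portal, has no path to the loader regardless of version.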

Repository: Portal-SDK
Group: org.apache.poi
Impact Analysis: Not vulnerable, as POI is not used to read documents; it is used only to generate XLS files from the application's own data, so no attacker-supplied file is ever parsed.
Action: Not vulnerable in ONAP