Dublin SDC Security/Vulnerability Report

This table lists the known exploitable and non-exploitable vulnerabilities in third-party packages used in the project.



Each entry below gives: Repository, Group, Impact Analysis, Action.


Repository: sdc-sdc-tosca
Group: com.fasterxml.jackson.core
Impact Analysis: False positive. The library is part of the sdc-tosca parser, which is used as a library. The parser only runs on predefined objects and will not attempt to run on an object that was not validated; the parser is protected by the application using it, and the information supplied comes from the consuming application. There is no non-vulnerable version of this component.
Action: No action in Dublin. SDC-2262: Upgrade sdc-parser jackson-databind version (Closed)

Repository: sdc-sdc-tosca
Group: com.google.guava
Impact Analysis: False positive. Guava exposes the application to deserialization of objects without validation and will be able to overload the
The classes that have this vulnerability, AtomicDoubleArray and CompoundOrdering, are not used in SDC.
Action: No action in Dublin.

Repository: sdc (catalog)
Group: org.apache.lucene
Impact Analysis: False positive. The dependency comes from Elasticsearch (xercesImpl); as such the vulnerability does not affect the application. There is no non-vulnerable version of this component.
Action: No action for Dublin. SDC-2265: Consider upgrade or remove Lucene (Closed)

Repository: sdc (onboarding)
Group: io.springfox
Impact Analysis: The dependency is part of swagger; we will try to fix it by upgrading the version used. The vulnerabilities are connected to cross-site scripting. We were not able to identify the location of this issue: based on our review, CLM locates it in openecomp-be/tools/swagger-ui/target/api-docs, however no such thing exists in that swagger jar.
Action: As a mitigation, we will not package swagger in the release artifact. SDC-2261: Upgrade Swagger-UI in openecomp-be (Closed)

Repository: sdc (catalog + onboarding)
Group: org.codehaus.jackson
Impact Analysis: False positive. Used inside the Titan client; all operations arriving there have already passed a set of logic and serialization, and it is not exposed to users. No version with a fix is currently available. 1.9.2 is not directly referenced but comes from Titan DB.
Action: No action for Dublin.

Repository: sdc (catalog + onboarding)
Group: com.fasterxml.jackson.core
Impact Analysis: False positive. No version with a fix is currently available. SDC serializes objects based on existing classes only.
Action: No action in Dublin.

Repository: sdc (onboarding + catalog)
Group: org.beanshell
Impact Analysis: False positive. CVE-2016-2510: the vulnerability exposes the application to remote code execution through deserialization of objects carrying executable code. All versions have vulnerabilities in them; waiting for a fix in future versions. SDC does not use Java serialization for converting objects.
Action: Waiting for a stable release. SDC-2266: Consider upgrade or remove BeanShell 2.0b6 (Closed)

Repository: sdc (catalog)
Group: io.netty
Impact Analysis: False positive. Used as part of the automation used in SDC; comes from the selenium-java dependency.
Action: No action in Dublin.

Repository: sdc (catalog + onboarding)
Group: io.netty
Impact Analysis: SONATYPE-2017-0356: The software does not validate, or incorrectly validates, a certificate.
Action: No action in Dublin. SDC-2263: Upgrade netty / netty-handler dependencies (Closed)

Repository: sdc (catalog + onboarding)
Group: commons-beanutils
Impact Analysis: CVE-2014-0114 exposes the application to remote code execution by manipulating the class loader. All versions have vulnerabilities in them; waiting for a fix in future versions. The issue is that the class loader can be manipulated to load additional classes that execute code; this can be mitigated by not allowing access to the machine where SDC is running.
Action: No action in Dublin. Update the version of the dependency as soon as the security issue is fixed. SDC-2269: Beanutils - upgrade to 1.9.2 should be considered (Closed)

Repository: sdc (catalog)
Group: org.bouncycastle
Impact Analysis: False positive. Comes from selenium-server; this is included and used in an automation project and is not actually deployed as part of SDC.
Action: No action for Dublin.

Repository: sdc (catalog)
Group: xerces
Impact Analysis: False positive. Comes from selenium-java; this is included and used in an automation project and is not actually deployed as part of SDC.
Action: No action for Dublin.

Repository: sdc (catalog)
Group: org.apache.poi
Impact Analysis: False positive. Part of the sdctool used for migration and schema creation; not part of the BE logic. No DoS attack is possible against this. No newer version is available; the dependency is no longer actively developed, and we will consider removing it in the future.
Action: No action in Dublin. SDC-2270: Consider upgrade or remove com.springsource.org.apache.poi (Closed)

Repository: sdc (catalog)
Group: swagger-ui
Impact Analysis: SDC has two swaggers: one for the external APIs, protected by basic authentication, and a second for our internal APIs, which is exposed. The vulnerability is that Swagger UI is exposed to cross-site scripting. Mitigation: we will close access to it in the release until it is handled.
Action: No action for Dublin. Changing the use of swagger requires a major change to all of our annotations; this will not be done in Dublin. SDC-2261: Upgrade Swagger-UI in openecomp-be (Closed)

Repository: sdc (onboarding + catalog)
Group: org.testng
Impact Analysis: False positive. This is a testing framework used in SDC and is not part of the deployment; it is used for automation and unit test execution only.
Action: No action for Dublin.

Repository: sdc (onboarding + catalog)
Group: org.springframework
Impact Analysis: False positive. SDC does not serve static pages using Spring.
Action: No action for Dublin.

Repository: sdc (catalog)
Group: org.mindrot
Impact Analysis: Indirectly referenced from Titan and Gremlin Groovy. Integer overflow in the crypt_raw method in the key-stretching implementation in jBCrypt before 0.4 makes it easier for remote attackers to determine cleartext values of password hashes via a brute-force attack against hashes associated with the maximum exponent. Mitigation: SDC code does not use this directly; it is used internally in our DB driver, and an attacker would find it hard to pass all the SDC logic to reach the driver and attack it.
Action: No action for Dublin.

Repository: sdc (catalog)
Group: org.elasticsearch
Impact Analysis: False positive. Elasticsearch Alerting and Monitoring in versions before 6.4.1 or 5.6.12 have an information disclosure issue when secrets are configured via the API. SDC does not configure secrets using the API.
Action: No action for Dublin. Elasticsearch is being removed in the next release, which will fix this issue. SDC-2267: Remove elasticsearch & Lucene (Closed)

Repository: sdc (catalog)
Group: javax.mail
Impact Analysis: False positive. JavaMail is vulnerable to information exposure; the method that causes it is not used in SDC.
Action: No action for Dublin; will be removed next release.

Repository: sdc (catalog + onboarding)
Group: jQuery
Impact Analysis: False positive. Used as part of SDC automation only, not part of the deployed code; comes from TestNG.
Action: No action for Dublin. In the next release we can try to upgrade the testing in the project.

Repository: sdc (catalog)
Group: dom4j
Impact Analysis: False positive. Comes with titan-core; no fix is available and it is not used directly in SDC. Will be fixed once SDC moves from Titan to JanusGraph. SDC does not store XML files in Titan, so this is a non-issue: we are not using this capability and are not exposing it.
Action: No action in Dublin.

Repository: sdc (catalog)
Group: com.jcraft
Impact Analysis: False positive. The vulnerability occurs on Windows only; SDC is dockerized and uses Alpine (a Linux-based OS).
Action: No action in Dublin.

Repository: sdc (catalog)
Group: stipsan/uikit
Impact Analysis: This dependency is used by swagger and as such is part of the project. No version without the vulnerability is available.
Action: No action in Dublin. As a mitigation, we will disable access to swagger. SDC-2261: Upgrade Swagger-UI in openecomp-be (Closed)

Repository: sdc (catalog + onboarding)
Group: com.google.guava
Impact Analysis: False positive. Guava exposes the application to deserialization of objects without validation and will be able to overload the
The classes that have this vulnerability, AtomicDoubleArray and CompoundOrdering, are not used in SDC.
Action: No action in Dublin. A non-vulnerable version is available; this will be addressed in the next release.

Repository: sdc (catalog)
Group: commons-fileupload
Impact Analysis: False positive. Comes from Portal SDK and is not used by SDC directly; SDC does not use file upload through it.
Action: No action in Dublin. PORTAL-528: Vulnerability Updates in Casablanca maintenance release (Closed)

Repository: sdc (catalog + onboarding)
Group: handlebars
Impact Analysis: Comes with swagger; exposes the application to cross-site scripting.
Action: No action in Dublin. May be fixed by upgrading swagger. SDC-2261: Upgrade Swagger-UI in openecomp-be (Closed)

Repository: sdc (catalog)
Group: org.apache.ant
Impact Analysis: Comes as part of the cglib dependency used in SDC. The method in question is not directly used in SDC. As a mitigation, this is part of our tools package, which runs on deployment and then shuts down, so it is not always available.
Action: No action in Dublin.

Repository: sdc (catalog)
Group: org.owasp.antisamy
Impact Analysis: False positive. Comes from Portal SDK and is not used by SDC directly. Both issues are connected to cross-site scripting and HTML injection; SDC does not use Portal SDK in a way that can impact us.
Action: No action in Dublin. PORTAL-542: antisamy (Closed)

Repository: sdc (catalog)
Group: org.owasp.esapi
Impact Analysis: False positive. Comes from Portal SDK; not used in SDC directly.
Action: No action in Dublin. PORTAL-528: Vulnerability Updates in Casablanca maintenance release (Closed)

Repository: sdc (catalog)
Group: org.seleniumhq.selenium
Impact Analysis: False positive. Used as part of the SDC UI automation; not deployed in production. The vulnerability report contains no details.
Action: No action in Dublin.

Repository: sdc (catalog + onboarding)
Group: handlebars
Impact Analysis: Part of swagger, which is used by the application. To mitigate this we will remove access to swagger in the release.
Action: No action in Dublin.

sdc-titan-cassandra: this repository is used in SDC as a dependency. It was forked from an open source project that is no longer maintained. These issues are not addressed in the repo; we address them where the dependency is consumed in SDC.

Repository: sdc-titan-cassandra
Group: org.codehaus.jackson
Impact Analysis: CVE-2017-7525 exposes the client to execution of malicious code by a user. sdc-titan-cassandra is the driver used by SDC to communicate with the graph representation stored in Cassandra; the driver is internal to the application.
Action: No action in Dublin. Move to JanusGraph in El Alto.

Repository: sdc-titan-cassandra
Group: com.fasterxml.jackson.core
Impact Analysis: CVE-2017-7525 exposes the client to execution of malicious code by a user. sdc-titan-cassandra is the driver used by SDC to communicate with the graph representation stored in Cassandra; the driver is internal to the application.
Action: No action in Dublin. Move to JanusGraph in El Alto.

Repository: sdc-titan-cassandra
Group: com.fasterxml.jackson.core
Impact Analysis: sdc-titan-cassandra is the driver used by SDC to communicate with the graph representation stored in Cassandra; the driver is internal to the application.
Action: No action in Dublin. Move to JanusGraph in El Alto.

Repository: sdc-titan-cassandra
Group: org.codehaus.groovy
Impact Analysis: False positive. CVE-2015-3253 exposes the application to DoS and to execution of malicious code by passing serialized objects; the client receives specific objects for serialization. sdc-titan-cassandra is the driver used by SDC to communicate with the graph representation stored in Cassandra; the driver is internal to the application and is used to support geo-redundancy.
Action: No action in Dublin. Move to JanusGraph in El Alto.

Repository: sdc-titan-cassandra
Group: commons-collections
Impact Analysis: sdc-titan-cassandra is the driver used by SDC to communicate with the graph representation stored in Cassandra; the driver is internal to the application.
Action: No action in Dublin. Move to JanusGraph in El Alto.

Repository: sdc-titan-cassandra
Group: ch.qos.logback
Impact Analysis: False positive. CVE-2017-5929: sdc-titan-cassandra is the driver used by SDC to communicate with the graph representation stored in Cassandra; the driver is internal to the application.
Action: No action in Dublin. Move to JanusGraph in El Alto.

Repository: sdc-titan-cassandra
Group: org.hibernate
Impact Analysis: CVE-2017-7536: we do not use a Security Manager and as such are not vulnerable. sdc-titan-cassandra is the driver used by SDC to communicate with the graph representation stored in Cassandra; the driver is internal to the application.
Action: No action in Dublin. Move to JanusGraph in El Alto.

Repository: sdc-titan-cassandra
Group: io.netty
Impact Analysis: False positive. CVE-2015-2156: Netty is used inside the DB driver and in a testing framework, both of which do not read cookies. CVE-2016-4970: used for testing and as a driver base; as such they do not accept requests and will not be affected by DoS. sdc-titan-cassandra is the driver used by SDC to communicate with the graph representation stored in Cassandra; the driver is internal to the application.
Action: No action in Dublin. Move to JanusGraph in El Alto.

Repository: sdc-titan-cassandra
Group: org.apache.httpcomponents
Impact Analysis: False positive. The client is used for communication to the DB, and the vulnerability is not applicable.
Action: No action in Dublin. Move to JanusGraph in El Alto.

Repository: sdc-titan-cassandra
Group: com.google.guava
Impact Analysis: Addressed on consumption in SDC.
Action: No action in Dublin.

Repository: sdc-titan-cassandra
Group: dom4j
Impact Analysis: Addressed on consumption in SDC.
Action: No action in Dublin.

Repository: sdc-titan-cassandra
Group: org.mindrot
Impact Analysis: Addressed on consumption in SDC.
Action: No action in Dublin.

Repository: sdc-titan-cassandra
Group: libthrift
Impact Analysis: Addressed on consumption in SDC.
Action: No action in Dublin; move to JanusGraph in El Alto, or: SDC-2264: Upgrade libthrift to 0.12.0 (Closed)

Repository: sdc-workflow-designer
Group: com.fasterxml.jackson.core
Impact Analysis: False positive. No version with a fix is currently available. Workflow uses JSON marshaling into objects and does not serialize Java objects; as such the vulnerability is not applicable.
Action: No action for Dublin.

Repository: sdc-workflow-designer
Group: org.codehaus.jackson
Impact Analysis: False positive. No version with a fix is currently available. Workflow uses JSON marshaling into objects and does not serialize Java objects; as such the vulnerability is not applicable.
Action: No action for Dublin.

Repository: sdc-workflow-designer
Group: commons-beanutils
Impact Analysis: CVE-2014-0114 exposes the application to remote code execution by manipulating the class loader. All versions have vulnerabilities in them; waiting for a fix in future versions. Mitigated by the fact that you need access to the server class loader to use it.
Action: No action in Dublin. Update the version of the dependency as soon as the security issue is fixed. SDC-2269: Beanutils - upgrade to 1.9.2 should be considered (Closed)

Repository: sdc-workflow-designer
Group: com.google.guava
Impact Analysis: False positive. Guava exposes the application to deserialization of objects without validation and will be able to overload the
The classes that have this vulnerability, AtomicDoubleArray and CompoundOrdering, are not used in workflow.
Action: No action in Dublin.

Repository: sdc-workflow-designer
Group: org.springframework
Impact Analysis: False positive. We do not serve static pages using Spring.
Action: No action in Dublin.

dcae-ds: while fixing the vulnerabilities, an issue was identified in Spring Boot that does not allow us to upgrade to the latest version. As such, we had to roll back to the original version, and with it we got back a lot of security issues. As a mitigation, the only option is to disable DCAE_DS if the user has security concerns regarding its vulnerabilities. This can be done by changing the Helm charts to not start it; this will still allow the user to use SDC, but without the monitoring studio.

Repository: sdc-dcae-d-ci
Group: com.fasterxml.jackson.core
Impact Analysis: False positive. This is part of the automation and is not deployed. No version is available that fixes this issue.
Action: No action in Dublin.

Repository: sdc-dcae-d-ci
Group: com.google.guava
Impact Analysis: False positive. This is part of the automation and is not deployed.
Action: No action in Dublin.

Repository: sdc-dcae-d-dt-be-main
Group: ch.qos.logback
Impact Analysis: False positive. We do not use logback to deserialize information received from a socket.
Action: No action in Dublin.

Repository: sdc-dcae-d-dt-be-main
Group: com.fasterxml.jackson.core
Impact Analysis: False positive. No version with a fix is currently available. DCAE-DS uses JSON marshaling into objects and does not serialize Java objects; as such the vulnerability is not applicable.
Action: No action in Dublin.

Repository: sdc-dcae-d-dt-be-main
Group: com.google.guava
Impact Analysis: False positive. Guava exposes the application to deserialization of objects without validation and will be able to overload the
The classes that have this vulnerability, AtomicDoubleArray and CompoundOrdering, are not used in SDC.
Action: No action in Dublin.

Repository: sdc-dcae-d-dt-be-main
Group: commons-beanutils
Impact Analysis: CVE-2014-0114 exposes the application to remote code execution by manipulating the class loader. All versions have vulnerabilities in them; waiting for a fix in future versions. Mitigated by the fact that you need access to the server class loader to use it.
Action: No action in Dublin. Update the version of the dependency as soon as the security issue is fixed. SDC-2269: Beanutils - upgrade to 1.9.2 should be considered (Closed)
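The commons-beanutils entries (sdc, sdc-workflow-designer and the one above) describe CVE-2014-0114 as a class loader manipulation that needs access to the server. The example below is added here and is not SDC or DCAE-DS code. It shows the property path the issue actually uses, which arrives with ordinary bean-population input such as request parameters, and the mitigation that Commons BeanUtils ships from 1.9.2 (the version the linked ticket targets): SuppressPropertiesBeanIntrospector. It assumes commons-beanutils 1.9.2 or 1.9.3 on the classpath (1.9.4 enables the suppression by default); the Settings class and the parameter map are constructed for the example.

```java
// Added example, not project code. Shows the CVE-2014-0114 property path and the
// SuppressPropertiesBeanIntrospector mitigation available from commons-beanutils 1.9.2.
import java.util.HashMap;
import java.util.Map;
import org.apache.commons.beanutils.BeanUtilsBean;
import org.apache.commons.beanutils.SuppressPropertiesBeanIntrospector;

public class BeanUtilsClassLoaderCheck {

    /** Bean populated from request parameters (constructed for this example). */
    public static class Settings {
        private String name;
        public String getName() { return name; }
        public void setName(String name) { this.name = name; }
    }

    /** Path an attacker submits: every Object has getClass(), so "class" is a readable
     *  property, and Class has getClassLoader(), so the path walks into the class loader. */
    static final String ATTACK_PATH = "class.classLoader";

    /** True when the path resolves to a ClassLoader, i.e. bean introspection is exploitable. */
    public static boolean reachesClassLoader(BeanUtilsBean beanUtils, Object bean) {
        try {
            Object resolved = beanUtils.getPropertyUtils().getProperty(bean, ATTACK_PATH);
            return resolved instanceof ClassLoader;
        } catch (NoSuchMethodException e) {
            return false;   // "class" is no longer a bean property, so the path cannot be walked
        } catch (ReflectiveOperationException e) {
            return false;
        }
    }

    /** The mitigation: a BeanUtilsBean whose introspector drops the "class" property. */
    public static BeanUtilsBean hardened() {
        BeanUtilsBean bu = new BeanUtilsBean();
        bu.getPropertyUtils().addBeanIntrospector(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
        return bu;
    }

    public static void main(String[] args) throws Exception {
        Map<String, Object> params = new HashMap<>();   // would normally come from an HTTP request
        params.put("name", "ok");
        params.put("class.classLoader.foo", "x");       // nested write that walks through the loader

        Settings s1 = new Settings();
        BeanUtilsBean plain = new BeanUtilsBean();      // default introspection before 1.9.4
        plain.populate(s1, params);
        System.out.println("default:  reaches class loader = " + reachesClassLoader(plain, s1));

        Settings s2 = new Settings();
        BeanUtilsBean safe = hardened();
        safe.populate(s2, params);                      // the class.* entry is skipped, name is still set
        System.out.println("hardened: reaches class loader = " + reachesClassLoader(safe, s2)
                + ", name=" + s2.getName());
    }
}
```

Run against 1.9.2/1.9.3, the first line reports true and the second false. The practical check for a code base is therefore not whether an attacker has shell access to the machine, but whether any BeanUtils.populate or setProperty call is fed attacker-controlled property names without the suppression above (or without a move to 1.9.4 or later).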

Repository: sdc-dcae-d-dt-be-main
Group: org.apache.tomcat.embed
Impact Analysis: False positive. DCAE-DS does not use Tomcat; it is just part of Spring Boot.
Action: No action in Dublin.

Repository: sdc-dcae-d-dt-be-main
Group: org.springframework
Impact Analysis: The spring-core and spring-web modules of Spring Framework are vulnerable to a multipart content pollution vulnerability.
Action: No action in Dublin.

Repository: sdc-dcae-d-dt-be-main
Group: org.springframework
Impact Analysis: False positive. We do not use Spring Messaging and as such are not exposed to this issue.
Action: No action in Dublin.

Repository: sdc-dcae-d-dt-be-main
Group: org.springframework
Impact Analysis: CVE-2018-15756: false positive, as we do not use Spring to serve static pages. CVE-2018-11039: Spring Framework is vulnerable to Cross-Site Tracing (XST) attacks. CVE-2018-11040: the configuration causing this is not enabled in the application, and as such we are not impacted.
Action: No action in Dublin.

Repository: sdc-dcae-d-dt-be-main
Group: org.springframework
Impact Analysis: CVE-2018-11040: the configuration causing this is not enabled in the application, and as such we are not impacted. CVE-2018-1271: false positive; the issue applies when serving pages from a Windows file system, which is not a concern as we run inside a Docker container whose OS is Linux.
Action: No action in Dublin.

Repository: sdc-dcae-d-dt-be-property
Group: com.google.guava
Impact Analysis: False positive. Guava exposes the application to deserialization of objects without validation and will be able to overload the
The classes that have this vulnerability, AtomicDoubleArray and CompoundOrdering, are not used.
Action: No action in Dublin.

Repository: sdc-dcae-d-fe
Group: ch.qos.logback
Impact Analysis: False positive. We do not use logback to deserialize information received from a socket.
Action: No action in Dublin.

Repository: sdc-dcae-d-fe
Group: com.google.guava
Impact Analysis: False positive. Guava exposes the application to deserialization of objects without validation and will be able to overload the
The classes that have this vulnerability, AtomicDoubleArray and CompoundOrdering, are not used.
Action: No action in Dublin.

Repository: sdc-dcae-d-fe
Group: org.eclipse.jetty
Impact Analysis: This dependency exposes the application to HTTP request smuggling. There is no mitigation available. The dependency comes with Spring Boot, and the latest versions include a bug that does not allow us to upgrade it.
Action: No action in Dublin. https://lf-onap.atlassian.net/browse/SDC-2268

Repository: sdc-dcae-d-fe
Group: org.eclipse.jetty
Impact Analysis: The jetty package is vulnerable to information disclosure via the InvalidPathException message.
Action: No action in Dublin.

Repository: sdc-dcae-d-fe
Group: org.springframework
Impact Analysis: The spring-core and spring-web modules of Spring Framework are vulnerable to a multipart content pollution vulnerability.
Action: No action in Dublin.

Repository: sdc-dcae-d-fe
Group: org.springframework
Impact Analysis: False positive. We do not use Spring Messaging and as such are not exposed to this issue.
Action: No action in Dublin.

Repository: sdc-dcae-d-fe
Group: org.springframework
Impact Analysis: CVE-2018-15756: false positive, as we do not use Spring to serve static pages. CVE-2018-11039: Spring Framework is vulnerable to Cross-Site Tracing (XST) attacks. CVE-2018-11040: the configuration causing this is not enabled in the application, and as such we are not impacted.
Action: No action in Dublin.

Repository: sdc-dcae-d-fe
Group: org.springframework
Impact Analysis: CVE-2018-11040: the configuration causing this is not enabled in the application, and as such we are not impacted. CVE-2018-1271: false positive; the issue applies when serving pages from a Windows file system, which is not a concern as we run inside a Docker container whose OS is Linux.
Action: No action in Dublin.

Repository: sdc-dcae-d-dt
Group: angular
Impact Analysis: Angular exposes the application to a cross-site scripting vulnerability. There is no fix available in any Angular version.
Action: No action in Dublin.

Repository: sdc-dcae-d-dt
Group: bootstrap 3.3.4
Impact Analysis: Bootstrap exposes the application to a cross-site scripting vulnerability. There is no fix available in any Bootstrap version.
Action: No action in Dublin.

Repository: sdc-dcae-d-dt
Group: ch.qos.logback
Impact Analysis: False positive. We do not use logback to deserialize information received from a socket.
Action: No action in Dublin.

Repository: sdc-dcae-d-dt
Group: com.fasterxml.jackson.core
Impact Analysis: False positive. No version with a fix is currently available. DCAE-DS uses JSON marshaling into objects and does not serialize Java objects; as such the vulnerability is not applicable.
Action: No action in Dublin.
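The jackson-databind entries (sdc, sdc-titan-cassandra with CVE-2017-7525, sdc-workflow-designer and the DCAE-DS entries above) all rest on the same argument: JSON is bound to a fixed, existing class, and Java objects are not deserialized by a type name carried in the input. The example below is added here and is not SDC or DCAE-DS code; it shows the difference that argument depends on, so the claim can be checked rather than assumed. It assumes jackson-databind 2.9.x on the classpath; the Vendor class and the payload strings are constructed for the example.

```java
// Added example, not project code. Binding to a concrete class rejects an attacker-supplied
// type identifier; enabling default typing lets the JSON choose the class to instantiate,
// which is the precondition for the CVE-2017-7525 family of jackson-databind issues.
import java.io.IOException;
import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;

public class JacksonTypingCheck {

    /** Plain data class standing in for a model object (constructed for this example). */
    public static class Vendor {
        public String name;
        public int port;
    }

    /** Ordinary payload: binds to the concrete class. */
    static final String PLAIN = "{\"name\":\"demo\",\"port\":8080}";

    /** Shape consumed by Jackson's default typing: [ "fully.qualified.Class", { ...fields... } ].
     *  java.util.HashMap is harmless here; a gadget class would take its place in an attack. */
    static final String TYPED_ARRAY = "[\"java.util.HashMap\",{\"name\":\"demo\"}]";

    /** Property-style type id, the form produced by @JsonTypeInfo(use = Id.CLASS). */
    static final String TYPED_PROPERTY = "{\"@class\":\"java.util.HashMap\",\"name\":\"demo\"}";

    /** True when the mapper refuses both type-id payloads for a concrete target class. */
    public static boolean rejectsTypeIds(ObjectMapper mapper) throws IOException {
        boolean arrayRejected = false;
        try {
            mapper.readValue(TYPED_ARRAY, Vendor.class);
        } catch (JsonMappingException e) {
            arrayRejected = true;      // a START_ARRAY token cannot be bound to Vendor
        }
        boolean propertyRejected = false;
        try {
            mapper.readValue(TYPED_PROPERTY, Vendor.class);
        } catch (JsonMappingException e) {
            propertyRejected = true;   // "@class" is an unknown property; FAIL_ON_UNKNOWN_PROPERTIES is on by default
        }
        return arrayRejected && propertyRejected;
    }

    public static void main(String[] args) throws IOException {
        ObjectMapper safe = new ObjectMapper();                 // no default typing: bind to a known class
        Vendor v = safe.readValue(PLAIN, Vendor.class);
        System.out.println("bound " + v.name + ":" + v.port
                + ", rejects attacker type ids: " + rejectsTypeIds(safe));

        ObjectMapper risky = new ObjectMapper();
        risky.enableDefaultTyping(ObjectMapper.DefaultTyping.NON_FINAL);   // the vulnerable configuration
        Object chosen = risky.readValue(TYPED_ARRAY, Object.class);        // the JSON picked the class
        System.out.println("default typing instantiated " + chosen.getClass().getName());
    }
}
```

The first line prints true; the second prints java.util.HashMap, i.e. the class name came from the input. The check to run against a code base before marking one of these entries a false positive is therefore for enableDefaultTyping/activateDefaultTyping calls and for @JsonTypeInfo(use = Id.CLASS) on types bound from untrusted input, and for Object or abstract-typed targets reached through them.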

Repository: sdc-dcae-d-dt
Group: com.google.guava
Impact Analysis: False positive. Guava exposes the application to deserialization of objects without validation and will be able to overload the
The classes that have this vulnerability, AtomicDoubleArray and CompoundOrdering, are not used.
Action: No action in Dublin.

Repository: sdc-dcae-d-dt
Group: jquery
Impact Analysis: jQuery exposes the application to a cross-site scripting vulnerability.
Action: No action in Dublin.

Repository: sdc-dcae-d-dt
Group: org.eclipse.jetty
Impact Analysis: This dependency exposes the application to HTTP request smuggling. There is no mitigation available. The dependency comes with Spring Boot, and the latest versions include a bug that does not allow us to upgrade it.
Action: No action in Dublin. https://lf-onap.atlassian.net/browse/SDC-2268

Repository: sdc-dcae-d-dt
Group: org.eclipse.jetty
Impact Analysis: The jetty package is vulnerable to information disclosure via the InvalidPathException message.
Action: No action in Dublin.

Repository: sdc-dcae-d-dt
Group: org.springframework
Impact Analysis: The spring-core and spring-web modules of Spring Framework are vulnerable to a multipart content pollution vulnerability.
Action: No action in Dublin.

Repository: sdc-dcae-d-dt
Group: org.springframework
Impact Analysis: False positive. We do not use Spring Messaging and as such are not exposed to this issue.
Action: No action in Dublin.

Repository: sdc-dcae-d-dt
Group: org.springframework
Impact Analysis: CVE-2018-15756: false positive, as we do not use Spring to serve static pages. CVE-2018-11039: Spring Framework is vulnerable to Cross-Site Tracing (XST) attacks. CVE-2018-11040: the configuration causing this is not enabled in the application, and as such we are not impacted.
Action: No action in Dublin.

Repository: sdc-dcae-d-dt
Group: org.springframework
Impact Analysis: CVE-2018-11040: the configuration causing this is not enabled in the application, and as such we are not impacted. CVE-2018-1271: false positive; the issue applies when serving pages from a Windows file system, which is not a concern as we run inside a Docker container whose OS is Linux.
Action: No action in Dublin.