Dublin SDNC Security/Vulnerability Report
This table lists the known vulnerabilities, exploitable and non-exploitable, reported in third-party packages used by the SDNC project for the Dublin release. For each finding it gives the affected repositories, the package group, an impact analysis with the fixed version where one exists, and the action taken (normally the Jira issue that tracks the fix, with its status where known).
Repository | Group | Impact Analysis | Action |
---|---|---|---|
sdnc/apps, sdnc/oam | ch.qos.logback | Most likely a false positive: CVE-2017-5929 affects logback's socket receiver components (SocketServer and ServerSocketReceiver), which deserialise logging events received over the network, and SDNC does not use remote socket logging. Should be addressed anyway. | Tracked in issue SDNC-596 (Closed): CVE-2017-5929: vulnerability in logback versions < 1.2.0 |
sdnc/oam | com.fasterxml | Should be upgraded to jackson-databind version 2.9.8 | Tracked in issue SDNC-598 (Closed): Multiple CVEs: jackson-databind and jackson-datatype-jsr310 versions prior to 2.11.0 |
sdnc/oam | com.fasterxml | Should be upgraded to jackson-databind version 2.9.8 | Tracked in issue SDNC-598 (Closed): Multiple CVEs: jackson-databind and jackson-datatype-jsr310 versions prior to 2.11.0 |
sdnc/apps | com.fasterxml.jackson.core | Fixed in version 2.8.6 | Tracked in issue SDNC-597 (Closed): Jackson-core versions prior to 2.8.6 vulnerable to DoS attack |
sdnc/apps | com.fasterxml.jackson.core | Fixed in version 2.9.8 | Tracked in issue SDNC-598 (Closed): Multiple CVEs: jackson-databind and jackson-datatype-jsr310 versions prior to 2.11.0 |
sdnc/apps | com.fasterxml.jackson.core | Fixed in version 2.9.8 | Tracked in issue SDNC-598 (Closed): Multiple CVEs: jackson-databind and jackson-datatype-jsr310 versions prior to 2.11.0 |
sdnc/apps | com.fasterxml.jackson.core | Fixed in version 2.9.8 | Tracked in issue SDNC-598 (Closed): Multiple CVEs: jackson-databind and jackson-datatype-jsr310 versions prior to 2.11.0 |
sdnc/apps | com.fasterxml.jackson.core | No non-vulnerable version is available, but there is a documented workaround. | Tracked in issue SDNC-599 (Closed): CVE-2017-4995: jackson-datatype has incomplete fix |
sdnc/northbound | com.fasterxml.jackson.core | Fixed in version 2.9.8 | Tracked in issue SDNC-598 (Closed): Multiple CVEs: jackson-databind and jackson-datatype-jsr310 versions prior to 2.11.0 |
sdnc/oam | com.fasterxml.jackson.core | No non-vulnerable version is available, but there is a documented workaround. | Tracked in issue SDNC-599 (Closed): CVE-2017-4995: jackson-datatype has incomplete fix |
sdnc/apps | com.fasterxml.jackson.core | No non-vulnerable version is available, but there is a documented workaround. | Tracked in issue SDNC-599 (Closed): CVE-2017-4995: jackson-datatype has incomplete fix |
sdnc/apps | com.fasterxml.jackson.datatype | Fixed in version 2.9.8 | Tracked in issue SDNC-598 (Closed): Multiple CVEs: jackson-databind and jackson-datatype-jsr310 versions prior to 2.11.0 |
sdnc/northbound | com.fasterxml.jackson.datatype | Fixed in version 2.9.8 | Tracked in issue SDNC-598 (Closed): Multiple CVEs: jackson-databind and jackson-datatype-jsr310 versions prior to 2.11.0 |
sdnc/apps, sdnc/northbound | com.google.guava | Fixed in version 23.6.1 | Tracked in issue SDNC-600 (Closed): CVE-2018-10237: Google Guava versions < 23.6.1 |
sdnc/oam | dom4j | Fixed in version 2.1.1 | Tracked in issue SDNC-651 (Closed): CVE-2018-1000632: dom4j < 2.1.1 |
sdnc/oam | javax.servlet | Fixed in version 1.2.3 | Tracked in issue SDNC-651 (Closed): CVE-2018-1000632: dom4j < 2.1.1 |
sdnc/northbound | javax.mail | Fixed in version 1.5.3 | Tracked in issue https://lf-onap.atlassian.net/browse/SDNC-604 |
sdnc/northbound, sdnc/oam | org.apache.karaf.jaas | Inherited from OpenDaylight Fluorine release | Must be fixed in upstream OpenDaylight |
sdnc/northbound, sdnc/oam | org.apache.karaf.jaas | Inherited from OpenDaylight Fluorine release | Must be fixed in upstream OpenDaylight |
sdnc/northbound, sdnc/oam | org.apache.karaf.jaas | Inherited from OpenDaylight Fluorine release | Must be fixed in upstream OpenDaylight |
sdnc/northbound, sdnc/oam | org.apache.karaf.jaas | Inherited from OpenDaylight Fluorine release | Must be fixed in upstream OpenDaylight |
sdnc/northbound, sdnc/oam | org.apache.karaf.shell | Inherited from OpenDaylight Fluorine release | Must be fixed in upstream OpenDaylight |
sdnc/northbound, sdnc/oam | org.apache.karaf.shell | Inherited from OpenDaylight Fluorine release | Must be fixed in upstream OpenDaylight |
sdnc/oam | org.apache.logging.log4j | Fixed in version 2.8.2 | Tracked in issue https://lf-onap.atlassian.net/browse/SDNC-608 |
sdnc/oam | org.apache.tomcat.embed | Upgrade to version 8.5.32 | Tracked in issue https://lf-onap.atlassian.net/browse/SDNC-610 |
sdnc/oam | org.apache.tomcat.embed | Upgrade to version 8.5.32 | Tracked in issue https://lf-onap.atlassian.net/browse/SDNC-610 |
sdnc/oam | org.apache.tomcat.embed | Upgrade to version 8.5.32 | Tracked in issue https://lf-onap.atlassian.net/browse/SDNC-610 |
sdnc/oam | org.apache.tomcat.embed | Upgrade to version 8.5.32 | Tracked in issue https://lf-onap.atlassian.net/browse/SDNC-610 |
sdnc/oam | org.apache.tomcat.embed | Upgrade to version 8.5.32 | Tracked in issue https://lf-onap.atlassian.net/browse/SDNC-610 |
sdnc/oam | org.apache.tomcat.embed | Upgrade to version 8.5.32 | Tracked in issue https://lf-onap.atlassian.net/browse/SDNC-610 |
sdnc/oam | org.apache.tomcat.embed | Upgrade to version 8.5.32 | Tracked in issue https://lf-onap.atlassian.net/browse/SDNC-610 |
sdnc/oam | org.apache.tomcat.embed | Upgrade to version 8.5.32 | Tracked in issue https://lf-onap.atlassian.net/browse/SDNC-610 |
sdnc/oam | org.apache.tomcat.embed | Upgrade to version 8.5.32 | Tracked in issue https://lf-onap.atlassian.net/browse/SDNC-610 |
sdnc/oam | org.apache.tomcat.embed | Upgrade to version 8.5.32 | Tracked in issue https://lf-onap.atlassian.net/browse/SDNC-610 |
sdnc/oam | org.codehaus.jackson | No non-vulnerable version is available, but there is a documented workaround. | Tracked in issue SDNC-599 (Closed): CVE-2017-4995: jackson-datatype has incomplete fix |
sdnc/oam | org.hibernate | Upgrade to version 5.3.6.Final or above | Tracked in issue https://lf-onap.atlassian.net/browse/SDNC-611 |
sdnc/apps, sdnc/northbound | org.springframework | Fixed in version 4.3.15.RELEASE | Tracked in issue https://lf-onap.atlassian.net/browse/SDNC-601 |
sdnc/apps, sdnc/northbound | org.springframework | Fixed in version 4.3.15.RELEASE | Tracked in issue https://lf-onap.atlassian.net/browse/SDNC-601 |
sdnc/apps, sdnc/northbound | org.springframework | Fixed in version 4.3.15.RELEASE | Tracked in issue https://lf-onap.atlassian.net/browse/SDNC-601 |
sdnc/apps, sdnc/northbound | org.springframework | Fixed in version 4.3.20.RELEASE | Tracked in issue https://lf-onap.atlassian.net/browse/SDNC-601 |
sdnc/apps, sdnc/northbound | org.springframework | Fixed in version 4.3.18.RELEASE | Tracked in issue https://lf-onap.atlassian.net/browse/SDNC-601 |
sdnc/apps, sdnc/northbound | org.springframework | Fixed in version 4.3.18.RELEASE | Tracked in issue https://lf-onap.atlassian.net/browse/SDNC-601 |
sdnc/oam | org.springframework | Fixed in version 4.3.20.RELEASE | Tracked in issue https://lf-onap.atlassian.net/browse/SDNC-601 |
sdnc/oam | org.springframework | Fixed in version 4.3.18.RELEASE | Tracked in issue https://lf-onap.atlassian.net/browse/SDNC-601 |
sdnc/oam | org.springframework | Fixed in version 4.3.18.RELEASE | Tracked in issue https://lf-onap.atlassian.net/browse/SDNC-601 |
sdnc/oam | org.springframework | Fixed in version 4.3.18.RELEASE | Tracked in issue https://lf-onap.atlassian.net/browse/SDNC-601 |
sdnc/oam | org.springframework | Fixed in version 4.3.18.RELEASE | Tracked in issue https://lf-onap.atlassian.net/browse/SDNC-601 |
sdnc/oam | org.springframework.data | Fixed in version 1.13.11 | Tracked in issue https://lf-onap.atlassian.net/browse/SDNC-612 |
sdnc/oam | org.springframework.data | Fixed in version 1.13.12 | Tracked in issue https://lf-onap.atlassian.net/browse/SDNC-612 |
sdnc/oam | org.springframework.data | Fixed in version 1.13.10 | Tracked in issue https://lf-onap.atlassian.net/browse/SDNC-612 |
sdnc/oam | org.webjars | Fixed in version 4.0.0 and above | Tracked in issue https://lf-onap.atlassian.net/browse/SDNC-613 |
sdnc/oam | org.webjars | Fixed in version 3.4.0 and above | Tracked in issue https://lf-onap.atlassian.net/browse/SDNC-613 |
sdnc/oam | org.webjars | Fixed in version 3.4.0 and above | Tracked in issue https://lf-onap.atlassian.net/browse/SDNC-613 |
sdnc/oam | org.webjars | Fixed in version 4.1.2 and above | Tracked in issue https://lf-onap.atlassian.net/browse/SDNC-613 |
sdnc/oam | org.webjars | Fixed in jQuery version 3.0.0 | Tracked in issue https://lf-onap.atlassian.net/browse/SDNC-608 |
sdnc/oam | org.webjars | Fixed in jQuery version 3.0.0 | Tracked in issue https://lf-onap.atlassian.net/browse/SDNC-608 |
sdnc/oam | bootstrap | Fixed in version 4.1.2 | Tracked in issue https://lf-onap.atlassian.net/browse/SDNC-605 |
sdnc/oam | bootstrap | Fixed in version 4.1.2 | Tracked in issue https://lf-onap.atlassian.net/browse/SDNC-605 |
sdnc/oam | bootstrap | Fixed in version 4.1.2 | Tracked in issue https://lf-onap.atlassian.net/browse/SDNC-605 |
sdnc/oam | bootstrap | Fixed in version 4.1.2 | Tracked in issue https://lf-onap.atlassian.net/browse/SDNC-605 |
sdnc/oam | bootstrap-table | Needs further research. The scanner's problem description is poor, as is common with these findings: it says to upgrade to a version that does not have the vulnerability without stating which version that is. | Tracked in issue https://lf-onap.atlassian.net/browse/SDNC-605 |
sdnc/apps | handlebars | Workaround is to ensure that every Handlebars expression (double braces, e.g. {{ hello there }}) is enclosed in single quotes (e.g. '{{ hello there }}') | Tracked in issue https://lf-onap.atlassian.net/browse/SDNC-602 |
sdnc/oam | jquery | Fixed in jQuery version 3.0.0 | Tracked in issue https://lf-onap.atlassian.net/browse/SDNC-608 |
sdnc/oam | jquery | Fixed in jQuery version 3.0.0 | Tracked in issue https://lf-onap.atlassian.net/browse/SDNC-608 |
sdnc/oam | jquery | Fixed in jQuery version 3.0.0 | Tracked in issue https://lf-onap.atlassian.net/browse/SDNC-608 |
sdnc/oam | jquery | Fixed in jQuery version 3.0.0 | Tracked in issue https://lf-onap.atlassian.net/browse/SDNC-608 |
sdnc/apps | uikit | Appears to have been fixed in 2016, but it is unclear in which version. This is a recurrent theme in Sonatype findings: the problem description generally says "upgrade to a version that does not have this vulnerability" without naming that version, giving only a link to the change on GitHub, which does not say which release it applies to. | Tracked in issue https://lf-onap.atlassian.net/browse/SDNC-603 |
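The table gives, for each package group, the version in which the finding is fixed. As an added example (not part of this report and not the SDNC project's own tooling), the following Python script checks the dependencies a Maven build actually resolves against those minimum versions. It assumes the line format printed by `mvn dependency:list` (`groupId:artifactId:type[:classifier]:version:scope`); the dependency listing embedded in it is constructed sample input, not output from an SDNC build, and the map from the table's groups to minimum versions (taking the highest version where the table lists several, and `group:artifact` keys where the table's fix depends on the artifact) is this example's own. Version ordering is a simplified form of Maven's rules, sufficient for the versions in the table.

```python
"""Check a Maven dependency listing against the fixed versions in the
SDNC Dublin vulnerability table. Added example; the minimum-version map and
the sample listing below are this example's own, not SDNC project data."""
import re
from typing import Dict, List, Tuple

# Minimum fixed versions from the table. Plain group keys apply to every
# artifact in that group; "group:artifact" keys take precedence over them.
# Where the table lists several fixed versions for one group, the highest
# is used, since it covers the others.
MIN_VERSIONS: Dict[str, str] = {
    "ch.qos.logback": "1.2.0",                  # SDNC-596
    "com.fasterxml.jackson.core": "2.9.8",      # SDNC-597/598 (2.9.8 also covers the 2.8.6 jackson-core fix)
    "com.fasterxml.jackson.datatype": "2.9.8",  # SDNC-598
    "com.google.guava": "23.6.1",               # SDNC-600
    "dom4j": "2.1.1",                           # SDNC-651
    "org.dom4j": "2.1.1",                       # dom4j 2.x is published under this group id
    "javax.mail": "1.5.3",                      # SDNC-604
    "org.apache.logging.log4j": "2.8.2",        # SDNC-608
    "org.apache.tomcat.embed": "8.5.32",        # SDNC-610
    "org.hibernate": "5.3.6.Final",             # SDNC-611
    "org.springframework": "4.3.20.RELEASE",    # SDNC-601
    "org.springframework.data": "1.13.12",      # SDNC-612
    "org.webjars:jquery": "3.0.0",              # SDNC-608
    "org.webjars:bootstrap": "4.1.2",           # SDNC-605
}

# Groups for which the table records no fixed version at all: any use is
# reported so that the documented workaround can be verified by hand.
NO_FIXED_VERSION: Dict[str, str] = {
    "org.codehaus.jackson": "SDNC-599",
}

# One resolved dependency as printed by `mvn dependency:list`:
#   [INFO]    groupId:artifactId:type[:classifier]:version:scope
DEP_LINE = re.compile(
    r"^\[INFO\]\s+(?P<group>[\w.\-]+):(?P<artifact>[\w.\-]+):(?P<type>[\w\-]+):"
    r"(?:(?P<classifier>[\w.\-]+):)?(?P<version>[\w.\-]+):(?P<scope>\w+)\s*$"
)

# Pre-release qualifiers rank below a release; Final/GA/RELEASE are dropped
# because Maven treats them as equal to no qualifier at all.
_QUALIFIER_RANK = {"alpha": -5, "a": -5, "beta": -4, "b": -4, "milestone": -3,
                   "m": -3, "rc": -2, "cr": -2, "snapshot": -1}
_RELEASE_ALIASES = {"final", "ga", "release"}


def version_key(version: str) -> List[Tuple[int, int]]:
    """Comparable form of a Maven-style version (simplified ComparableVersion).

    Tokens are split on separators and on letter/digit boundaries, so
    '1.0-rc1' becomes 1, 0, rc, 1. Numbers sort as (1, n) and qualifiers as
    (0, rank), so a number always beats a qualifier; unknown qualifiers
    such as guava's '-jre' rank above a release, as in Maven.
    """
    key: List[Tuple[int, int]] = []
    for tok in re.findall(r"\d+|[a-z]+", version.lower()):
        if tok.isdigit():
            key.append((1, int(tok)))
        elif tok not in _RELEASE_ALIASES:
            key.append((0, _QUALIFIER_RANK.get(tok, 1)))
    return key


def is_at_least(version: str, minimum: str) -> bool:
    """True if `version` is the same as or newer than `minimum`."""
    a, b = version_key(version), version_key(minimum)
    width = max(len(a), len(b))
    # Pad with "release" so that '1.0' == '1.0.0' and '1.0' > '1.0-SNAPSHOT'.
    a += [(0, 0)] * (width - len(a))
    b += [(0, 0)] * (width - len(b))
    return a >= b


def parse_dependency_list(text: str) -> List[Tuple[str, str, str]]:
    """Return (group, artifact, version) for each resolved dependency line."""
    deps = []
    for line in text.splitlines():
        m = DEP_LINE.match(line)
        if m:
            deps.append((m["group"], m["artifact"], m["version"]))
    return deps


def check_dependencies(text: str) -> List[str]:
    """Report every resolved dependency that is below its fixed version."""
    findings = []
    for group, artifact, version in parse_dependency_list(text):
        coord = f"{group}:{artifact}"
        if group in NO_FIXED_VERSION:
            findings.append(f"{coord}:{version}: no fixed version, verify the "
                            f"workaround ({NO_FIXED_VERSION[group]})")
            continue
        minimum = MIN_VERSIONS.get(coord, MIN_VERSIONS.get(group))
        if minimum is not None and not is_at_least(version, minimum):
            findings.append(f"{coord}:{version}: below fixed version {minimum}")
    return findings


# Constructed sample listing in `mvn dependency:list` format (not real SDNC output).
SAMPLE_DEPENDENCY_LIST = """\
[INFO] --- maven-dependency-plugin:3.1.1:list (default-cli) @ sdnc-oam ---
[INFO] The following files have been resolved:
[INFO]    com.fasterxml.jackson.core:jackson-databind:jar:2.9.5:compile
[INFO]    com.fasterxml.jackson.core:jackson-core:jar:2.9.8:compile
[INFO]    org.springframework:spring-core:jar:4.3.18.RELEASE:compile
[INFO]    org.springframework:spring-web:jar:4.3.20.RELEASE:compile
[INFO]    org.hibernate:hibernate-core:jar:5.3.6.Final:compile
[INFO]    com.google.guava:guava:jar:23.6.1-jre:compile
[INFO]    org.apache.tomcat.embed:tomcat-embed-core:jar:8.5.14:compile
[INFO]    org.codehaus.jackson:jackson-mapper-asl:jar:1.9.13:compile
[INFO]    org.webjars:jquery:jar:2.2.4:compile
[INFO]    org.webjars:bootstrap:jar:4.1.2:compile
[INFO]    org.webjars:angularjs:jar:1.7.5:compile
[INFO]    ch.qos.logback:logback-classic:jar:1.2.3:compile
"""

if __name__ == "__main__":
    for finding in check_dependencies(SAMPLE_DEPENDENCY_LIST):
        print(finding)
```

Run it against a real listing with `mvn dependency:list | python check_deps.py`-style piping by replacing the sample text with `sys.stdin.read()`. Note the two cases the table itself distinguishes: a dependency below a known fixed version is a plain upgrade, while a group with no fixed version (org.codehaus.jackson here) is reported on sight, because only a manual check can confirm the workaround is in place. Artifacts the table does not mention (angularjs in the sample) are not reported, so a clean run means "nothing from the table is outstanding", not "no vulnerabilities".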
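For the handlebars row, the workaround is a template-authoring rule rather than an upgrade, so it is worth checking mechanically. The following Python function, an added example and not code from the SDNC project, scans a template for `{{ ... }}` expressions that are not immediately enclosed in quotes. By default it requires single quotes, as the table states; the `quotes` parameter is this example's own and lets a reviewer accept double quotes as well. The template it scans is constructed sample input. The check is purely textual: it does not parse HTML, so it also reports expressions in element content and in Handlebars comments.

```python
"""Flag Handlebars expressions that are not enclosed in quotes, the
workaround the table records for the handlebars finding. Added example; the
`quotes` parameter and the sample template are this example's own."""
import re
from typing import List, Tuple

# A Handlebars expression: double braces around anything that is not a brace.
HANDLEBARS_EXPR = re.compile(r"\{\{[^{}]*\}\}")


def unquoted_expressions(template: str, quotes: str = "'") -> List[Tuple[int, str]]:
    """Return (line number, expression) for every {{...}} in `template` that
    is not written as '{{...}}' (or wrapped in another character from
    `quotes`, with the same character on both sides).

    Textual check only: it does not parse HTML, so an expression is reported
    whenever the characters directly before and after it are not a matching
    pair of quotes, wherever in the template it appears.
    """
    findings: List[Tuple[int, str]] = []
    for lineno, line in enumerate(template.splitlines(), start=1):
        for m in HANDLEBARS_EXPR.finditer(line):
            before = line[m.start() - 1] if m.start() > 0 else ""
            after = line[m.end()] if m.end() < len(line) else ""
            if not (before and before == after and before in quotes):
                findings.append((lineno, m.group(0)))
    return findings


# Constructed sample template (not an SDNC template).
SAMPLE_TEMPLATE = """\
<a href={{link}}>{{ title }}</a>
<a href='{{link}}'>'{{ title }}'</a>
<input value="{{ value }}">
"""

if __name__ == "__main__":
    for lineno, expr in unquoted_expressions(SAMPLE_TEMPLATE):
        print(f"line {lineno}: {expr} is not quoted")
```

On the sample, line 1 is reported twice (the unquoted `href` value and the unquoted element content), line 2 passes, and line 3 is reported under the table's single-quote rule but passes if `quotes="'\""` is given. Because the check is textual, treat its output as a review list rather than a pass/fail gate.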