Dublin Portal Platform Security/Vulnerability Report
This table represents the known exploitable and non-exploitable vulnerabilities in third party packages used in the project.
High-level mitigation plan:
Regarding known issues such as DoS, Remote Code Execution (RCE), CORS attacks and HTTP request smuggling: the Portal's code does not expose these vulnerabilities directly, because the affected libraries sit behind many layers of API encapsulation, so these are most likely false positives reported by the NexusIQ scan. To be on the safe side, however, the mitigation plan is to deploy the Portal platform in a secure environment, e.g. in a private network inside the company firewall.
Repository | Group | Impact Analysis | Action |
---|---|---|---|
portal | com.fasterxml.jackson.core | False positive. Analysis: This vulnerability is not exposed from the portal's code, because Spring version 4.2.3 will take care of this. Comments from Nexus-IQ: Spring Security has provided their own fix for this vulnerability (CVE-2017-4995). If this component is being used as part of Spring Security, then you are not vulnerable if you are running Spring Security 4.2.3.RELEASE or greater for 4.x or Spring Security 5.0.0.M2 or greater for 5.x. | Not vulnerable in ONAP |
portal | moments | All available versions of moment.js are vulnerable. Upgrade is not an option. Analysis: Not vulnerable as all our date fields are reformatted and validated before being submitted. See the CVE 185 information below: The moment package is vulnerable to Regular Expression Denial of Service (ReDoS). The monthsShortRegex(), monthsRegex(), weekdaysRegex(), weekdaysShortRegex() and weekdaysMinRegex() functions in the moment.js, moment-with-locales.js and regex.js files use a vulnerable regular expression while parsing the date input. A remote attacker can exploit this vulnerability by crafting a date input containing a very long sequence of repetitive characters which, when parsed, consumes available CPU resources and results in Denial of Service (PORTAL-531). | Upgrade to moment 2.11.2+ |
portal, portal-sdk | org.elasticsearch | Description from CVE: Elasticsearch Alerting and Monitoring in versions before 6.4.1 or 5.6.12 have an information disclosure issue when secrets are configured via the API. The Elasticsearch _cluster/settings API, when queried, could leak sensitive configuration information such as passwords, tokens, or usernames. This could allow an authenticated Elasticsearch user to improperly view these details. | Upgrade of Elasticsearch Alerting and Monitoring to versions after 6.4.1 or 5.6.12 |
portal, portal-sdk | angular | Analysis: Cannot upgrade angular as this will require changes on all the Portal pages. From our analysis the vulnerability cannot be exploited because the portal application follows the design recommendation below, provided by the nexus-iq report. Recommendation by nexus-iq for this vulnerability (SONATYPE-2016-0064): It's best to design your application in such a way that users cannot change client-side templates. | Not vulnerable in ONAP |
portal, portal-sdk | angular-sanitize 1.5.0, Angularjs | Explanation: AngularJS is vulnerable to Cross-Site Scripting (XSS). The application is vulnerable by using this component only when | We will perform the upgrade along with angular.js. In later versions svgEnabled is set to false by default, so an upgrade to 1.5+ should be considered. |
portal, portal-sdk | angular-ui-grid 3.0.7 | Explanation: The ui-grid package is susceptible to CSV Macro Injection. The Advisory Deviation Notice: The Sonatype security research team discovered that the vulnerability is present from version 3.0.0-rc.1 onward, and that the attack can take place as described in the associated issue, despite quoting strings on export. | Not vulnerable in ONAP. We are not using any export feature from angular-ui-grid. |
portal | org.webjars.bower | Explanation: The AngularJS framework is vulnerable to Remote Code Execution (RCE) and Cross-Site Scripting (XSS). The Recommendation | Same comments as for angular.js. We will perform the upgrade along with angular.js. |
portal | commons-beanutils | All available versions of commons-beanutils are vulnerable. Upgrade is not an option. Analysis: The portal code does not use the classloader, so it is not vulnerable in ONAP. CVE CWE: 20 | Not vulnerable in ONAP |
portal-sdk | org.apache.poi | Analysis: Not vulnerable as we do not use POI to read documents. We use it only to generate XLS from our own data. CVE CWE: 399: Apache POI in versions prior to release 3.17 is vulnerable to Denial of Service attacks: 1) infinite loops while parsing crafted WMF, EMF, MSG and macros (POI bugs 61338 and 61294), and 2) Out of Memory Exceptions while parsing crafted DOC, PPT and XLS (POI bugs 52372 and 61295). | Not vulnerable in ONAP |
portal, portal-sdk | org.springframework | Request exception | |
portal, portal-sdk | io.netty : netty-handler : 4.0.56.Final | Need to upgrade to version 4.1.10.final+ | |
portal, portal-sdk | commons-fileupload | Target fix in Dublin release | |
portal-sdk | xerces | Request exception | |
portal-sdk | bootstrap | There is no non vulnerable version of this package. | Request exception |
portal, portal-sdk | org.bouncycastle | We will try to handle this in the Dublin release based on resource availability and priority. | |
portal | org.codehaus.groovy | We will try to handle this in the Dublin release based on resource availability and priority. | |
portal | org.eclipse.jetty jetty-util | We will try to handle this in the Dublin release based on resource availability and priority. Will upgrade to 9.2.14.v20151106 or will disable HTTP/1.1. | |
portal | org.apache.tomcat.embed | The configuration for CorsFilter needs to change. We will change the urlPattern in web.xml for CorsFilter from * to *onap*. | |
portal | org.apache.cxf | False positive. We do not use the code below, which is vulnerable: System.setProperty("java.protocol.handler.pkgs", "com.sun.net.ssl.internal.www.protocol"); | Not vulnerable |
portal | org.hibernate | We will try to handle this in the Dublin release based on resource availability and priority. | |
portal, portal-sdk | com.mchange | Will upgrade to 0.9.5.3. Dublin + | |
portal | postgresql-9.1-901-1.jdbc4.jar | Description from CVE: A weakness was found in postgresql-jdbc before version 42.2.5. It was possible to provide an SSL Factory and not check the host name if a host name verifier was not provided to the driver. This could lead to a condition where a man-in-the-middle attacker could masquerade as a trusted server by providing a certificate for the wrong host, as long as it was signed by a trusted CA. Explanation: The | Remove this lib. It may not be used anymore. |
portal, portal-sdk | dom4j | Description from CVE: dom4j versions prior to 2.1.1 contain a CWE-91: XML Injection vulnerability in Class: Element, Methods: addElement, addAttribute, which can result in an attacker tampering with XML documents through XML injection. This attack appears to be exploitable via an attacker specifying attributes or elements in the XML document. This vulnerability appears to have been fixed in 2.1.1 or later. Explanation: The | Need to upgrade to version 2.1.1 |
portal, portal-sdk | org.apache.wicket | Description from CVE | Need to upgrade to Apache Wicket 6.25.0 |
portal, portal-sdk | jquery 2.2.4 | Explanation: The | Need to upgrade to 3.2.0+ |
portal-sdk | jQuery 1.4.2 | Explanation: The | Need to upgrade to 2.0.0 |
portal, portal-sdk | org.webjars bootstrap | Description from CVE: In Bootstrap before 4.1.2, XSS is possible in the data-container property of tooltip. Explanation: The | Need to upgrade to 4.1.3 |
portal, portal-sdk | org.owasp.esapi | Description from CVE: The authenticated-encryption feature in the symmetric-encryption implementation in the OWASP Enterprise Security API (ESAPI) for Java 2.x before 2.1.0.1 does not properly resist tampering with serialized ciphertext, which makes it easier for remote attackers to bypass intended cryptographic protection mechanisms via an attack against the intended cipher mode in a non-default configuration, a different vulnerability than CVE-2013-5679. Explanation: An attacker can manipulate the cipher transformation (e.g., changing the cipher mode from CBC to OFB, or the padding scheme) to adverse effect. | Not vulnerable in ONAP. ESAPI symmetric crypto is not being used in Portal. |
portal, portal-sdk | org.apache.zookeeper | Need to upgrade to the latest MUSIC 3.2.x version and incorporate the changes in code. Will need resource help. | |
portal, portal-sdk | org.owasp.antisamy | Description from CVE: OWASP AntiSamy before 1.5.7 allows XSS via HTML5 entities, as demonstrated by use of &colon; to construct a javascript: URL. Explanation: AntiSamy is vulnerable to Cross-Site Scripting (XSS). The package uses an HTML serializer that doesn't take HTML5 entities into consideration, such as | Need to upgrade to version 1.5.7+ |
portal | org.thymeleaf | In XHTML environments, a similar issue could appear if XHTML escapes are used inside literals. When browsers are operating in XHTML mode (Content-Type: application/xhtml+xml), they will apply these XHTML escapes before processing the script, so these escapes could be used for closing the literal and even the <script> tag: <script> var value = "This is a value"+[SOME_INJECTED_CODE]+""; </script> The most adequate way to avoid this and make JSON, JavaScript and CSS literal escapes safe to be used both in HTML and XHTML scenarios is to always escape not only | Upgrading to the latest version of spring-boot-starter-thymeleaf |
portal | org.springframework.security.oauth | Spring Security OAuth2 is vulnerable to Remote Code Execution. By supplying a string such as ${T(java.lang.Runtime).getRuntime().exec("ls")} as the value for the scope authorization parameter, We are not vulnerable to this kind of attack because Portal does not act as an authorization server via | Not vulnerable in ONAP. Portal does not act as an authorization server via |
portal | org.springframework.security | Spring Security is vulnerable to Privilege Escalation. The requiresSwitchUser() and requiresExitUser() methods of the SwitchUserFilter class return true for all URLs ending in the switch user path. A remote attacker can exploit this behavior by appending the switch user path to a URL to change the attacker's privilege level. We do not use SwitchUserFilter. In fact we have our own mechanism to authorize the user via DB configuration. | Not vulnerable in ONAP. spring-security-web is not used to authorize the users. |
portal | org.springframework.security | Insecure randomness vulnerability when using SecureRandomFactoryBean#setSeed to configure a SecureRandom instance. We do not use SecureRandomFactoryBean. | Not vulnerable in ONAP. SecureRandomFactoryBean is not used in any random number generation. |
portal | org.springframework.security | Does not consider URL path parameters when processing security constraints. By adding a URL path parameter with special encodings, an attacker may be able to bypass a security constraint. We use our own filtering to allow or disallow access to URLs based on the Restricted URL table. | Not vulnerable in ONAP. spring-security-config is not used for any URL restriction. |
portal | org.springframework.data | Derived queries using any of the predicates 'startingWith', 'endingWith' or 'containing' could return more results than anticipated when a maliciously crafted query parameter value is supplied. The | Need to upgrade spring-data-jpa to version 1.11.20.RELEASE |
portal | org.springframework.data | Spring Data Commons is vulnerable to Remote Code Execution (RCE). The By creating a nested path (i.e. | Need to upgrade to 2.1.6-RELEASE. |
portal, portal-sdk | org.springframework | Spring Framework is vulnerable to a Directory Traversal attack. The Allows web applications to enable cross-domain requests via JSONP (JSON with Padding) through AbstractJsonpResponseBodyAdvice for REST controllers, and MappingJackson2JsonView for browser requests. We are not vulnerable to this attack because we do not use MappingJackson2JsonView. Spring WebMVC is vulnerable to Path Traversal when configured to serve static resources from a Windows file system. We are not vulnerable to this attack because Portal is not meant to run in a Windows environment. | Not vulnerable in ONAP as we do not use ResourceServlet, we do not use MappingJackson2JsonView and we do not run Portal in a Windows environment. |
portal, portal-sdk | org.springframework | The Spring Framework is vulnerable to Denial of Service (DoS). The Spring Framework is vulnerable to Cross-Site Tracing (XST) attacks. The Allows web applications to enable cross-domain requests via JSONP (JSON with Padding) through AbstractJsonpResponseBodyAdvice for REST controllers, and MappingJackson2JsonView for browser requests. We are not vulnerable to this attack because we do not use MappingJackson2JsonView (PORTAL-607). | Need to upgrade to 4.3.23-RELEASE |
portal, portal-sdk | org.springframework | The The | Need to upgrade spring-webmvc to 4.3.23-RELEASE |
portal | org.apache.tomcat.embed | Need to upgrade spring-boot-starter-web from 1.4.2.RELEASE to 1.5.20.RELEASE | |
portal, portal-sdk | org.apache.poi | 1) Infinite loops while parsing crafted WMF, EMF, MSG and macros (POI bugs 61338 and 61294), and 2) Out of Memory Exceptions while parsing crafted DOC, PPT and XLS (POI bugs 52372 and 61295). Apache POI is prone to denial of service (DoS) attacks as the We use POI only to generate XLS from our own data and do not use it to parse files. | Not vulnerable in ONAP. |
portal | org.apache.cxf | Vulnerable to Regular Expression Denial of Service (ReDoS). The | Need to upgrade to 3.2.6 |
portal | org.apache.cxf | Vulnerable to Regular Expression Denial of Service (ReDoS). The When the | CVE-2017-12624 can be fixed by upgrading cxf-core to 3.2.6. No known solution for CVE-2014-0109 |
portal | ognl | The Object-Graph Navigation Language (OGNL) is vulnerable to a Denial of Service (DoS) as it uses an improper implementation of the cache used to store method references. | The dependency comes from spring-boot-starter-thymeleaf. Need to upgrade to a newer version |
portal, portal-sdk | commons-codec | The Apache | |
portal | com.squareup.okhttp3 | CertificatePinner.java in OkHttp 3.x through 3.12.0 allows man-in-the-middle attackers to bypass certificate pinning by changing SSLContext and the boolean values while hooking the application. We will not use Consul in the post-Dublin release (PORTAL-613). | Remove usage of the parent dependency com.orbitz.consul |
portal | com.alibaba | Remove usage of fastjson | |
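The moment.js row above rests on date fields being reformatted and validated before they are submitted. The following is an added example, not code from the ONAP Portal, of such a gate in plain JavaScript: it bounds the input length and enforces a fixed ISO date shape before any date library sees the value, so a long repetitive string of the kind the ReDoS advisory describes is rejected before any parsing regex runs. `validateDateInput` and `MAX_DATE_INPUT_LENGTH` are names chosen here, not Portal identifiers.

```javascript
"use strict";

// Upper bound on what a legitimate date field can hold.  An ISO date
// "YYYY-MM-DD" is 10 characters; a little slack covers stray whitespace.
// (Constant chosen for this example, not a Portal setting.)
const MAX_DATE_INPUT_LENGTH = 16;

// Strict shape check: fixed-width digit groups and literal separators only.
// No nested or overlapping quantifiers, so the check itself is linear time.
const ISO_DATE_RE = /^(\d{4})-(\d{2})-(\d{2})$/;

// Returns { ok: true, value } with the canonical "YYYY-MM-DD" string, or
// { ok: false, reason } when the input must not be forwarded to a parser.
function validateDateInput(raw) {
  if (typeof raw !== "string") return { ok: false, reason: "not a string" };
  const value = raw.trim();

  // Length first: cheapest test, and it removes the ReDoS trigger (very
  // long inputs) before any regular expression is applied to the value.
  if (value.length > MAX_DATE_INPUT_LENGTH) return { ok: false, reason: "too long" };

  const m = ISO_DATE_RE.exec(value);
  if (!m) return { ok: false, reason: "not an ISO 8601 date" };

  // Calendar sanity check so "2019-02-30" is rejected here rather than
  // being handed to a date library to "roll over" into March.
  const [year, month, day] = [m[1], m[2], m[3]].map(Number);
  const probe = new Date(0);
  probe.setUTCFullYear(year, month - 1, day);
  if (probe.getUTCFullYear() !== year ||
      probe.getUTCMonth() !== month - 1 ||
      probe.getUTCDate() !== day) {
    return { ok: false, reason: "invalid calendar date" };
  }

  // Canonical form: this, and only this, is what the date library or the
  // server ever receives.
  return { ok: true, value: `${m[1]}-${m[2]}-${m[3]}` };
}
```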
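The org.thymeleaf row above describes how XHTML escapes placed inside a JavaScript string literal are decoded by the browser before the script runs, so they can close the literal or the script element. The following is an added example, not Thymeleaf's or the Portal's code, of the escaping strategy that row's last sentence points at: every character that could terminate the literal, form an entity or end the script element is emitted as a \uXXXX sequence, which neither an HTML nor an XML parser interprets. `escapeJsLiteral` and `renderInlineScript` are names chosen here.

```javascript
"use strict";

// Characters that must never appear literally inside the string literal:
//   \ ' "            terminate or alter the JS string itself
//   < > /            could form "</script>" and end the script element early
//   &                could form an XHTML entity such as &quot; which the XML
//                    parser decodes BEFORE the script engine sees the literal
//   line terminators end the statement in the middle of the literal
//   other C0 controls  never legitimate in a one-line literal
const ESCAPED = /[\\'"<>\/&\u2028\u2029\u0000-\u001f]/g;

// Escape a value for use between the quotes of a JS string literal in an
// inline <script>, safely for both text/html and application/xhtml+xml.
function escapeJsLiteral(value) {
  return String(value).replace(ESCAPED, (ch) => {
    // A \uXXXX escape is plain ASCII letters and digits: no markup parser
    // can mistake it for a tag or an entity, and the JS engine decodes it
    // only when it evaluates the string literal.
    return "\\u" + ch.charCodeAt(0).toString(16).padStart(4, "0");
  });
}

// Emit the inline script from the row's example.  The quote delimiters are
// ours; the untrusted value can only ever contribute \uXXXX sequences.
function renderInlineScript(value) {
  return '<script> var value = "' + escapeJsLiteral(value) + '"; </script>';
}
```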