Dublin SO Security/Vulnerability Report

This table lists the known exploitable and non-exploitable vulnerabilities reported in third-party packages used by the project, with an impact analysis and the planned action for each.

| Repository | Group | Impact Analysis | Action |
|---|---|---|---|
| SO | com.fasterxml.jackson.core | False positive. Jackson is only an issue if default typing is left enabled. SO does not use default typing; it uses strict parsing and validation of deserialized data. SO does not read application data (XML/JSON) from any unknown (untrusted) source. | No action. All existing jackson-databind versions have vulnerability issues. |
| SO | commons-beanutils | The reported issue is remote code execution (RCE) via the class loader; current SO does not exercise the specific scenarios reported. | No action. All existing jackson-databind versions have vulnerability issues. |
| SO | commons-collections | Pulled in by Spring Boot (indirect dependency). | Will be handled in the E release (SO-1778). |
| SO | dom4j | Pulled in by Spring Boot (indirect dependency). | No action. |
| SO | io.springfox | Used in the vnfm-service and vnfm-simulator modules. | Needs upgrade to 2.7.0, 2.8.0 or 2.9.2; will be handled in the E release. |
| SO | jquery 1.10.2 | No direct usage; comes along with Spring Boot in the catalog-db-adapter jar and is not used by SO functionality. | No action. |
| SO | js-yaml 3.4.6 | Used only in the simulator code. js-yaml.min.js is located at vnfm-simulator/vnfm-service/target/vnfm-service-1.4.0-SNAPSHOT.jar/BOOT-INF/lib/springfox-swagger-ui-2.6.1.jar/META-INF/resources/webjars/springfox-swagger-ui/lib | No action. |
| SO | org.apache.tomcat.embed | Pulled in by Spring Boot (indirect dependency). | Needs upgrade to 9.0.20; will be handled in the E release. |
| SO | org.slf4j | Pulled in by Spring Boot 1.5.13.RELEASE and also specified directly by SO. | Needs upgrade to 1.7.26; will be handled in the E release. |
| SO | org.springframework | Pulled in by Spring Boot. | Needs upgrade to 5.0.10 or 5.1.5; will be handled in the E release (SO-1778). |
| SO | org.webjars jquery | Not used in the code; comes from the Spring framework (spring-data-rest-hal-browser). jquery-1.10.2.js is located at adapters/mso-catalog-db-adapter/target/mso-catalog-db-adapter-1.4.0-SNAPSHOT.jar/BOOT-INF/lib/spring-data-rest-hal-browser-3.0.10.RELEASE.jar/META-INF/spring-data-rest/hal-browser/vendor/js | No action. |
| SO | javax.servlet | No direct reference in the code; pulled in by the framework. | |
| SO | org.camunda.bpm | Used in the bpmn and core modules. | Needs upgrade to 7.11.0-alpha1, 7.11.0-alpha2 or 7.11.0-alpha3; will be handled in the E release. |
| SO | org.json | Used in the bpmn, adapters, mso-api-handler and common modules and in asdc-controller. | All existing jackson-databind versions have vulnerability issues. |
| SO | com.googlecode.libphonenumber | Pulled in by Spring Boot. | Needs upgrade to 7.2.3 or any later version. |
| SO | com.squareup.okhttp | Used by the SO adapters and vnfm-simulator. | All existing jackson-databind versions have vulnerability issues. |
| SO | commons-codec | Dependency is declared in the main project pom.xml. | All existing jackson-databind versions have vulnerability issues. |
| SO | commons-fileupload | Used by the SO bpmn module. | Needs upgrade to 1.4. |
| SO | javax.mail | Pulled in by Spring Boot. | All existing jackson-databind versions have vulnerability issues. |
| SO | org.springframework.data | | Needs upgrade to 2.0.14.RELEASE or 2.1.6.RELEASE; will be handled in the E release. |
| SO | org.springframework.security | Used in the SO adapters, asdc-controller, bpmn, common, mso-api-handlers, docker and vnfm-simulator modules. | Needs upgrade to 5.0.12.RELEASE or 5.1.5.RELEASE; will be handled in the E release. |
| SO | org.webjars bootstrap | Pulled in by Spring Boot. | Needs upgrade to 4.1.3; will be handled in the E release. |
| SO | uikit | Pulled in by Spring Boot. | Needs upgrade to 2.26.4, 2.27.0, 2.27.1, 2.27.2, 2.27.3 or 2.27.4; will be handled in the E release. |
| SO | org.apache.cxf | Used in the SO adapters, bpmn, common, cxf-logging, logger and docker modules. | All existing jackson-databind versions have vulnerability issues. |
| SO | com.google.code.findbugs | Used by the adapters and common modules. | All existing jackson-databind versions have vulnerability issues. |
| SO | org.hibernate | Used in the SO adapters, asdc-controller, bpmn, common, mso-api-handlers and mso-catalog-db modules (cfg, dialect, exceptions and annotations). | Needs upgrade to 5.3.7.Final; will be handled in the E release. |
| SO | org.hibernate.common | Pulled in by Spring Boot. | All existing jackson-databind versions have vulnerability issues. |
| SO | org.mariadb.jdbc | Driver is referenced by the YAML configuration files for the MariaDB connection in the adapters, mso-catalog-db, mso-api-handlers, bpmn and asdc-controller modules. | All existing jackson-databind versions have vulnerability issues. |
| SO libs | com.fasterxml.jackson.core | False positive. Jackson is only an issue if default typing is left enabled. SO does not use default typing; it uses strict parsing and validation of deserialized data. SO does not read application data (XML/JSON) from any unknown (untrusted) source. | No action. All existing Jackson versions have vulnerability issues. |
| SO libs | commons-codec | Used for decoding of input. Contains an Improper Input Validation vulnerability; the only mitigation is extra validation applied to the input before it is decoded. | There is no non-vulnerable version of this component. We recommend investigating alternative components or a potential mitigating control. |
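The Jackson rows above rest on one claim: default typing is off, and deserialized data is parsed strictly and validated. The following example, added here and not taken from the SO code base, shows the weak setting next to the hardened one so the claim can be checked. The ServiceRequest class, its field names and the accepted requestAction values are hypothetical; the JSON inputs are constructed for the demo.

```java
import java.io.IOException;
import java.util.List;

import com.fasterxml.jackson.databind.DeserializationFeature;
import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;

public final class JacksonDefaultTypingCheck {

    // Concrete target type: the only class the hardened mapper will ever instantiate
    // from input. Hypothetical fields, not SO's real request model.
    public static final class ServiceRequest {
        public String serviceInstanceId;
        public String requestAction;
    }

    // Weak setting: default typing lets the JSON document name the class to instantiate
    // (["fully.qualified.ClassName", {...}]), which is what the reported jackson-databind
    // gadget-chain issues rely on. enableDefaultTyping() is the pre-2.10 API.
    @SuppressWarnings("deprecation")
    static ObjectMapper weakMapper() {
        ObjectMapper m = new ObjectMapper();
        m.enableDefaultTyping(ObjectMapper.DefaultTyping.NON_FINAL);
        return m;
    }

    // Hardened setting: default typing left off (the ObjectMapper default), unknown
    // properties rejected, and input always bound to a concrete class rather than Object.
    static ObjectMapper strictMapper() {
        ObjectMapper m = new ObjectMapper();
        m.enable(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES);
        return m;
    }

    // Parse, then validate every field before anything else uses the object.
    static ServiceRequest parseAndValidate(String json) throws IOException {
        ServiceRequest r = strictMapper().readValue(json, ServiceRequest.class);
        if (r.serviceInstanceId == null
                || !r.serviceInstanceId.matches("[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")) {
            throw new IllegalArgumentException("serviceInstanceId must be a UUID");
        }
        if (!"createInstance".equals(r.requestAction) && !"deleteInstance".equals(r.requestAction)) {
            throw new IllegalArgumentException("unsupported requestAction: " + r.requestAction);
        }
        return r;
    }

    public static void main(String[] args) throws IOException {
        // Constructed input in the type-id wrapper-array shape a gadget payload uses.
        // java.util.LinkedList is harmless here; a real payload names a gadget class.
        String typed = "[\"java.util.LinkedList\", [1, 2]]";

        // With default typing on, the class named in the input is instantiated.
        Object fromWeak = weakMapper().readValue(typed, Object.class);
        System.out.println("weak mapper instantiated: " + fromWeak.getClass().getName());

        // With default typing off, the same input is just a two-element JSON array.
        Object fromStrict = strictMapper().readValue(typed, Object.class);
        System.out.println("strict mapper produced: " + fromStrict.getClass().getName()
                + " of size " + ((List<?>) fromStrict).size());

        // Binding to a concrete class rejects the wrapper array outright.
        try {
            strictMapper().readValue(typed, ServiceRequest.class);
        } catch (JsonMappingException e) {
            System.out.println("rejected as ServiceRequest: " + e.getOriginalMessage());
        }

        // An unexpected property (a probe for extra setters) is rejected before validation.
        try {
            parseAndValidate("{\"serviceInstanceId\":\"3f2504e0-4f89-11d3-9a0c-0305e82c3301\","
                    + "\"requestAction\":\"createInstance\",\"extra\":1}");
        } catch (JsonMappingException e) {
            System.out.println("rejected unknown property: " + e.getOriginalMessage());
        }

        // A well-formed request passes parsing and validation.
        ServiceRequest ok = parseAndValidate("{\"serviceInstanceId\":\"3f2504e0-4f89-11d3-9a0c-0305e82c3301\","
                + "\"requestAction\":\"createInstance\"}");
        System.out.println("accepted: " + ok.serviceInstanceId + " " + ok.requestAction);
    }
}
```

To verify the "we do not use default typing" claim in a code base, grep for enableDefaultTyping, activateDefaultTyping and @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS) on Object-typed properties; any of these turns a jackson-databind gadget report into a real finding. If polymorphic typing is genuinely needed on Jackson 2.10 or later, use activateDefaultTyping with a BasicPolymorphicTypeValidator that allow-lists the project's own base types rather than the deprecated enableDefaultTyping.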
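The commons-codec row says the only mitigation is extra validation before the input is decoded. The following example, added here and not part of the SO code base, shows what such a pre-decode check looks like. It assumes the input being decoded is Base64 (the page does not say which codec is used) and the sample strings are constructed for the demo; the commons-codec Base64 decoder is lenient (it skips characters outside the alphabet and does not check padding bits), so the check enforces the canonical form and then round-trips the result.

```java
import java.nio.charset.StandardCharsets;
import java.util.regex.Pattern;

import org.apache.commons.codec.binary.Base64;

public final class StrictBase64 {

    // Canonical padded Base64: whole groups of four, optionally ending in "xx==" or "xxx=".
    private static final Pattern CANONICAL = Pattern.compile(
            "^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$");

    // Rejects anything the lenient decoder would silently accept: foreign characters,
    // missing padding, and non-zero trailing bits in the final group.
    public static byte[] decodeStrict(String input) {
        if (input == null || !CANONICAL.matcher(input).matches()) {
            throw new IllegalArgumentException("input is not canonical Base64");
        }
        byte[] decoded = Base64.decodeBase64(input);
        // Round-trip: only canonical input re-encodes to exactly itself.
        String reencoded = new String(Base64.encodeBase64(decoded), StandardCharsets.US_ASCII);
        if (!reencoded.equals(input)) {
            throw new IllegalArgumentException("input is not canonical Base64 (padding bits)");
        }
        return decoded;
    }

    public static void main(String[] args) {
        // Constructed samples: valid, embedded whitespace, missing padding, bad trailing bits.
        String[] samples = { "aGVsbG8=", "aGVs bG8=", "aGVsbG8", "QR==" };
        for (String s : samples) {
            // What the lenient decoder does with the same input, for comparison.
            String lenient = new String(Base64.decodeBase64(s), StandardCharsets.UTF_8);
            try {
                byte[] out = decodeStrict(s);
                System.out.println("accepted  \"" + s + "\" -> " + new String(out, StandardCharsets.UTF_8));
            } catch (IllegalArgumentException e) {
                System.out.println("rejected  \"" + s + "\" (" + e.getMessage()
                        + "); lenient decoder would have returned \"" + lenient + "\"");
            }
        }
    }
}
```

Where the input is only ever consumed by SO's own code, switching to java.util.Base64, whose decoder throws on characters outside the alphabet, is the kind of alternative component the action column refers to; the round-trip check above is still needed if non-canonical padding must also be rejected.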