El Alto Logging Security/Vulnerability Report

This table lists the known exploitable (effective) and non-exploitable (ineffective) vulnerabilities reported against third-party packages used in the project, one entry per repository and package. The same finding is listed once for every repository it affects.



Columns: Repository | Group | Problem Code | Effective/Ineffective | Resolvable by Project | Impact Analysis | Action. Each entry below is one row of the table, written as "column: value".

Repository: logging-analytics
Group: org.springframework
Problem Code: CVE-2018-15756
Effective/Ineffective: effective
Resolvable by Project: yes
Impact Analysis: Spring Framework version 5.1, versions 5.0.x prior to 5.0.10, versions 4.3.x prior to 4.3.20, and older unsupported versions on the 4.2.x branch support range requests when serving static resources through ResourceHttpRequestHandler, or, starting in 5.0, when an annotated controller returns an org.springframework.core.io.Resource. A malicious user (or attacker) can send a Range header with a high number of ranges, or with wide ranges that overlap, or both, to cause a denial of service. This vulnerability affects applications that depend on either spring-webmvc or spring-webflux. Such applications must also have a registration for serving static resources (e.g. JS, CSS, images) or an annotated controller that returns an org.springframework.core.io.Resource. Spring Boot applications that depend on spring-boot-starter-web or spring-boot-starter-webflux serve static resources out of the box and are therefore vulnerable.
Action: Tracked by LOG-1159: Vulnerability issue: logging-analytics version 5.0.9.RELEASE (status: Closed), for Frankfurt.
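The condition in the Impact Analysis above can be mitigated at the servlet layer while a vulnerable Spring version is still deployed. The filter below is an added example written for this report; it is not code from the logging-analytics project and it is not Spring's own fix. It assumes a Servlet 3.x (javax.servlet) application and a hypothetical limit MAX_RANGES = 16. A Range header that is malformed, carries more than MAX_RANGES byte ranges, or contains overlapping ranges is answered with 416 before the request reaches ResourceHttpRequestHandler.

```java
package com.example.security;

import java.io.IOException;
import java.util.ArrayList;
import java.util.List;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Compensating control for CVE-2018-15756: reject abusive Range headers before
 * Spring parses them. Added example for this report; MAX_RANGES is an assumed
 * limit, not a value taken from the project or from Spring.
 */
public class RangeHeaderGuardFilter implements Filter {

    static final int MAX_RANGES = 16; // assumed limit; tune per deployment

    @Override
    public void init(FilterConfig filterConfig) {
    }

    @Override
    public void destroy() {
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        String range = ((HttpServletRequest) req).getHeader("Range");
        if (range != null && !isAcceptableRange(range)) {
            // 416 Range Not Satisfiable: the client asked for something we refuse to serve.
            ((HttpServletResponse) res).sendError(
                    HttpServletResponse.SC_REQUESTED_RANGE_NOT_SATISFIABLE);
            return;
        }
        chain.doFilter(req, res);
    }

    /**
     * Accepts a Range header only if it is well formed, carries at most
     * MAX_RANGES byte ranges, and no two of those ranges overlap.
     */
    static boolean isAcceptableRange(String header) {
        if (!header.startsWith("bytes=")) {
            return false;
        }
        String[] specs = header.substring("bytes=".length()).split(",", -1);
        if (specs.length > MAX_RANGES) {
            return false;
        }
        List<long[]> ranges = new ArrayList<>();
        try {
            for (String raw : specs) {
                String spec = raw.trim();
                int dash = spec.indexOf('-');
                if (dash < 0) {
                    return false; // empty spec or no "-" at all
                }
                long start;
                long end;
                if (dash == 0) {
                    // Suffix range "-N" (last N bytes). The resource length is unknown
                    // here, so it is modelled at the top of the address space; this still
                    // catches overlap with open-ended ranges and with other suffix ranges.
                    long n = Long.parseLong(spec.substring(1));
                    start = Long.MAX_VALUE - n;
                    end = Long.MAX_VALUE;
                } else {
                    start = Long.parseLong(spec.substring(0, dash));
                    String endPart = spec.substring(dash + 1);
                    end = endPart.isEmpty() ? Long.MAX_VALUE : Long.parseLong(endPart);
                }
                if (start < 0 || end < start) {
                    return false;
                }
                ranges.add(new long[] {start, end});
            }
        } catch (NumberFormatException e) {
            return false;
        }
        ranges.sort((a, b) -> Long.compare(a[0], b[0]));
        for (int i = 1; i < ranges.size(); i++) {
            if (ranges.get(i)[0] <= ranges.get(i - 1)[1]) {
                return false; // this range starts inside the previous one
            }
        }
        return true;
    }
}
```

With this filter, "bytes=0-99,200-299" passes, "bytes=0-99,50-149" and "bytes=0-,-100" are refused, and any header with more than sixteen ranges is refused before a single range is parsed. Register it ahead of the static-resource handler (in Spring Boot, a FilterRegistrationBean with a low order). It is a stop-gap only; the resolution recorded in LOG-1159 is the upgrade to a Spring release that is not in the affected ranges listed above.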




Repository: logging-analytics-pomba-pomba-aai-context-builder
Group: com.fasterxml.jackson.core
Problem Code: N/A
Effective/Ineffective: effective
Resolvable by Project: (not filled in)
Impact Analysis: jackson-databind is vulnerable to Remote Code Execution (RCE). The createBeanDeserializer() function in the BeanDeserializerFactory class allows untrusted Java objects to be deserialized. A remote attacker can exploit this by uploading a malicious serialized object that results in RCE if the application attempts to deserialize it. Note: this vulnerability exists due to the incomplete fix for CVE-2017-7525, CVE-2017-15095, CVE-2017-17485, CVE-2018-5968, CVE-2018-7489, CVE-2018-11307, CVE-2018-12022, CVE-2018-12023, CVE-2018-14718, CVE-2018-14719, CVE-2018-14720, and CVE-2018-14721. Evidence of this can be found at https://pivotal.io/security/cve-2017-4995. The application is vulnerable by using this component when default typing is enabled and untrusted data is passed in to be deserialized.
Action: Currently no good version can be upgraded to. Further investigation is needed. Tracked by LOG-1160: Vulnerability issue: jackson-databind 2.9.9 (status: Closed), to investigate further in Frankfurt.

Repository: logging-analytics-pomba-pomba-aai-context-builder
Group: com.fasterxml.jackson.core
Problem Code: CVE-2019-12384
Effective/Ineffective: effective
Resolvable by Project: (not filled in)
Impact Analysis: FasterXML jackson-databind 2.x before 2.9.9.1 might allow attackers to have a variety of impacts by leveraging failure to block the logback-core class from polymorphic deserialization. Depending on the classpath content, remote code execution may be possible.
Action: Currently no good version can be upgraded to. Further investigation is needed. Tracked by LOG-1160: Vulnerability issue: jackson-databind 2.9.9 (status: Closed), to investigate further in Frankfurt.

Repository: logging-analytics-pomba-pomba-aai-context-builder
Group: com.fasterxml.jackson.core
Problem Code: CVE-2019-12814
Effective/Ineffective: effective
Resolvable by Project: (not filled in)
Impact Analysis: A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x through 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has a JDOM 1.x or 2.x jar in the classpath, an attacker can send a specifically crafted JSON message that allows them to read arbitrary local files on the server.
Action: Currently no good version can be upgraded to. Further investigation is needed. Tracked by LOG-1160: Vulnerability issue: jackson-databind 2.9.9 (status: Closed), to investigate further in Frankfurt.






Repository: logging-analytics-pomba-pomba-context-aggregator
Group: com.fasterxml.jackson.core
Problem Code: N/A
Effective/Ineffective: effective
Resolvable by Project: (not filled in)
Impact Analysis: jackson-databind is vulnerable to Remote Code Execution (RCE). The createBeanDeserializer() function in the BeanDeserializerFactory class allows untrusted Java objects to be deserialized. A remote attacker can exploit this by uploading a malicious serialized object that results in RCE if the application attempts to deserialize it. Note: this vulnerability exists due to the incomplete fix for CVE-2017-7525, CVE-2017-15095, CVE-2017-17485, CVE-2018-5968, CVE-2018-7489, CVE-2018-11307, CVE-2018-12022, CVE-2018-12023, CVE-2018-14718, CVE-2018-14719, CVE-2018-14720, and CVE-2018-14721. Evidence of this can be found at https://pivotal.io/security/cve-2017-4995. The application is vulnerable by using this component when default typing is enabled and untrusted data is passed in to be deserialized.
Action: Currently no good version can be upgraded to. Further investigation is needed. Tracked by LOG-1160: Vulnerability issue: jackson-databind 2.9.9 (status: Closed), to investigate further in Frankfurt.

Repository: logging-analytics-pomba-pomba-context-aggregator
Group: com.fasterxml.jackson.core
Problem Code: CVE-2019-12384
Effective/Ineffective: effective
Resolvable by Project: (not filled in)
Impact Analysis: FasterXML jackson-databind 2.x before 2.9.9.1 might allow attackers to have a variety of impacts by leveraging failure to block the logback-core class from polymorphic deserialization. Depending on the classpath content, remote code execution may be possible.
Action: Currently no good version can be upgraded to. Further investigation is needed. Tracked by LOG-1160: Vulnerability issue: jackson-databind 2.9.9 (status: Closed), to investigate further in Frankfurt.

Repository: logging-analytics-pomba-pomba-context-aggregator
Group: com.fasterxml.jackson.core
Problem Code: CVE-2019-12814
Effective/Ineffective: effective
Resolvable by Project: (not filled in)
Impact Analysis: A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x through 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has a JDOM 1.x or 2.x jar in the classpath, an attacker can send a specifically crafted JSON message that allows them to read arbitrary local files on the server.
Action: Currently no good version can be upgraded to. Further investigation is needed. Tracked by LOG-1160: Vulnerability issue: jackson-databind 2.9.9 (status: Closed), to investigate further in Frankfurt.




Repository: logging-analytics-pomba-pomba-network-discovery-context-builder
Group: com.fasterxml.jackson.core
Problem Code: N/A
Effective/Ineffective: effective
Resolvable by Project: (not filled in)
Impact Analysis: jackson-databind is vulnerable to Remote Code Execution (RCE). The createBeanDeserializer() function in the BeanDeserializerFactory class allows untrusted Java objects to be deserialized. A remote attacker can exploit this by uploading a malicious serialized object that results in RCE if the application attempts to deserialize it. Note: this vulnerability exists due to the incomplete fix for CVE-2017-7525, CVE-2017-15095, CVE-2017-17485, CVE-2018-5968, CVE-2018-7489, CVE-2018-11307, CVE-2018-12022, CVE-2018-12023, CVE-2018-14718, CVE-2018-14719, CVE-2018-14720, and CVE-2018-14721. Evidence of this can be found at https://pivotal.io/security/cve-2017-4995. The application is vulnerable by using this component when default typing is enabled and untrusted data is passed in to be deserialized.
Action: Currently no good version can be upgraded to. Further investigation is needed. Tracked by LOG-1160: Vulnerability issue: jackson-databind 2.9.9 (status: Closed), to investigate further in Frankfurt.

Repository: logging-analytics-pomba-pomba-network-discovery-context-builder
Group: com.fasterxml.jackson.core
Problem Code: CVE-2019-12384
Effective/Ineffective: effective
Resolvable by Project: (not filled in)
Impact Analysis: FasterXML jackson-databind 2.x before 2.9.9.1 might allow attackers to have a variety of impacts by leveraging failure to block the logback-core class from polymorphic deserialization. Depending on the classpath content, remote code execution may be possible.
Action: Currently no good version can be upgraded to. Further investigation is needed. Tracked by LOG-1160: Vulnerability issue: jackson-databind 2.9.9 (status: Closed), to investigate further in Frankfurt.

Repository: logging-analytics-pomba-pomba-network-discovery-context-builder
Group: com.fasterxml.jackson.core
Problem Code: CVE-2019-12814
Effective/Ineffective: effective
Resolvable by Project: (not filled in)
Impact Analysis: A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x through 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has a JDOM 1.x or 2.x jar in the classpath, an attacker can send a specifically crafted JSON message that allows them to read arbitrary local files on the server.
Action: Currently no good version can be upgraded to. Further investigation is needed. Tracked by LOG-1160: Vulnerability issue: jackson-databind 2.9.9 (status: Closed), to investigate further in Frankfurt.

Repository: logging-analytics-pomba-pomba-network-discovery-context-builder
Group: handlebars
Problem Code: N/A
Effective/Ineffective: effective - pulled in by swagger
Resolvable by Project: no
Impact Analysis: The handlebars package is vulnerable to Remote Code Execution (RCE). Several functions in several files, as listed below, contain a "lookup" helper which does not properly verify object types. If a remote attacker is able to influence the object instance, they can execute arbitrary code on the target system.
Action: Pulled in by swagger, no solution yet. LOG-827: Logging/POMBA CLM: fix/address/red-flag handlebars-2.0.0.js SEC - upgrade to 4.0.0+ (status: Closed)

Repository: logging-analytics-pomba-pomba-network-discovery-context-builder
Group: handlebars
Problem Code: N/A
Effective/Ineffective: ineffective - no javascript
Resolvable by Project: no
Impact Analysis: The handlebars package is vulnerable to Prototype Pollution. The JavaScriptCompiler() function in the javascript-compiler.js file fails to restrict access to the constructor from templates. A remote attacker with the ability to inject templates into the handlebars setup can exploit this vulnerability by supplying a template containing malicious JavaScript. The attacker can leverage this issue to inject malicious JavaScript into the constructor property, resulting in script execution when the application processes the template.
Action: Pulled in by swagger, no solution yet. LOG-827: Logging/POMBA CLM: fix/address/red-flag handlebars-2.0.0.js SEC - upgrade to 4.0.0+ (status: Closed)

Repository: logging-analytics-pomba-pomba-network-discovery-context-builder
Group: handlebars
Problem Code: N/A
Effective/Ineffective: ineffective - no javascript
Resolvable by Project: no
Impact Analysis: The handlebars package is vulnerable to Cross-Site Scripting (XSS). The file utils.js contains the method escapeExpression() and its helper method escapeChar(). The method escapeExpression(), via escapeChar(), only escapes the characters > < and ` " ' (back tick, double quote, single quote) and not the = (equals) sign, so Cross-Site Scripting payloads that rely on equals characters are accepted. The escapeExpression() method is invoked in two ways: (1) it can be called directly as a utility method, and (2) the framework invokes it when double curly braces are used (as opposed to triple curly braces, which perform no escaping). A consumer of this library, either through use of double curly braces or by calling escapeExpression(), expects the returned string to be safe for output to an HTML page. If this functionality is used with user-controllable data, an attacker can exploit this vulnerability by crafting an input that injects JavaScript into the page, leading to an XSS attack.
Action: Pulled in by swagger, no solution yet. LOG-827: Logging/POMBA CLM: fix/address/red-flag handlebars-2.0.0.js SEC - upgrade to 4.0.0+ (status: Closed)

Repository: logging-analytics-pomba-pomba-network-discovery-context-builder
Group: js-yaml
Problem Code: N/A
Effective/Ineffective: pulled in by swagger
Resolvable by Project: No
Impact Analysis: The js-yaml package is vulnerable to Remote Code Execution (RCE). The storeMappingPair() function in the loader.js file allows the execution of code contained in a toString property of the provided YAML data. A remote attacker can exploit this vulnerability by submitting malicious YAML with a toString property that contains malicious code, which is executed when the application processes the YAML.
Action: Tracked by LOG-1118: Logging/POMBA CLM: fix/address/red-flag js-yaml SEC (status: Closed)

Repository: logging-analytics-pomba-pomba-network-discovery-context-builder
Group: js-yaml
Problem Code: N/A
Effective/Ineffective: pulled in by swagger
Resolvable by Project: No
Impact Analysis: The js-yaml package is vulnerable to a Denial of Service (DoS) attack. The storeMappingPair() function in the loader.js file fails to disallow nested arrays as map keys. A remote attacker can exploit this vulnerability by submitting malicious YAML containing deeply nested data structures that reference each other, which results in exponential expansion and ultimately a DoS condition when the application attempts to process the YAML.
Action: Tracked by LOG-1118: Logging/POMBA CLM: fix/address/red-flag js-yaml SEC (status: Closed)

Repository: logging-analytics-pomba-pomba-network-discovery-context-builder
Group: uikit
Problem Code: N/A
Effective/Ineffective: pulled in by swagger
Resolvable by Project: (not filled in)
Impact Analysis: The uikit package is vulnerable to Regular Expression Denial of Service (ReDoS). The htmleditor.html file uses an old version of the marked package that has a ReDoS vulnerability. A remote attacker can exploit this by sending input crafted to make the vulnerable regular expression backtrack catastrophically, which can block the event loop for excessive amounts of time and potentially consume all available CPU resources.
Action: Tracked by https://lf-onap.atlassian.net/browse/LOG-1117




Repository: logging-analytics-pomba-pomba-sdc-context-builder
Group: com.fasterxml.jackson.core
Problem Code: N/A
Effective/Ineffective: effective
Resolvable by Project: (not filled in)
Impact Analysis: jackson-databind is vulnerable to Remote Code Execution (RCE). The createBeanDeserializer() function in the BeanDeserializerFactory class allows untrusted Java objects to be deserialized. A remote attacker can exploit this by uploading a malicious serialized object that results in RCE if the application attempts to deserialize it. Note: this vulnerability exists due to the incomplete fix for CVE-2017-7525, CVE-2017-15095, CVE-2017-17485, CVE-2018-5968, CVE-2018-7489, CVE-2018-11307, CVE-2018-12022, CVE-2018-12023, CVE-2018-14718, CVE-2018-14719, CVE-2018-14720, and CVE-2018-14721. Evidence of this can be found at https://pivotal.io/security/cve-2017-4995. The application is vulnerable by using this component when default typing is enabled and untrusted data is passed in to be deserialized.
Action: Currently no good version can be upgraded to. Further investigation is needed. Tracked by LOG-1160: Vulnerability issue: jackson-databind 2.9.9 (status: Closed), to investigate further in Frankfurt.

Repository: logging-analytics-pomba-pomba-sdc-context-builder
Group: com.fasterxml.jackson.core
Problem Code: CVE-2019-12384
Effective/Ineffective: effective
Resolvable by Project: (not filled in)
Impact Analysis: FasterXML jackson-databind 2.x before 2.9.9.1 might allow attackers to have a variety of impacts by leveraging failure to block the logback-core class from polymorphic deserialization. Depending on the classpath content, remote code execution may be possible.
Action: Currently no good version can be upgraded to. Further investigation is needed. Tracked by LOG-1160: Vulnerability issue: jackson-databind 2.9.9 (status: Closed), to investigate further in Frankfurt.

Repository: logging-analytics-pomba-pomba-sdc-context-builder
Group: com.fasterxml.jackson.core
Problem Code: CVE-2019-12814
Effective/Ineffective: effective
Resolvable by Project: (not filled in)
Impact Analysis: A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x through 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has a JDOM 1.x or 2.x jar in the classpath, an attacker can send a specifically crafted JSON message that allows them to read arbitrary local files on the server.
Action: Currently no good version can be upgraded to. Further investigation is needed. Tracked by LOG-1160: Vulnerability issue: jackson-databind 2.9.9 (status: Closed), to investigate further in Frankfurt.

Repository: logging-analytics-pomba-pomba-sdc-context-builder
Group: jQuery
Problem Code: N/A
Effective/Ineffective: effective
Resolvable by Project: yes
Impact Analysis: The jQuery package is vulnerable to Prototype Pollution. The jQuery.extend and jQuery.fn.extend functions, defined in many files, allow an untrusted object to extend Object.prototype. An attacker can modify and add prototype properties to JavaScript objects and can potentially leverage those changes to crash the application or execute code remotely.
Action: Pulled in by swagger; upgrade to version 3.x. Tracked by https://lf-onap.atlassian.net/browse/LOG-1101

Repository: logging-analytics-pomba-pomba-sdc-context-builder
Group: jQuery
Problem Code: N/A
Effective/Ineffective: effective
Resolvable by Project: yes
Impact Analysis: The jQuery package is vulnerable to Cross-Site Scripting (XSS). The parseHTML() function in the parseHTML.js and jquery.js files allows JavaScript embedded in event attributes to be executed immediately. An attacker can exploit this vulnerability by injecting malicious JavaScript containing event handlers which, when rendered, results in the execution of arbitrary script.
Action: Pulled in by swagger; upgrade to version 3.x. Tracked by https://lf-onap.atlassian.net/browse/LOG-1101

Repository: logging-analytics-pomba-pomba-sdc-context-builder
Group: commons-codec
Problem Code: N/A
Effective/Ineffective: ineffective - only used in JUnit
Resolvable by Project: no
Impact Analysis: The Apache commons-codec package contains an Improper Input Validation vulnerability. The decode() method in the Base32, Base64, and BCodec classes fails to reject malformed Base32 and Base64 encoded strings and consequently decodes them into arbitrary values. A remote attacker can leverage this vulnerability to potentially tunnel additional information via seemingly legitimate Base32 or Base64 encoded strings.
Action: Pulled in by
<groupId>org.onap.sdc.sdc-tosca</groupId>
<artifactId>sdc-tosca</artifactId>
Depends on SDC.




Repository: logging-analytics-pomba-pomba-sdnc-context-builder
Group: com.fasterxml.jackson.core
Problem Code: N/A
Effective/Ineffective: effective
Resolvable by Project: (not filled in)
Impact Analysis: jackson-databind is vulnerable to Remote Code Execution (RCE). The createBeanDeserializer() function in the BeanDeserializerFactory class allows untrusted Java objects to be deserialized. A remote attacker can exploit this by uploading a malicious serialized object that results in RCE if the application attempts to deserialize it. Note: this vulnerability exists due to the incomplete fix for CVE-2017-7525, CVE-2017-15095, CVE-2017-17485, CVE-2018-5968, CVE-2018-7489, CVE-2018-11307, CVE-2018-12022, CVE-2018-12023, CVE-2018-14718, CVE-2018-14719, CVE-2018-14720, and CVE-2018-14721. Evidence of this can be found at https://pivotal.io/security/cve-2017-4995. The application is vulnerable by using this component when default typing is enabled and untrusted data is passed in to be deserialized.
Action: Currently no good version can be upgraded to. Further investigation is needed. Tracked by LOG-1160: Vulnerability issue: jackson-databind 2.9.9 (status: Closed), to investigate further in Frankfurt.

Repository: logging-analytics-pomba-pomba-sdnc-context-builder
Group: com.fasterxml.jackson.core
Problem Code: CVE-2019-12384
Effective/Ineffective: effective
Resolvable by Project: (not filled in)
Impact Analysis: FasterXML jackson-databind 2.x before 2.9.9.1 might allow attackers to have a variety of impacts by leveraging failure to block the logback-core class from polymorphic deserialization. Depending on the classpath content, remote code execution may be possible.
Action: Currently no good version can be upgraded to. Further investigation is needed. Tracked by LOG-1160: Vulnerability issue: jackson-databind 2.9.9 (status: Closed), to investigate further in Frankfurt.

Repository: logging-analytics-pomba-pomba-sdnc-context-builder
Group: com.fasterxml.jackson.core
Problem Code: CVE-2019-12814
Effective/Ineffective: effective
Resolvable by Project: (not filled in)
Impact Analysis: A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x through 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has a JDOM 1.x or 2.x jar in the classpath, an attacker can send a specifically crafted JSON message that allows them to read arbitrary local files on the server.
Action: Currently no good version can be upgraded to. Further investigation is needed. Tracked by LOG-1160: Vulnerability issue: jackson-databind 2.9.9 (status: Closed), to investigate further in Frankfurt.
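Every jackson-databind entry in this report (aai-context-builder, context-aggregator, network-discovery-context-builder, sdc-context-builder and sdnc-context-builder) rests on the same precondition stated in the Impact Analysis: default typing is enabled (or an equivalent @JsonTypeInfo(use = Id.CLASS) annotation is present) on a mapper that is fed untrusted JSON, so the JSON itself names the class to instantiate. The following is an added example for this report, not code from the POMBA repositories: the flagged ObjectMapper configuration beside a hardened one. The hardened variant uses BasicPolymorphicTypeValidator, which was introduced in jackson-databind 2.10; the 2.9.9 line recorded above has no equivalent, so on that line the check that matters is simply whether default typing is enabled at all. The package, model classes and JSON inputs are constructed for illustration; java.util.HashMap stands in for a gadget class an attacker would actually name.

```java
package com.example.security;

import java.io.IOException;

import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

/**
 * Flagged-vs-hardened ObjectMapper setup for the jackson-databind rows above.
 * Added example for this report; the Event model types are hypothetical.
 */
public class DefaultTypingDemo {

    /** Hypothetical polymorphic base type the service legitimately deserializes. */
    public abstract static class Event {
    }

    public static class LogEvent extends Event {
        public String message;
    }

    /**
     * The configuration the scanner flags as "effective": with default typing,
     * the JSON payload names the class to instantiate, and any non-final class
     * on the classpath (logback-core, JDOM and the other gadgets behind the CVEs
     * listed above included) qualifies. enableDefaultTyping() is the 2.9 API;
     * it is deprecated from 2.10 on.
     */
    @SuppressWarnings("deprecation")
    public static ObjectMapper vulnerableMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping(ObjectMapper.DefaultTyping.NON_FINAL);
        return mapper;
    }

    /**
     * Hardened (needs jackson-databind 2.10+): polymorphic type ids are still
     * honoured, but only for classes under our own package prefix. The name is
     * checked before any other class is resolved or constructed.
     */
    public static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType("com.example.")   // assumed application package prefix
                .build();
        ObjectMapper mapper = new ObjectMapper();
        mapper.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return mapper;
    }

    /** Deserializes into Object so that the JSON alone selects the target class. */
    static String describe(ObjectMapper mapper, String json) {
        try {
            Object value = mapper.readValue(json, Object.class);
            return "accepted: " + value.getClass().getName();
        } catch (JsonMappingException e) {
            // InvalidTypeIdException (a JsonMappingException) is what the validator raises
            return "rejected: " + e.getOriginalMessage();
        } catch (IOException e) {
            return "error: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        // Constructed inputs: a legitimate event in the WRAPPER_ARRAY form default
        // typing expects, and a payload naming a class the service never intended
        // to instantiate (HashMap stands in for a real gadget).
        String legit = "[\"com.example.security.DefaultTypingDemo$LogEvent\",{\"message\":\"boot\"}]";
        String foreign = "[\"java.util.HashMap\",{\"k\":\"v\"}]";

        for (ObjectMapper m : new ObjectMapper[] {vulnerableMapper(), hardenedMapper()}) {
            System.out.println(describe(m, legit));
            System.out.println(describe(m, foreign));
        }
    }
}
```

The flagged mapper accepts both inputs and instantiates whatever class the payload names; the hardened mapper accepts LogEvent and rejects the HashMap payload with an InvalidTypeIdException because its name does not match the allowed prefix. For the 2.9.9 builds listed above, the only safe option is to leave default typing off and replace any @JsonTypeInfo(use = Id.CLASS) or Id.MINIMAL_CLASS with Id.NAME plus an explicit @JsonSubTypes list; a grep for enableDefaultTyping and Id.CLASS across each context builder is the quickest way to confirm whether the "effective" rating above actually holds for that repository.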

Repository: logging-analytics-pomba-pomba-sdnc-context-builder
Group: handlebars
Problem Code: N/A
Effective/Ineffective: effective - pulled in by swagger
Resolvable by Project: no
Impact Analysis: The handlebars package is vulnerable to Remote Code Execution (RCE). Several functions in several files, as listed below, contain a "lookup" helper which does not properly verify object types. If a remote attacker is able to influence the object instance, they can execute arbitrary code on the target system.
Action: Pulled in by swagger, no solution yet. LOG-827: Logging/POMBA CLM: fix/address/red-flag handlebars-2.0.0.js SEC - upgrade to 4.0.0+ (status: Closed)

Repository: logging-analytics-pomba-pomba-sdnc-context-builder
Group: handlebars
Problem Code: N/A
Effective/Ineffective: ineffective - no javascript
Resolvable by Project: no
Impact Analysis: The handlebars package is vulnerable to Prototype Pollution. The JavaScriptCompiler() function in the javascript-compiler.js file fails to restrict access to the constructor from templates. A remote attacker with the ability to inject templates into the handlebars setup can exploit this vulnerability by supplying a template containing malicious JavaScript. The attacker can leverage this issue to inject malicious JavaScript into the constructor property, resulting in script execution when the application processes the template.
Action: Pulled in by swagger, no solution yet. LOG-827: Logging/POMBA CLM: fix/address/red-flag handlebars-2.0.0.js SEC - upgrade to 4.0.0+ (status: Closed)

Repository: logging-analytics-pomba-pomba-sdnc-context-builder
Group: handlebars
Problem Code: N/A
Effective/Ineffective: ineffective - no javascript
Resolvable by Project: no
Impact Analysis: The handlebars package is vulnerable to Cross-Site Scripting (XSS). The file utils.js contains the method escapeExpression() and its helper method escapeChar(). The method escapeExpression(), via escapeChar(), only escapes the characters > < and ` " ' (back tick, double quote, single quote) and not the = (equals) sign, so Cross-Site Scripting payloads that rely on equals characters are accepted. The escapeExpression() method is invoked in two ways: (1) it can be called directly as a utility method, and (2) the framework invokes it when double curly braces are used (as opposed to triple curly braces, which perform no escaping). A consumer of this library, either through use of double curly braces or by calling escapeExpression(), expects the returned string to be safe for output to an HTML page. If this functionality is used with user-controllable data, an attacker can exploit this vulnerability by crafting an input that injects JavaScript into the page, leading to an XSS attack.
Action: Pulled in by swagger, no solution yet. LOG-827: Logging/POMBA CLM: fix/address/red-flag handlebars-2.0.0.js SEC - upgrade to 4.0.0+ (status: Closed)

Repository: logging-analytics-pomba-pomba-sdnc-context-builder
Group: js-yaml
Problem Code: N/A
Effective/Ineffective: pulled in by swagger
Resolvable by Project: (not filled in)
Impact Analysis: The js-yaml package is vulnerable to Remote Code Execution (RCE). The storeMappingPair() function in the loader.js file allows the execution of code contained in a toString property of the provided YAML data. A remote attacker can exploit this vulnerability by submitting malicious YAML with a toString property that contains malicious code, which is executed when the application processes the YAML. The application is vulnerable if it uses this component's load() function to process user-supplied YAML data.
Action: Tracked by LOG-1118: Logging/POMBA CLM: fix/address/red-flag js-yaml SEC (status: Closed)

Repository: logging-analytics-pomba-pomba-sdnc-context-builder
Group: js-yaml
Problem Code: N/A
Effective/Ineffective: pulled in by swagger
Resolvable by Project: (not filled in)
Impact Analysis: The js-yaml package is vulnerable to a Denial of Service (DoS) attack. The storeMappingPair() function in the loader.js file fails to disallow nested arrays as map keys. A remote attacker can exploit this vulnerability by submitting malicious YAML containing deeply nested data structures that reference each other, which results in exponential expansion and ultimately a DoS condition when the application attempts to process the YAML.
Action: Tracked by LOG-1118: Logging/POMBA CLM: fix/address/red-flag js-yaml SEC (status: Closed)

Repository: logging-analytics-pomba-pomba-sdnc-context-builder
Group: uikit
Problem Code: N/A
Effective/Ineffective: pulled in by swagger
Resolvable by Project: (not filled in)
Impact Analysis: The uikit package is vulnerable to Regular Expression Denial of Service (ReDoS). The htmleditor.html file uses an old version of the marked package that has a ReDoS vulnerability. A remote attacker can exploit this by sending input crafted to make the vulnerable regular expression backtrack catastrophically, which can block the event loop for excessive amounts of time and potentially consume all available CPU resources.
Action: Tracked by https://lf-onap.atlassian.net/browse/LOG-1117