-
Task
-
Resolution: Done
-
Medium
-
None
-
None
-
DCAE R4 Sprint 4, DCAE R4 Sprint 5, DCAE R4 Sprint 6
Following vulnerabilities are identified in CLM scan.
1) Evaluation of the risk identified; if not impacted; provide justification on each on why the vulnerability wont apply
2) If impacted, try to upgrade/remove the dependencies if work around exist. Or upgrade netty/play/zookeeper version as recommended (last column)
3) If dependency cannot be removed for Dublin and no non-vulnerable version available, please identify them and provide a plan on how this could be resolved in future.
| dcaegen2-analytics-pnda | ru.yandex.qatools.camelot | camelot-kafka : jar | 2.4.4 | Description from CVE Netty before 3.9.8.Final, 3.10.x before 3.10.3.Final, 4.0.x before 4.0.28.Final, and 4.1.x before 4.1.0.Beta5 and Play Framework 2.x before 2.3.9 might allow remote attackers to bypass the httpOnly flag on cookies and obtain sensitive information by leveraging improper validation of cookie name and value characters. Explanation Netty is vulnerable to Information Disclosure. Multiple methods in multiple files improperly validate cookie names and values. This allows the presence of single-quote and double-quote characters to break tokenization. A remote attacker can exploit this vulnerability by inducing a victim to send a crafted request containing quote characters in any parameter value that sets a cookie. If that tainted cookie gets reflected in the response, the attacker can then use Cross-Site Scripting (XSS) to potentially retrieve the entire cookie header, despite the presence of an HttpOnly flag. |
if using netty, update to >= 3.9.8.Final, >= 3.10.3.Final or >= 4.1.0.Beta5 if using Play Framework, update to >= 2.3.9 |
| dcaegen2-analytics-pnda | ru.yandex.qatools.camelot | camelot-kafka : jar | 2.4.4 | Description from CVE Two four letter word commands "wchp/wchc" are CPU intensive and could cause spike of CPU utilization on Apache ZooKeeper server if abused, which leads to the server unable to serve legitimate client requests. Apache ZooKeeper thru version 3.4.9 and 3.5.2 suffer from this issue, fixed in 3.4.10, 3.5.3, and later. | if using zookeeper, upgrade to >= 3.4.10, >= 3.5.3 |