  1. Data Collection, Analytics, and Events
  2. DCAEGEN2-1275

dcaegen2/services/son-handler security vulnerabilities


    • Type: Task
    • Resolution: Done
    • Priority: Medium
    • Dublin Release

      The following vulnerabilities were identified in the CLM scan.

      1) Evaluate the risk identified; if not impacted, provide a justification for each on why the vulnerability won't apply.

      2) If impacted, try to upgrade/remove the dependencies if a workaround exists (check the ACTION column).

      3) If a dependency cannot be removed for Dublin and no non-vulnerable version is available, please identify them.

       

      Repository: onap-dcaegen2-services-son-handler
      Group : Artifact : Version: com.fasterxml.jackson.core : jackson-databind : 2.9.6
      Risk: The application is vulnerable by using this component when default typing is enabled and untrusted data is passed in to be deserialized.
      Note: Spring Security has provided their own fix for this vulnerability (CVE-2017-4995). If this component is being used as part of Spring Security, then you are not vulnerable if you are running Spring Security 4.2.3.RELEASE or greater for 4.x or Spring Security 5.0.0.M2 or greater for 5.x.
      Workaround: Do not use the default typing. Instead you will need to implement your own.
      It is also possible to customize global defaulting, using ObjectMapper.setDefaultTyping(…); you just have to implement your own TypeResolverBuilder (which is not very difficult), and by doing so can actually configure all aspects of type information. The builder itself is just a shortcut for building the actual handlers.
      Action: Remove this dependency if a workaround exists; if not, upgrade to 2.9.8.

      Repository: onap-dcaegen2-services-son-handler
      Group : Artifact : Version: com.fasterxml.jackson.datatype : jackson-datatype-jsr310 : 2.9.6
      Risk: FasterXML Jackson before version 2.9.8 contains a CWE-20: Improper Input Validation vulnerability in Jackson-Modules-Java8 that can result in a denial of service (DoS). This attack appears to be exploitable when the victim deserializes malicious input, specifically very large values in the nanoseconds field of a time value. This vulnerability appears to have been fixed in 2.9.8.
      Action: Remove this dependency if a workaround exists; if not, upgrade to 2.9.8.

      Repository: onap-dcaegen2-services-son-handler
      Group : Artifact : Version: org.codehaus.jackson : jackson-mapper-asl : 1.9.13
      Risk: A deserialization flaw was discovered in jackson-databind, versions before 2.6.7.1, 2.7.9.1 and 2.8.9, which could allow an unauthenticated user to perform code execution by sending maliciously crafted input to the readValue method of the ObjectMapper.
      Explanation: jackson-databind is vulnerable to Remote Code Execution (RCE). The createBeanDeserializer() function in the BeanDeserializerFactory class allows untrusted Java objects to be deserialized. A remote attacker can exploit this by uploading a malicious serialized object that will result in RCE if the application attempts to deserialize it.
      Action: No non-vulnerable version available. Request Exception

      Repository: onap-dcaegen2-services-son-handler
      Group : Artifact : Version: org.postgresql : postgresql : 42.2.4
      Risk: A weakness was found in postgresql-jdbc before version 42.2.5. It was possible to provide an SSL Factory and not check the host name if a host name verifier was not provided to the driver. This could lead to a condition where a man-in-the-middle attacker could masquerade as a trusted server by providing a certificate for the wrong host, as long as it was signed by a trusted CA.
      Explanation: The postgresql package is vulnerable to Man-in-the-Middle (MitM) attacks. When using a non-default SSL Factory, the postgresql JDBC driver doesn't validate the hostname of SSL certificates. An attacker can potentially exploit this behavior to perform a MitM attack.
      Action: Switch to 42.2.5

      Repository: onap-dcaegen2-services-son-handler
      Group : Artifact : Version: org.springframework : spring-web : 5.0.9.RELEASE
      Risk: Spring Framework, version 5.1, versions 5.0.x prior to 5.0.10, versions 4.3.x prior to 4.3.20, and older unsupported versions on the 4.2.x branch provide support for range requests when serving static resources through the ResourceHttpRequestHandler, or starting in 5.0 when an annotated controller returns an org.springframework.core.io.Resource. A malicious user (or attacker) can add a range header with a high number of ranges, or with wide ranges that overlap, or both, for a denial of service attack.
      Action: Switch to 5.0.11.RELEASE

      Repository: onap-dcaegen2-services-son-handler
      Group : Artifact : Version: dom4j : dom4j : 1.6.1
      Risk: Description from CVE: dom4j version prior to version 2.1.1 contains a CWE-91: XML Injection vulnerability in Class: Element. Methods: addElement, addAttribute that can result in an attacker tampering with XML documents through XML injection. This attack appears to be exploitable via an attacker specifying attributes or elements in the XML document. This vulnerability appears to have been fixed in 2.1.1 or later.
      Explanation: The dom4j package is vulnerable to XML Injection. The QName() function in the QName class file does not properly sanitize the QName input attribute value(s). A remote attacker can exploit this vulnerability by injecting an XML object that contains arbitrary code in the element and attribute names, hence leading to XML Injection.
      Action: No non-vulnerable version available. Request Exception

      Repository: onap-dcaegen2-services-son-handler
      Group : Artifact : Version: org.springframework.data : spring-data-commons-core : 1.0.0.RELEASE
      Risk: Spring Data Commons, versions 1.13 to 1.13.10, 2.0 to 2.0.5, and older unsupported versions, contain a property path parser vulnerability caused by unlimited resource allocation. An unauthenticated remote malicious user (or attacker) can issue requests against Spring Data REST endpoints or endpoints using property path parsing which can cause a denial of service (CPU and memory consumption).
      Action: No non-vulnerable version available. Request
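
      For the jackson-databind finding above, one way to follow the "do not use the default typing" workaround is to drop global default typing and declare a closed set of named subtypes, used here in place of the custom TypeResolverBuilder the note mentions. This is an added example, not son-handler code; the class, field and type names are hypothetical, and it assumes jackson-databind 2.9.x on the classpath.

```java
import com.fasterxml.jackson.annotation.JsonSubTypes;
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;

public class TypedPayloadDemo {

    // Closed hierarchy: the JSON carries a logical name ("kind"), never a Java class name.
    @JsonTypeInfo(use = JsonTypeInfo.Id.NAME, include = JsonTypeInfo.As.PROPERTY, property = "kind")
    @JsonSubTypes({
        @JsonSubTypes.Type(value = CellUpdate.class, name = "cell-update"),
        @JsonSubTypes.Type(value = NeighborUpdate.class, name = "neighbor-update")
    })
    public abstract static class Event { public String source; }
    public static class CellUpdate extends Event { public int pci; }
    public static class NeighborUpdate extends Event { public String neighborId; }

    // The payload field is declared as Event, not Object, so only the two subtypes can be built.
    public static class Envelope { public Event event; }

    // The configuration the scan flags: class names in the input choose the type to instantiate.
    // Shown for contrast only; it is never called here.
    static ObjectMapper flaggedMapper() {
        return new ObjectMapper().enableDefaultTyping();
    }

    // Hardened: no global default typing; polymorphism is limited to the annotated hierarchy.
    static ObjectMapper hardenedMapper() {
        return new ObjectMapper();
    }

    public static void main(String[] args) throws Exception {
        ObjectMapper mapper = hardenedMapper();

        // Constructed sample input with a type name from the allow-list.
        String known = "{\"event\":{\"kind\":\"cell-update\",\"source\":\"du-1\",\"pci\":42}}";
        Envelope env = mapper.readValue(known, Envelope.class);
        System.out.println("parsed as " + env.event.getClass().getSimpleName());

        // Constructed sample input whose type id is a class name outside the allow-list.
        String unknown = "{\"event\":{\"kind\":\"com.example.NotListed\",\"source\":\"x\"}}";
        try {
            mapper.readValue(unknown, Envelope.class);
            System.out.println("accepted: the subtype list is not being enforced");
        } catch (JsonMappingException ex) {
            System.out.println("rejected: " + ex.getClass().getSimpleName());
        }
    }
}
```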

       
       
       
       
       

            ramya2709
            vv770d