Task
Resolution: Done
High
None
None
DCAE R4 Sprint 7
The following vulnerabilities were identified in the CLM scan.
1) Evaluate each identified risk; if the component is not impacted, provide a justification for each finding explaining why the vulnerability does not apply.
2) If impacted, upgrade or remove the dependency where a workaround exists, or upgrade the netty/play/zookeeper version as recommended (last column).
If a dependency cannot be removed for Dublin (e.g. Jackson databind) and no non-vulnerable version is available, identify it and provide a plan for how it could be resolved in a future release.
Project | Dependency | Vulnerability | Recommendation / Resolution
--- | --- | --- | ---
onap-dcaegen2-services-bbs-event-processor | org.hibernate : hibernate-validator : 5.2.4.Final | In Hibernate Validator 5.2.x before 5.2.5.Final, 5.3.x, and 5.4.x, it was found that when the security manager's reflective permissions, which allow access to the private members of a class, are granted to Hibernate Validator, a potential privilege escalation can occur. By allowing the calling code to access those private members without the permission, an attacker may be able to validate an invalid instance and access the private member value via ConstraintViolation#getInvalidValue(). | Upgrade to 5.3.6.Final
onap-dcaegen2-services-bbs-event-processor | com.fasterxml.jackson.core:jackson-databind:2.97 | The application is vulnerable by using this component when default typing is enabled and untrusted data is passed in to be deserialized. Note: Spring Security has provided their own fix for this vulnerability (CVE-2017-4995). If this component is being used as part of Spring Security, then you are not vulnerable if you are running Spring Security 4.2.3.RELEASE or greater for 4.x or Spring Security 5.0.0.M2 or greater for 5.x. | Can request an exception if it cannot be addressed in time for Dublin; will need to be handled for the E release.
onap-dcaegen2-services-bbs-event-processor | com.fasterxml.jackson.core:jackson-databind:2.97 | jackson-databind is vulnerable to Remote Code Execution (RCE). The validateSubType() function in the SubTypeValidator class allows untrusted Java objects to be deserialized. A remote attacker can exploit this by uploading a malicious serialized object that will result in RCE if the application attempts to deserialize it. Workaround: Do not use the default typing. Instead you will need to implement your own. | Can request an exception if it cannot be addressed in time for Dublin; will need to be handled for the E release.
onap-dcaegen2-services-bbs-event-processor | com.fasterxml.jackson.core:jackson-databind:2.97 | The application is vulnerable by using this component when default typing is enabled and untrusted data is passed in to be deserialized. Workaround: Do not use the default typing. Instead you will need to implement your own. | Can request an exception if it cannot be addressed in time for Dublin; will need to be handled for the E release.
onap-dcaegen2-services-bbs-event-processor | com.fasterxml.jackson.datatype:jackson-datatype-jsr310:2.9.7 | The FasterXML jackson-datatype-jsr310 package contains a Denial of Service (DoS) vulnerability. The deserialize() method in the DurationDeserializer class and the _fromDecimal() method in the InstantDeserializer class allow arbitrarily large BigDecimal initialization values. A remote attacker can exploit this vulnerability by crafting and submitting a request that causes the application to deserialize an inordinately large value, causing the application to hang and leading to a DoS situation. The application is vulnerable by using the DurationDeserializer or InstantDeserializer classes of this component to deserialize untrusted data. | Can request an exception if it cannot be addressed in time for Dublin; will need to be handled for the E release.
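The jackson-databind rows above hinge on one configuration choice: whether global default typing is enabled. The following is an added illustration, not code from the bbs-event-processor project, of the weak setting next to the "implement your own" workaround the scan recommends, i.e. leaving default typing off and expressing polymorphism through a closed, annotated list of subtypes. The `BbsEvent`, `PnfRegistration` and `CpeAuthentication` types and the `type` discriminator are assumed for the example.

```java
import com.fasterxml.jackson.annotation.JsonSubTypes;
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;

public class SafeTypingExample {

    // Weak setting: global default typing lets the JSON document name the
    // Java class to instantiate (an "@class" property), so untrusted input
    // chooses the type. This is the configuration the scan finding targets.
    static ObjectMapper vulnerableMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping(ObjectMapper.DefaultTyping.NON_FINAL);
        return mapper;
    }

    // Hardened setting: default typing stays off (the ObjectMapper default).
    // Polymorphic fields resolve only through the subtype list declared below.
    static ObjectMapper hardenedMapper() {
        return new ObjectMapper();
    }

    // Hypothetical event hierarchy: a logical name, not a class name, selects
    // the subtype, and only the two listed classes can ever be produced.
    @JsonTypeInfo(use = JsonTypeInfo.Id.NAME, property = "type")
    @JsonSubTypes({
        @JsonSubTypes.Type(value = PnfRegistration.class, name = "pnfRegistration"),
        @JsonSubTypes.Type(value = CpeAuthentication.class, name = "cpeAuthentication")
    })
    interface BbsEvent {}

    static class PnfRegistration implements BbsEvent { public String correlationId; }
    static class CpeAuthentication implements BbsEvent { public String correlationId; }

    public static void main(String[] args) throws Exception {
        ObjectMapper mapper = hardenedMapper();

        // Constructed input using a declared type name: deserializes normally.
        BbsEvent ok = mapper.readValue(
            "{\"type\":\"pnfRegistration\",\"correlationId\":\"c1\"}", BbsEvent.class);
        System.out.println("accepted: " + ok.getClass().getSimpleName());

        // Constructed input naming an arbitrary class: rejected, never instantiated.
        try {
            mapper.readValue(
                "{\"type\":\"java.util.HashMap\",\"correlationId\":\"c1\"}", BbsEvent.class);
        } catch (InvalidTypeIdException e) {
            System.out.println("rejected unknown type id: " + e.getTypeId());
        }
    }
}
```

A quick audit check for this finding is to grep the code base for `enableDefaultTyping` or `@JsonTypeInfo(use = JsonTypeInfo.Id.CLASS`; if neither appears, the default-typing path the scan describes is not reachable with untrusted input.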