Project: Data Collection, Analytics, and Events
Issue: DCAEGEN2-2768

SECCOM - DCAE Vulnerability updates for Istanbul

Address vulnerabilities identified by SECCOM under https://wiki.onap.org/display/SV/Istanbul+DCAE

Below is the current list as of 05/13/2021 identified by SECCOM.

Project’s assessment/Istanbul Target (M2) updated as of 06/01 (revised 06/28 for tomcat-embed-core).

dcaegen2-analytics-tca-gen2 - DCAEGEN2-2803

||Status||Priority||Component name and version||Threat level||Recommended version||Project’s assessment/Istanbul Target (M2)||
|OPEN|2|netty-handler : 4.1.54.Final|6, 5|4.1.63.Final|Update to SECCOM recommended version. 07/16/2021 - This library is no longer utilized by TCA (the latest CLM report does not flag this vulnerability)|
|OPEN|2|io.springfox : springfox-swagger2 : 3.0.0|5|???|Already on latest version; no change for Istanbul release|
|OPEN|2|undertow-core : 2.2.2.Final|5, 4|2.2.7.Final|As 2.2.8.Final is available, will try upgrading to the latest for Istanbul|
|OPEN|2|httpclient : 4.5.8|5|4.5.13|Update to SECCOM recommended version|

dcaegen2-collectors-datafile - DCAEGEN2-2804

||Status||Priority||Component name and version||Threat level||Recommended version||Project’s assessment/Istanbul Target (M2)||
|OPEN|1|org.apache.tomcat.embed : tomcat-embed-core : 9.0.39|7, 7, 7, 5|???|No new non-vulnerable version available currently. 9.x latest is 9.0.46; however, 10.0.6 is the most current/latest. Try upgrading to the latest version (10.0.6) for Istanbul. 06/28/21 - Recommendation to go with 9.0.46 for Istanbul|
|OPEN|1|spring-web : 5.3.1|9|5.3.6|As 5.3.7 is available, will try upgrading to the latest for Istanbul|
|OPEN|2|io.springfox : springfox-swagger2 : 2.9.2|5|???|No new non-vulnerable version available; will try upgrading to the latest version (3.0.0) for Istanbul|

onap-dcaegen2-collectors-restconf

||Status||Priority||Component name and version||Threat level||Recommended version||Project’s assessment/Istanbul Target (M2)||
|OPEN|2|io.springfox : springfox-swagger2 : 3.0.0|5|???|Already on latest version; no change for Istanbul release|

dcaegen2-collectors-ves

||Status||Priority||Component name and version||CVE||Threat level||Recommended version||Project’s assessment/Istanbul Target (M2)||
|OPEN|2|io.springfox : springfox-swagger2 : 3.0.0|SONATYPE-2020-0907|5|???|Already on latest version; no change for Istanbul release|

dcaegen2-platform-inventory-api

||Status||Priority||Component name and version||Threat level||Recommended version||Project’s assessment/Istanbul Target (M2)||
|OPEN|2|httpclient : 4.5.8|5|4.5.13|Repo will be archived for Istanbul; continue Honolulu version until fully migrated to Helm|
|OPEN|2|org.hibernate : hibernate-validator : 5.4.3.Final|6, 5|7.0.1.Final|Repo will be archived for Istanbul; continue Honolulu version until fully migrated to Helm|

dcaegen2-platform-mod-runtimeapi - DCAEGEN2-2805

||Status||Priority||Component name and version||Threat level||Recommended version||Project’s assessment/Istanbul Target (M2)||
|OPEN|1|commons-io : commons-io : 2.6|7|2.8.0|As 2.9.0 is available, will try upgrading to the latest for Istanbul|

dcaegen2-platform-servicechange-handler

||Status||Priority||Component name and version||Threat level||Recommended version||Project’s assessment/Istanbul Target (M2)||
|OPEN|1|jackson-dataformat-cbor : 2.9.9|7|2.12.3|Repo will be archived for Istanbul; continue Honolulu version until fully migrated to Helm|
|OPEN|1|snakeyaml : 1.14|7|1.28|Repo will be archived for Istanbul; continue Honolulu version until fully migrated to Helm|

dcaegen2-services-bbs-event-processor

||Status||Priority||Component name and version||Threat level||Recommended version||Project’s assessment/Istanbul Target (M2)||
|OPEN|2|io.springfox : springfox-swagger2 : 3.0.0|5|???|Already on latest version; no change for Istanbul release|

dcaegen2-services-mapper - DCAEGEN2-2806

||Status||Priority||Component name and version||Threat level||Recommended version||Project’s assessment/Istanbul Target (M2)||
|OPEN|1|xstream : 1.4.11.1|9, 9, 9, 9, 9, 9, 8, 8, 7, 7, 7, 6|1.4.16|As 1.4.17 is available with no policy violation, try upgrading to it for Istanbul|
|OPEN|1|log4j : 1.2.17|9|2.14.1 (log4j-core)|1.2.17 is the latest version; log4j-core is a different library. No change for Istanbul|
|OPEN|2|httpclient : 4.5.8|5|4.5.13|Update per SECCOM recommended version|
|OPEN|2|xercesImpl : 2.12.1|5|???|Already on latest; no change for Istanbul|
|OPEN| |org.codehaus.groovy : groovy-all : 2.4.14|6| |Select 2.4.21: next version with no policy violation|

dcaegen2-services-pm-mapper - DCAEGEN2-2807

||Status||Priority||Component name and version||Threat level||Recommended version||Project’s assessment/Istanbul Target (M2)||
|OPEN|1|freemarker : 2.3.28|7|2.3.31|Update per SECCOM recommended version|
|OPEN|2|undertow-core : 2.0.30.Final|5, 4, 4|2.2.7.Final|As 2.2.8.Final is available, will try upgrading to the latest for Istanbul|
|OPEN|2|httpclient : 4.5.7|5|4.5.13|Not flagged in the latest Nexus report; however, update per SECCOM recommended version|

dcaegen2-services-prh - DCAEGEN2-2808

||Status||Priority||Component name and version||Threat level||Recommended version||Project’s assessment/Istanbul Target (M2)||
|OPEN|1|org.apache.tomcat.embed : tomcat-embed-core : 9.0.41|7, 7|???|No new non-vulnerable version available currently. 9.x latest is 9.0.46; however, 10.0.6 is the most current/latest. Try upgrading to the latest version (10.0.6) for Istanbul. 06/28/21 - Recommendation to go with 9.0.46 for Istanbul|
|OPEN|1|org.springframework : spring-web : 5.3.3.RELEASE|9, 6|5.3.6 RELEASE|As 5.3.7 is available, will try upgrading to the latest for Istanbul|

dcaegen2-services-son-handler - DCAEGEN2-2809

||Status||Priority||Component name and version||Threat level||Recommended version||Project’s assessment/Istanbul Target (M2)||
|OPEN|1|org.apache.tomcat.embed : tomcat-embed-core : 9.0.39|7, 7, 7, 5|???|No new non-vulnerable version available currently. 9.x latest is 9.0.46; however, 10.0.6 is the most current/latest. Try upgrading to the latest version (10.0.6) for Istanbul. 06/28/21 - Recommendation to go with 9.0.46 for Istanbul|
|OPEN|1|org.springframework : spring-web : 5.2.10.RELEASE|9|5.3.6 RELEASE|As 5.3.7 is available, will try upgrading to the latest for Istanbul|
|OPEN|2|httpclient : 4.5.7|5|4.5.13|Update per SECCOM recommended version|
|OPEN|2|jetty-server : 9.4.17.v20190418|4|9.4.40.v20210413|Update per SECCOM recommended version|

dcaegen2-services-kpi-computation-ms - DCAEGEN2-2810

||Status||Priority||Component name and version||Threat level||Recommended version||Project’s assessment||
|OPEN| |io.undertow : undertow-core : 2.0.30.Final| | |As 2.2.8.Final is available, will try upgrading to the latest for Istanbul|
|OPEN| |org.springframework : spring-web : 5.2.7.RELEASE| | |5.3.6 RELEASE or 5.3.7|
|OPEN| |io.undertow : undertow-servlet : 2.0.30.Final| | |Select 2.0.34.Final (next version with no policy violation) or upgrade to latest 2.2.8.Final|
|OPEN| |org.apache.httpcomponents : httpclient : 4.5.7| | |Select 4.5.13: next version with no policy violation|
|OPEN| |org.eclipse.jetty : jetty-server : 9.4.17.v20190418| | |9.4.41.v20210516|


dcaegen2-services-slice-analysis-ms - DCAEGEN2-2811

||Status||Priority||Component name and version||Threat level||Recommended version||Project’s assessment||
|OPEN|1|org.apache.tomcat.embed : tomcat-embed-core : 9.0.36|7, 7, 7, 7, 5, 4|9.0.46|No new non-vulnerable version available currently. 9.x latest is 9.0.46; however, 10.0.6 is the most current/latest. Try upgrading to the latest version (10.0.6) for Istanbul. 06/28/21 - Recommendation to go with 9.0.46 for Istanbul|
|OPEN|1|postgresql : 42.2.5|7|42.2.13|Select 42.2.13: next version with no policy violation|
|OPEN|1|org.springframework : spring-web : 5.3.3.RELEASE|9, 7, 6|5.3.6 RELEASE|5.3.6 RELEASE or 5.3.7|
|OPEN|2|httpclient : 4.5.7|5|4.5.13|Select 4.5.13: next version with no policy violation|
|OPEN|2|jetty-server : 9.4.17.v20190418|4|9.4.41.v20210516|9.4.41.v20210516|

Assignee/Reporter: vv770d