Versions Compared


  • aai/champ

False Positive.

The exploit depends on polymorphic type handling being enabled on the ObjectMapper, so that class names written into the JSON object are honoured on deserialization. There are two ways of enabling this:

  • ObjectMapper.enableDefaultTyping()
  • @JsonTypeInfo for marshalling / unmarshalling an object

    By default the ObjectMapper does not enable default typing, and the resources code bases use neither approach, so the exploit vector does not apply.

    The /aai code base uses neither approach, so the exploit vector does not apply.

    There is no newer version of the dependency to upgrade to.

    Issue is a false positive.

    This vulnerability depends on XalanXPathEvaluator.java using an insecure or absent document parser. AAI does not use this class.
    Repository / Group / Impact Analysis / Action
    • aai/model-loader
    • aai/babel
    • aai/sparky-be
    • aai/data-router
    • aai/aai-resources
    • aai/aai-traversal
    • aai/event-client
    • aai/gizmo
    • aai/champ
    • aai/search-data-service
    com.fasterxml.jackson.core

    False Positive.

    The exploit depends on polymorphic type handling being enabled on the ObjectMapper, so that class names written into the JSON object are honoured on deserialization. There are two ways of enabling this:

    1. ObjectMapper.enableDefaultTyping()
    2. @JsonTypeInfo for marshalling / unmarshalling an object

    By default the ObjectMapper does not enable default typing, and the code base uses neither approach, so the exploit vector does not apply.


    • aai/event-client
    com.fasterxml.jackson.core

    DMaaP client dependency:

    From Dmaap Security/Vulnerability - Beijing: The application is vulnerable by using this component when default typing is enabled. Message Router does not use default typing, so using jackson-databind will not make Message Router vulnerable.



    • aai/aai-common
    com.fasterxml.jackson.core

    False Positive.

    The exploit depends on polymorphic type handling being enabled on the ObjectMapper, so that class names written into the JSON object are honoured on deserialization. There are two ways of enabling this:

    1. ObjectMapper.enableDefaultTyping()
    2. @JsonTypeInfo for marshalling / unmarshalling an object

    By default the ObjectMapper does not enable default typing, and the code base uses neither approach, so the exploit vector does not apply.


    • aai/aai-resources
    • aai/aai-traversal
    • aai/champ
    org.codehaus.jackson

    False Positive.

    The exploit depends on polymorphic type handling being enabled on the ObjectMapper, so that class names written into the JSON object are honoured on deserialization. There are two ways of enabling this:

    1. ObjectMapper.enableDefaultTyping()
    2. @JsonTypeInfo for marshalling / unmarshalling an object

    By default the ObjectMapper does not enable default typing, and the resources code bases use neither approach, so the exploit vector does not apply.

    Jira: AAI-900
    • aai/aai-common
    org.codehaus.jackson

    False Positive.

    The exploit depends on polymorphic type handling being enabled on the ObjectMapper, so that class names written into the JSON object are honoured on deserialization. There are two ways of enabling this:


    1. ObjectMapper.enableDefaultTyping()
    2. @JsonTypeInfo for marshalling / unmarshalling an object


    By default the ObjectMapper does not enableDefaultTyping, the

    • aai/search-data-service
    com.fasterxml.jackson.core

    False Positive.

    The exploit depends on polymorphic type handling being enabled on the ObjectMapper, so that class names written into the JSON object are honoured on deserialization. There are two ways of enabling this:

    1. ObjectMapper.enableDefaultTyping()
    2. @JsonTypeInfo for marshalling / unmarshalling an object

    By default the ObjectMapper does not enable default typing, and the search-data-service code base uses neither approach, so the exploit vector does not apply.
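As an added illustration of the two mechanisms named in the rows above (this is example code written for this page, not code from the AAI repositories or from Jackson's documentation): a default ObjectMapper treats a class name embedded in the JSON as ordinary string data, while the same document given to a mapper with enableDefaultTyping() instantiates the named class. The second half goes slightly beyond the text and shows the @JsonTypeInfo approach in its closed form, where the permitted subtypes are enumerated by logical name. The class DefaultTypingCheck, the Vserver/Pserver types and the "kind" property are invented for the example; the java.util.TreeMap type hint is deliberately harmless, and the check only reports whether the name is honoured at all.

```java
// Added example (not ONAP AAI code). Demonstrates what "polymorphic type
// handling" means for the jackson-databind finding, and gives a check a project
// can keep in its test suite to assert that its ObjectMapper stays in the
// default, non-polymorphic mode.
import com.fasterxml.jackson.annotation.JsonSubTypes;
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import java.util.TreeMap;

public class DefaultTypingCheck {

    // Constructed input: a JSON document carrying a class name as a type hint in
    // the WRAPPER_ARRAY layout that enableDefaultTyping() understands.
    // java.util.TreeMap is harmless; only whether the name is honoured matters.
    static final String TYPE_HINTED_JSON = "[\"java.util.TreeMap\", {\"k\": \"v\"}]";

    /** Returns true if the mapper instantiates classes named inside the JSON. */
    static boolean honoursClassNamesInJson(ObjectMapper mapper) throws Exception {
        Object value = mapper.readValue(TYPE_HINTED_JSON, Object.class);
        // Default mode: the array is just a List and the class name is a String element.
        // Default-typing mode: the array is a type wrapper and a TreeMap is created.
        return value instanceof TreeMap;
    }

    // Approach 2 from the analysis in its closed form: subtypes are enumerated
    // with logical names (hypothetical "vserver"/"pserver"), so the JSON cannot
    // name an arbitrary class.
    @JsonTypeInfo(use = JsonTypeInfo.Id.NAME, property = "kind")
    @JsonSubTypes({
        @JsonSubTypes.Type(value = Vserver.class, name = "vserver"),
        @JsonSubTypes.Type(value = Pserver.class, name = "pserver")
    })
    public interface Node {}
    public static class Vserver implements Node { public String id; }
    public static class Pserver implements Node { public String id; }

    public static void main(String[] args) throws Exception {
        ObjectMapper plain = new ObjectMapper();
        System.out.println("default mapper honours class names: "
                + honoursClassNamesInJson(plain));                       // false
        System.out.println("default mapper sees: "
                + plain.readValue(TYPE_HINTED_JSON, Object.class).getClass().getSimpleName()); // ArrayList

        // The configuration the finding is about. Deprecated in jackson-databind
        // 2.10+, where activateDefaultTyping(PolymorphicTypeValidator, ...) replaces it.
        @SuppressWarnings("deprecation")
        ObjectMapper polymorphic = new ObjectMapper().enableDefaultTyping();
        System.out.println("enableDefaultTyping mapper honours class names: "
                + honoursClassNamesInJson(polymorphic));                 // true

        // Closed @JsonTypeInfo: "kind" is resolved against the @JsonSubTypes list.
        Node n = plain.readValue("{\"kind\":\"vserver\",\"id\":\"vs-1\"}", Node.class);
        System.out.println("typed node: " + n.getClass().getSimpleName()); // Vserver

        // A name outside the list is rejected instead of being loaded as a class.
        try {
            plain.readValue("{\"kind\":\"java.util.TreeMap\",\"id\":\"x\"}", Node.class);
        } catch (JsonMappingException e) {
            System.out.println("unknown kind rejected: " + e.getClass().getSimpleName());
        }
    }
}
```

A project that wants to keep this finding a false positive can turn honoursClassNamesInJson into a unit test run against every ObjectMapper it constructs, so that a later change which switches on default typing fails the build rather than going unnoticed; on jackson-databind 2.10 and later, enableDefaultTyping() is deprecated in favour of activateDefaultTyping(PolymorphicTypeValidator, ...), which requires an explicit allow-list of permitted base and sub types.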



    • aai/esr-server
    com.fasterxml.jackson.core

    False Positive

    Explanation:

    This vulnerability only exists if com.fasterxml.jackson.databind.ObjectMapper.setDefaultTyping() is called on the mapper before it is used for deserialization.

    esr-server does not invoke this method; it uses new Gson().fromJson(String json, Obj.class) and new Gson().toJson(obj) for deserialization and serialization.

    https://github.com/FasterXML/jackson-docs/wiki/JacksonPolymorphicDeserialization

    In esr-server, Gson is used for deserialization and serialization:

    https://gerrit.onap.org/r/gitweb?p=aai/esr-server.git;a=blob;f=esr-mgr/src/main/java/org/onap/aai/esr/wrapper/EmsManagerWrapper.java;h=588baad96c7942e83e0670784bbf423505c7b194;hb=HEAD

    https://gerrit.onap.org/r/gitweb?p=aai/esr-server.git;a=blob;f=esr-mgr/src/main/java/org/onap/aai/esr/wrapper/ThirdpartySdncWrapper.java;h=874205920c156f12df0bc591638a24e3f5575c76;hb=HEAD

    https://gerrit.onap.org/r/gitweb?p=aai/esr-server.git;a=blob;f=esr-mgr/src/main/java/org/onap/aai/esr/wrapper/VimManagerWrapper.java;h=fe44536cecb3f9ae9eaa3d99ff7b2d52511e2d52;hb=HEAD

    https://gerrit.onap.org/r/gitweb?p=aai/esr-server.git;a=blob;f=esr-mgr/src/main/java/org/onap/aai/esr/wrapper/VnfmManagerWrapper.java;h=8c7c5d39ceadff5e17f9c6d26d5540be49ada070;hb=HEAD

    https://gerrit.onap.org/r/gitweb?p=aai/esr-server.git;a=blob;f=esr-mgr/src/main/java/org/onap/aai/esr/util/ExtsysUtil.java;h=3bd01772356055e9711705b8518d55f1678b5179;hb=HEAD

    • aai/aai-resources
    • aai/aai-traversal
    • aai/aai-common
    org.apache.activemq


    • aai/champ
    commons-httpclient

    False positive. This is imported by hadoop, which is used for the HBase configs; in Beijing, AAI is configured with Janus on Cassandra, so it will not access these classes. In Casablanca, Champ will serve as a multi-purpose data broker, so we will look to upgrade the hadoop libraries to the most current versions.



