Versions Compared

Old Version 2

changes.mady.by.user James Forsyth

Saved on

compared with

New Version 3

changes.mady.by.user James Forsyth

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

False Positive.

The exploit primarily is about enabling polymorphic type handling with the object mapper and writing class specifics into the JSON object.  There are two ways of doing this:

  1. ObjectMapper.enableDefaultTyping()
  2. @JsonTypeInfo for marshalling / unmarshalling an object
By default the ObjectMapper does not enableDefaultTyping, the code base is not using either approach, so the possibility of the exploit vector does not apply.
RepositoryGroupImpact AnalysisAction
  • aai/model-loader
  • aai/babel
  • aai/sparky-be
  • aai/data-router
  • aai/aai-resources
  • aai/aai-traversal
  • aai/event-client
  • aai/gizmo
  • aai/champ
  • aai/search-data-service
  • aai/aai-common
com.fasterxml.jackson.core

False Positive.

The exploit primarily is about enabling polymorphic type handling with the object mapper and writing class specifics into the JSON object.  There are two ways of doing this:


  1. ObjectMapper.enableDefaultTyping()
  2. @JsonTypeInfo for marshalling / unmarshalling an object


By default the ObjectMapper does not enableDefaultTyping, the code base is not using either approach, so the possibility of the exploit vector does not apply.


  • aai/event-client
com.fasterxml.jackson.core

DMaaP client dependency:

From Dmaap Security/Vulnerability - Beijing: The application is vulnerable by using this component, when default typing is enabled. Message Router do not use the default typing, so using the jackson-databind will not make message router vulnerable

aai/aai-commoncom.fasterxml.jackson.core



  • aai/aai-resouces
  • aai/aai-traversal
  • aai/champ
  • aai/aai-common
org.codehaus.jackson

False Positive.

The exploit primarily is about enabling polymorphic type handling with the object mapper and writing class specifics into the JSON object.  There are two ways of doing this:


  1. ObjectMapper.enableDefaultTyping()
  2. @JsonTypeInfo for marshalling / unmarshalling an object


By default the ObjectMapper does not enableDefaultTyping, the resources code bases are not using either approach, so the possibility of the exploit vector does not apply.



aai/esr-servercom.fasterxml.jackson.core

False Positive

Explanation:

This vulnerability issue only exists if com.fasterxml.jackson.databind.ObjectMapper.setDefaultTyping() is called before it is used for deserialization.

esr-server doesn't invoke this method, esr-server use new Gson().fromJson(String json, Obj.class) and new Gson().toJson(obj) to deserialization and serialization.

https://github.com/FasterXML/jackson-docs/wiki/JacksonPolymorphicDeserialization

In esr-server, Gson is used to deserialization and serialization:

https://gerrit.onap.org/r/gitweb?p=aai/esr-server.git;a=blob;f=esr-mgr/src/main/java/org/onap/aai/esr/wrapper/EmsManagerWrapper.java;h=588baad96c7942e83e0670784bbf423505c7b194;hb=HEAD

https://gerrit.onap.org/r/gitweb?p=aai/esr-server.git;a=blob;f=esr-mgr/src/main/java/org/onap/aai/esr/wrapper/ThirdpartySdncWrapper.java;h=874205920c156f12df0bc591638a24e3f5575c76;hb=HEAD

https://gerrit.onap.org/r/gitweb?p=aai/esr-server.git;a=blob;f=esr-mgr/src/main/java/org/onap/aai/esr/wrapper/VimManagerWrapper.java;h=fe44536cecb3f9ae9eaa3d99ff7b2d52511e2d52;hb=HEAD

https://gerrit.onap.org/r/gitweb?p=aai/esr-server.git;a=blob;f=esr-mgr/src/main/java/org/onap/aai/esr/wrapper/VnfmManagerWrapper.java;h=8c7c5d39ceadff5e17f9c6d26d5540be49ada070;hb=HEAD

https://gerrit.onap.org/r/gitweb?p=aai/esr-server.git;a=blob;f=esr-mgr/src/main/java/org/onap/aai/esr/util/ExtsysUtil.java;h=3bd01772356055e9711705b8518d55f1678b5179;hb=HEAD


aai/champcommons-httpclient

False positive. This is imported by hadoop which is used for hbase configs; in Beijing, AAI is configured with Janus on cassandra so it will not be accessing these classes. In Casablanca, Champ will serve as a multi-purpose data broker so we will look to upgrade the hadoop libraries to the most current versions.




...