...
| Repository | Group | Impact Analysis | Action | |||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| com.fasterxml.jackson.core | False Positive. The exploit primarily is about enabling polymorphic type handling with the object mapper and writing class specifics into the JSON object. There are two ways of doing this:
By default the ObjectMapper does not enableDefaultTyping, the code base is not using either approach, so the possibility of the exploit vector does not apply. | ||||||||||||||||||||||||||||||||||||||||
| com.fasterxml.jackson.core | DMaaP client dependency: From Dmaap Security/Vulnerability - Beijing: The application is vulnerable by using this component, when default typing is enabled. Message Router do not use the default typing, so using the jackson-databind will not make message router vulnerable | ||||||||||||||||||||||||||||||||||||||||
| org.codehaus.jackson | False Positive. The exploit primarily is about enabling polymorphic type handling with the object mapper and writing class specifics into the JSON object. There are two ways of doing this:
By default the ObjectMapper does not enableDefaultTyping, the resources code bases are not using either approach, so the possibility of the exploit vector does not apply. | ||||||||||||||||||||||||||||||||||||||||
| aai/esr-server | com.fasterxml.jackson.core | False Positive Explanation: This vulnerability issue only exists if com.fasterxml.jackson.databind.ObjectMapper.setDefaultTyping() is called before it is used for deserialization. esr-server doesn't invoke this method, esr-server use new Gson().fromJson(String json, Obj.class) and new Gson().toJson(obj) to deserialization and serialization. https://github.com/FasterXML/jackson-docs/wiki/JacksonPolymorphicDeserialization In esr-server, Gson is used to deserialization and serialization: | ||||||||||||||||||||||||||||||||||||||||
| aai/router-core | org.springframework | This should be fixed if router-core moves to the Casablanca version of aai-schema ingest, see the JIRA ticket for details. |
| |||||||||||||||||||||||||||||||||||||||
| aai/champ | commons-httpclient | False positive. This is imported by hadoop which is used for hbase configs; in Beijing, AAI is configured with Janus on cassandra so it will not be accessing these classes. In Casablanca, Champ will serve as a multi-purpose data broker so we will look to upgrade the hadoop libraries to the most current versions. | ||||||||||||||||||||||||||||||||||||||||
| aai/search-data-service | com.google.guava | A dependency of a child dependency, json-schema-validator. Even the latest version of json-schema-validator does not have the required fix version for the above components. | ||||||||||||||||||||||||||||||||||||||||
| aai/search-data-service | code.libphonumber | A dependency of a child dependency, json-schema-validator. Even the latest version of json-schema-validator does not have the required fix version for the above components. | ||||||||||||||||||||||||||||||||||||||||
| aai/search-data-service | javax.mail | A dependency of a child dependency, json-schema-validator. Even the latest version of json-schema-validator does not have the required fix version for the above components. | ||||||||||||||||||||||||||||||||||||||||
| aai/data-router | org.apache.cxf | This artifact is a child dependency for data-router which comes from camel-cxf:2.22.1, and 2.22.1 is the latest version available for camel-cxf. | ||||||||||||||||||||||||||||||||||||||||
| org.codehaus.groovy | This dependency is a child dependency of org.apache.tinkerpop:gremlin-groovy which is required for traversals. We tried a later version but it is not compatible with the graphdb. | ||||||||||||||||||||||||||||||||||||||||
| com.google.guava | This dependency is a child dependency of Cassandra which is required for the graphdb; newer versions of Cassandra do not upgrade to a non-vulnerable version of this depedency. | ||||||||||||||||||||||||||||||||||||||||
aai/aai-resources aai/cacher aai/aai-common | org.apache.activemq | This vulnerability is dependent on XalanXPathEvaluator.java using an insecure or absent document parser. AAI does not use this function, so it does not apply to AAI | ||||||||||||||||||||||||||||||||||||||||
| aai/aai-traversal aai/graphadmin | io.netty |
| aai/data-router | org.apache.cxf |
|
...