...
| Repository | Group | Impact Analysis | Action | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| com.fasterxml.jackson.core | False Positive. The exploit primarily is about enabling polymorphic type handling with the object mapper and writing class specifics into the JSON object. There are two ways of doing this:
By default the ObjectMapper does not enableDefaultTyping, the code base is not using either approach, so the possibility of the exploit vector does not apply. | |||||||||||
| com.fasterxml.jackson.core | DMaaP client dependency: From Dmaap Security/Vulnerability - Beijing: The application is vulnerable by using this component, when default typing is enabled. Message Router do not use the default typing, so using the jackson-databind will not make message router vulnerable | |||||||||||
| org.codehaus.jackson | False Positive. The exploit primarily is about enabling polymorphic type handling with the object mapper and writing class specifics into the JSON object. There are two ways of doing this:
By default the ObjectMapper does not enableDefaultTyping, the resources code bases are not using either approach, so the possibility of the exploit vector does not apply. | |||||||||||
| aai/esr-server | com.fasterxml.jackson.core | False Positive Explanation: This vulnerability issue only exists if com.fasterxml.jackson.databind.ObjectMapper.setDefaultTyping() is called before it is used for deserialization. esr-server doesn't invoke this method, esr-server use new Gson().fromJson(String json, Obj.class) and new Gson().toJson(obj) to deserialization and serialization. https://github.com/FasterXML/jackson-docs/wiki/JacksonPolymorphicDeserialization In esr-server, Gson is used to deserialization and serialization: | |||||||||||
| aai/champ | commons-httpclient | False positive. This is imported by hadoop which is used for hbase configs; in Beijing, AAI is configured with Janus on cassandra so it will not be accessing these classes. In Casablanca, Champ will serve as a multi-purpose data broker so we will look to upgrade the hadoop libraries to the most current versions. | |||||||||||
| aai/search-data-service | com.google.guava | A dependency of a child dependency, json-schema-validator. Even the latest version of json-schema-validator does not have the required fix version for the above components. | |||||||||||
| aai/search-data-service | code.libphonumber | A dependency of a child dependency, json-schema-validator. Even the latest version of json-schema-validator does not have the required fix version for the above components. | |||||||||||
| aai/search-data-service | javax.mail | A dependency of a child dependency, json-schema-validator. Even the latest version of json-schema-validator does not have the required fix version for the above components. | |||||||||||
aai/data-router | org.apache.cxf | This artifact is a child dependency for data-router which comes from camel-cxf:2.22.1, and 2.22.1 is the latest version available for camel-cxf. | |||||||||||
| org.codehaus.groovy | This dependency is a child dependency of org.apache.tinkerpop:gremlin-groovy which is required for traversals. We tried a later version but it is not compatible with the graphdb. | |||||||||||
| com.google.guava | This dependency is a child dependency of Cassandra which is required for the graphdb; newer versions of Cassandra do not upgrade to a non-vulnerable version of this depedency. | |||||||||||
aai/aai-resources aai/cacher aai/aai-common | org.apache.activemq | This vulnerability is dependent on XalanXPathEvaluator.java using an insecure or absent document parser. AAI does not use this function, so it does not apply to AAI | |||||||||||
| aai/esr-server | com.smoketurner.dropwizard | Can the security team show the AAI/ESR team how this component is showing up the dependencies? If you look at the dependency tree it's not called out, so we are not sure how to proceed: https://jenkins.onap.org/job/aai-esr-server-maven-clm-master/12/consoleFull From Pawel: "as it is related to - jackson-databind is vulnerable to Remote Code Execution (RCE). Please simply add this line into your analysis." | |||||||||||
| aai/champ | org.apache.hadoop |
| |||||||||||
| org.springframework.boot (child dependency has tomcat embed) |
| |||||||||||
| aai/aai-common | org.spring-web |
| |||||||||||
| aai/spike | org.spring-web |
| |||||||||||
| aai/chameleon | commons-fileupload |
| |||||||||||
| aai/chameleon | commons-codec |
| |||||||||||
| aai/event-client | com.rabbitmq |
|
...