Jira No | Summary | Description | Status | Solution

Zoom security issues 

The Orange team will be banned from using Zoom starting next week for security reasons. AT&T does not use Zoom for internal business, but ONAP is treated as open source, so Zoom is allowed there.

In Samsung, Zoom can be used by exception.

For the next 90 days Zoom will focus on fixing vulnerabilities rather than delivering new features. Amy shared a link to a blog post describing the Zoom vulnerabilities. Weak cryptography is one of the biggest issues for Zoom as of today.

It is crucial to apply all Zoom updates containing vulnerability fixes.

We continue using our new Zoom!


Latest feedback received from Integration team

Morgan shared the following feedback:

  • no more JDWP ports exposed
  • no CVE reported on k8s by aquasecurity kube-hunter
  • in // there is only 1 HTTP port exposed publicly (music) – (no OJSI as it appeared after the scans) so not far to reach also the green light here
  • still lots of rooted pods (34 vs. 210 2 weeks ago)
  • special thanks to Pawel W. who wrote most of the tests!

For the only HTTP port exposed, action for Amy: contact PTL Bharath. No OJSI ticket was assigned; either it should have appeared after our scans, or the component was not responding at the scanning moment. There is no value in opening additional tickets. The MUSIC team should either remove HTTP, switch to HTTPS, or ask for a waiver with justification.


Virtual ONAP event
  • SECCOM Guilin security requirements update - Paweł
  • Holistic view of ONAP security – Krzysztof/Amy
    • Access control
    • Storing permission
    • Hardening
    • Logging 
    • Gaps identified
  • Akraino reference for security documentation - Amy
  • CNTT alignment meeting – to be consulted with Samuli
  • Service Mesh – analysis and then with Architecture Subcommittee - Krzysztof
  • Logs management evolution in ONAP - Pawel
  • VNF security requirements - Amy
  • Package upgrade strategy – Amy/Pawel
  • Communication matrix - Natacha
  • Password removal continued and no hardcoded passwords for a new code - Krzysztof

We should come back to the Architecture Subcommittee with a proposal for Service Mesh and, once it is approved, approach the TSC for a recommendation.


Guilin package upgrade proposal

Available here. Under restricted access, the Wiki provides, per repository, information about direct dependency vulnerabilities and the recommended upgrade version. Additionally, a status column should reflect the actual status of the upgrade process. Priority 1 is the highest and reflects critical vulnerabilities to upgrade; Priority 2 reflects severe-level vulnerabilities. Each project will have all the information in one place under its dedicated Wiki page. For each project a Jira ticket will be opened with a link to the Wiki. In some cases we will not eliminate all vulnerabilities, but we will significantly reduce them.

CLAMP is the first project without any direct vulnerability - congratulations to Martial and the project team!

Jira report update

Report is available here.

OJSI-145 is on the whitelist - to be checked why. 3 issues from SDC; one issue from the VES collector is blocked by some integration testing. For VNFSDK - why are they still exposing JDWP? OOM made really good progress with password removal around MariaDB-Galera.

Morgan reports the scan results of the current ONAP instance. For transparency, we expect the commit hash of the change removing the vulnerability.

Message to be shared with PTLs.


New zoom bridge for SECCOM

Kenny shared good news. We have a dedicated Zoom for SECCOM purposes.


Service Mesh risk analysis – meeting summary available here

Service mesh requirements from security perspective followed by risk analysis. Logging was discussed with special focus on Fluentd.

Fabian created a platform for service mesh. UDP not supported in service mesh? (open question)

UDP support in service mesh - to be further elaborated. Link provided by Krzysztof: https://istio.io/docs/ops/configuration/traffic-management/protocol-selection/


Images

No image is available for Go. Ubuntu 18.04 LTS. CoreOS is used by ETCD, and ETCD is used by MultiCloud. But the point was to update the CentOS version.

A tool that could be used to draw graphs for a single image and merge them into a single one.

Hackathon for https

Self-signed TLS certificates to be used around the beginning of the release. The same methodology is to be used by all projects: by M1 support for https, then a Hackathon is organized, and by M2 everyone is integrated with AAF.


OUR NEXT SECCOM MEETING CALL WILL BE HELD ON 14th OF APRIL'20


Attachments:

  • 2020-04-07_SECCOM_week.mp4
  • 2020-04-07 ONAP Security Meeting - AgendaAndMinutes.pptx