Page History

...

Repository Group Impact Analysis Action

clamp

com.fasterxml.jackson.core

From NexusIQ:

"jackson-databind is vulnerable to Remote Code Execution (RCE). The createBeanDeserializer() function in the BeanDeserializerFactory class allows untrusted Java objects to be deserialized. A remote attacker can exploit this by uploading a malicious serialized object that will result in RCE if the application attempts to deserialize it."

We have added a Jackson wrapper that must be used in the code, it disables the incriminatedfeature. We have also added a unit test to ensure the code is secure.
We will change that library and replace it by another one (GSON)

Jira

server	ONAP JIRA
columns	key,summary,type,created,updated,due,assignee,reporter,priority,status,resolution
serverId	425b2b0a-557c-3c0c-b515-579789cceedb
key	CLAMP-236

clamp

angular

It impacts our UI as angular is the skeleton technology used in the code.

Anyway we have mitigated the issue by setting the angular version to 1.3.2 with the least amount of security issue reported by Nexus IQ (for Release 1.XX)

Analyze how to migrate the UI to a recent angular version (> 4.X)

Jira

server	ONAP JIRA
columns	key,summary,type,created,updated,due,assignee,reporter,priority,status,resolution
serverId	425b2b0a-557c-3c0c-b515-579789cceedb
key	CLAMP-223

clamp

bootstrap

It impacts our UI as bootstrap (one of the latest version, 4.1.1) is used in clamp code.

We could be impacted by the possible Cross-Site Scripting (XSS) reported by Nexus IQ

Wait until Bootstrap library is fixed or investigate how to delete/replace itbootstrap library 4.1.3 CLAMP is using, doesn't present a vulnerability anymore

Jira

server	ONAP JIRA
columns	key,summary,type,created,updated,due,assignee,reporter,priority,status,resolution
serverId	425b2b0a-557c-3c0c-b515-579789cceedb
key	CLAMP-237

...

Space shortcuts

Page tree

Versions Compared

Old Version 8

New Version Current

Key