This table lists the known exploitable and non-exploitable vulnerabilities in third-party packages used in the project.


Note: the shaded lines in the table below are vulnerabilities inherited from upstream projects on which we depend. The direct dependency is listed in the Impact Analysis section. Many of these are from the OpenDaylight Oxygen distribution, on which much of SDNC is based. These vulnerabilities will be reported as CVEs to the OpenDaylight project so they can address them.


Several vulnerabilities are noted in the libraries used. To mitigate the risk of exposure, it is recommended that secure network design be used to avoid any unnecessary access to SDNC.

| Repository | Group | Impact Analysis | Action |
|---|---|---|---|
| sdnc/apps, sdnc/oam | ch.qos.logback | False positive: only applies if logs are written to sockets (e.g. syslog), which does not apply in our case | No action needed |
| sdnc/oam | com.fasterxml | False positive: only applies if data format extension is used, which does not apply | No action needed |
| sdnc/oam | com.fasterxml | Inherited from OpenDaylight | Must be addressed in upstream OpenDaylight project |
| sdnc/apps, sdnc/northbound | com.fasterxml.jackson.core | Fixed in version 2.8.6 | Will be updated to 2.8.9 in maintenance release (See CCSDK-765) |
| sdnc/apps | com.fasterxml.jackson.core | Fixed in version 2.8.8.1 | Will be updated to 2.8.9 in maintenance release (See CCSDK-765) |
| sdnc/oam | com.fasterxml.jackson.core | Fixed in version 2.8.8.1 | Will be updated to 2.8.9 in maintenance release (See CCSDK-765) |
| sdnc/apps | com.fasterxml.jackson.core | Inherited from spring-boot | Must be addressed in upstream spring-boot |
| sdnc/apps | com.fasterxml.jackson.core | Inherited from spring-boot | Must be addressed in upstream spring-boot |
| sdnc/apps | com.fasterxml.jackson.core | Inherited from spring-boot | Must be addressed in upstream spring-boot |
| sdnc/apps | com.fasterxml.jackson.core | Inherited from spring-boot | Must be addressed in upstream spring-boot |
| sdnc/oam | com.google.guava | Inherited from zjsonpatch 0.2.1 | Fix targeted for maintenance release (See SDNC-536) |
| sdnc/apps, sdnc/northbound | com.google.guava | Inherited from swagger-core | Must be addressed in upstream swagger-core |
| sdnc/oam | dom4j | Inherited from spring-boot | Must upgrade to spring-boot version 2.1.0-RELEASE, which resolves this issue (SDNC-537) |
| sdnc/northbound | javax.mail | Inherited from OpenDaylight | Must be addressed in upstream OpenDaylight project |
| sdnc/oam | org.apache.commons | Inherited from zjsonpatch 0.2.1 | Fix targeted for maintenance release (See SDNC-536) |
| sdnc/northbound, sdnc/oam | org.apache.karaf.jaas | Inherited from OpenDaylight | Must be addressed in upstream OpenDaylight project |
| sdnc/northbound, sdnc/oam | org.apache.karaf.jaas | Inherited from OpenDaylight | Must be addressed in upstream OpenDaylight project |
| sdnc/oam | org.apache.logging.log4j | Inherited from spring-boot version 1.5.4-RELEASE | Must upgrade to spring-boot version 2.1.0-RELEASE, which resolves this issue (SDNC-537) |
| sdnc/oam | org.apache.tomcat.embed | Inherited from spring-boot version 1.5.4-RELEASE | Must upgrade to spring-boot version 2.1.0-RELEASE, which resolves this issue (SDNC-537) |
| sdnc/oam | org.apache.tomcat.embed | Inherited from spring-boot version 1.5.4-RELEASE | Must upgrade to spring-boot version 2.1.0-RELEASE, which resolves this issue (SDNC-537) |
| sdnc/oam | org.apache.tomcat.embed | Inherited from spring-boot version 1.5.4-RELEASE | Must upgrade to spring-boot version 2.1.0-RELEASE, which resolves this issue (SDNC-537) |
| sdnc/oam | org.apache.tomcat.embed | Inherited from spring-boot version 1.5.4-RELEASE | Must upgrade to spring-boot version 2.1.0-RELEASE, which resolves this issue (SDNC-537) |
| sdnc/oam | org.apache.tomcat.embed | Inherited from spring-boot version 1.5.4-RELEASE | Must upgrade to spring-boot version 2.1.0-RELEASE, which resolves this issue (SDNC-537) |
| sdnc/oam | org.apache.tomcat.embed | Inherited from spring-boot version 1.5.4-RELEASE | Must upgrade to spring-boot version 2.1.0-RELEASE, which resolves this issue (SDNC-537) |
| sdnc/oam | org.apache.tomcat.embed | Inherited from spring-boot version 1.5.4-RELEASE | Must upgrade to spring-boot version 2.1.0-RELEASE, which resolves this issue (SDNC-537) |
| sdnc/oam | org.apache.tomcat.embed | Inherited from spring-boot version 1.5.4-RELEASE | Must upgrade to spring-boot version 2.1.0-RELEASE, which resolves this issue (SDNC-537) |
| sdnc/oam | org.codehaus.jackson | Inherited from spring-boot | Must be addressed in upstream spring-boot |
| sdnc/oam | org.hibernate | Inherited from spring-boot version 1.5.4-RELEASE | Must upgrade to spring-boot version 2.1.0-RELEASE, which resolves this issue (SDNC-537) |
| sdnc/oam | org.springframework | Fixed in version 4.3.15.RELEASE | Must upgrade to spring-boot version 2.1.0-RELEASE, which resolves this issue (SDNC-537) |
| sdnc/apps, sdnc/northbound | org.springframework | Fixed in version 4.3.15.RELEASE | Must upgrade to spring-boot version 2.1.0-RELEASE, which resolves this issue (SDNC-537) |
| sdnc/apps | org.springframework | Fixed in version 4.3.17.RELEASE | Must upgrade to spring-boot version 2.1.0-RELEASE, which resolves this issue (SDNC-537) |
| sdnc/oam | org.springframework | Fixed in version 4.3.15.RELEASE | Must upgrade to spring-boot version 2.1.0-RELEASE, which resolves this issue (SDNC-537) |
| sdnc/apps, sdnc/northbound | org.springframework | Fixed in version 4.3.17.RELEASE | Must upgrade to spring-boot version 2.1.0-RELEASE, which resolves this issue (SDNC-537) |
| sdnc/apps, sdnc/northbound | org.springframework | Fixed in version 4.3.15.RELEASE | Must upgrade to spring-boot version 2.1.0-RELEASE, which resolves this issue (SDNC-537) |
| sdnc/apps, sdnc/northbound | org.springframework | Fixed in version 4.3.17.RELEASE | Must upgrade to spring-boot version 2.1.0-RELEASE, which resolves this issue (SDNC-537) |
| sdnc/apps | org.springframework | Fixed in version 4.3.18 | Must upgrade to spring-boot version 2.1.0-RELEASE, which resolves this issue (SDNC-537) |
| sdnc/apps | org.springframework | Fixed in version 4.3.18 | Must upgrade to spring-boot version 2.1.0-RELEASE, which resolves this issue (SDNC-537) |
| sdnc/oam | org.springframework | Fixed in version 4.3.18 | Must upgrade to spring-boot version 2.1.0-RELEASE, which resolves this issue (SDNC-537) |
| sdnc/oam | org.springframework | Fixed in version 4.3.18 | Must upgrade to spring-boot version 2.1.0-RELEASE, which resolves this issue (SDNC-537) |
| sdnc/apps, sdnc/northbound | org.springframework | Fixed in version 4.3.18 | Must upgrade to spring-boot version 2.1.0-RELEASE, which resolves this issue (SDNC-537) |
| sdnc/apps, sdnc/northbound | org.springframework | Fixed in version 4.3.18 | Must upgrade to spring-boot version 2.1.0-RELEASE, which resolves this issue (SDNC-537) |
| sdnc/oam | org.springframework | Fixed in version 4.3.15 | Must upgrade to spring-boot version 2.1.0-RELEASE, which resolves this issue (SDNC-537) |
| sdnc/oam | org.springframework | Fixed in version 4.3.18 | Must upgrade to spring-boot version 2.1.0-RELEASE, which resolves this issue (SDNC-537) |
| sdnc/apps | org.springframework | Fixed in version 4.3.18 | Must upgrade to spring-boot version 2.1.0-RELEASE, which resolves this issue (SDNC-537) |
| sdnc/oam | org.springframework.data | Fixed in version 1.13.11 | Must upgrade to spring-boot version 2.1.0-RELEASE, which resolves this issue (SDNC-537) |
| sdnc/oam | org.springframework.data | Fixed in version 1.13.11 | Must upgrade to spring-boot version 2.1.0-RELEASE, which resolves this issue (SDNC-537) |
| sdnc/oam | org.springframework.data | Fixed in version 1.13.12 | Must upgrade to spring-boot version 2.1.0-RELEASE, which resolves this issue (SDNC-537) |
| sdnc/apps | @stipsan/uikit | Not enough info in problem description to identify fixed version | Not enough info in problem description to identify fixed version |
| sdnc/oam | express | FALSE POSITIVE - only applies to older versions of node.js, < 0.9.4. We are using version 4.2.6 | None needed |
| sdnc/oam | forwarded | FALSE POSITIVE - this code would not be executed in DG builder (it's included as part of base NodeRed platform, but not used) | None needed |
| sdnc/oam | fresh | FALSE POSITIVE - this code would not be executed in DG builder (it's included as part of base NodeRed platform, but not used) | None needed |
| sdnc/apps | handlebars | Inherited from swagger | Must be addressed in upstream swagger |
| sdnc/oam | jquery | FALSE POSITIVE - the vulnerable functionality is not used | None needed |
| sdnc/oam | jquery | FALSE POSITIVE - the vulnerable functionality is not used | None needed |
| sdnc/oam | jquery | FALSE POSITIVE - the vulnerable functionality is not used | None needed |
| sdnc/oam | serve-index | FALSE POSITIVE - the vulnerable functionality is not used | None needed |