This table lists the known exploitable and non-exploitable vulnerabilities in third-party packages used in the project.
High-level mitigation plan:
For known issue classes such as DoS, Remote Code Execution (RCE), CORS attacks and HTTP request smuggling, the Portal's code does not expose these vulnerabilities directly, because the affected components sit behind many layers of API encapsulation, so they are most likely false positives reported by the NexusIQ scan. To be on the safe side, the mitigation plan is nevertheless to deploy the Portal platform in a secure environment, e.g. in a private network inside the company firewall.
Repository | Group | Impact Analysis | Action |
---|---|---|---|
portal | com.fasterxml.jackson.core | False positive. Analysis: This vulnerability is not exposed from the Portal's code, because Spring Security 4.2.3 takes care of it. Comments from Nexus-IQ: Spring Security has provided their own fix for this vulnerability (CVE-2017-4995). If this component is being used as part of Spring Security, then you are not vulnerable if you are running Spring Security 4.2.3.RELEASE or greater for 4.x or Spring Security 5.0.0.M2 or greater for 5.x. | Not vulnerable in ONAP |
portal | moments moment 2.1.0 | All available versions of moment.js are vulnerable. Upgrade is not an option. Analysis: Not vulnerable, as all our date fields are reformatted and validated before being submitted. See the CVE 185 information below: The moment package is vulnerable to Regular Expression Denial of Service (ReDoS). The monthsShortRegex(), monthsRegex(), weekdaysRegex(), weekdaysShortRegex(), and weekdaysMinRegex() functions in the moment.js, moment-with-locales.js, and regex.js files use a vulnerable regular expression while parsing the date input. A remote attacker can exploit this vulnerability by crafting a date input containing a very long sequence of repetitive characters which, when parsed, consumes available CPU resources and results in Denial of Service. | Upgrade to moment 2.11.2+ |
portal, portal-sdk | elasticsearch 2.2.0 | Description from CVE: Elasticsearch Alerting and Monitoring in versions before 6.4.1 or 5.6.12 have an information disclosure issue when secrets are configured via the API. The Elasticsearch _cluster/settings API, when queried, could leak sensitive configuration information such as passwords, tokens, or usernames. This could allow an authenticated Elasticsearch user to improperly view these details. | Upgrade Elasticsearch Alerting and Monitoring to versions after 6.4.1 or 5.6.12 |
portal, portal-sdk | angular | Analysis: Cannot upgrade angular, as this would require changes on all the Portal pages. From our analysis the vulnerability cannot be exploited, because the Portal application follows the design recommendation below from the nexus-iq report. Recommendation by nexus-iq for this vulnerability (SONATYPE-2016-0064): It's best to design your application in such a way that users cannot change client-side templates. | Not vulnerable in ONAP |
portal, portal-sdk | angular-sanitize 1.5.0 | AngularJS is vulnerable to Cross-Site Scripting (XSS). The application is vulnerable by using this component only when | We will perform the upgrade along with angular.js. In later versions svgEnabled is set to false by default, so an upgrade to 1.5+ should be considered. |
portal | org.webjars.bower | The AngularJS framework is vulnerable to Remote Code Execution (RCE) and Cross-Site Scripting (XSS). | Same comments as for angular.js: we will perform the upgrade along with angular.js. |
portal | commons-beanutils | All available versions of commons-beanutils are vulnerable. Upgrade is not an option. Analysis: The Portal code does not use the classloader, so it is not vulnerable in ONAP. CWE-20 | Not vulnerable in ONAP |
portal-sdk | org.apache.poi | Analysis: Not vulnerable, as we do not use POI to read documents; we use it only to generate XLS from our own data. CWE-399: Apache POI versions prior to release 3.17 are vulnerable to Denial of Service attacks: 1) infinite loops while parsing crafted WMF, EMF, MSG and macros (POI bugs 61338 and 61294), and 2) Out of Memory Exceptions while parsing crafted DOC, PPT and XLS (POI bugs 52372 and 61295). | Not vulnerable in ONAP |
portal, portal-sdk | org.springframework | Request exception | |
portal-sdk | io.netty | The issue is not clear from the Nexus IQ report information. | Request exception |
portal, portal-sdk | commons-fileupload | Target fix in Dublin release | |
portal-sdk | xerces | Request exception | |
portal-sdk | bootstrap | There is no non-vulnerable version of this package. | Request exception |
portal, portal-sdk | org.bouncycastle | We will try to handle these in the Dublin release, based on resource availability and priority | |
portal | org.codehaus.groovy | We will try to handle these in the Dublin release, based on resource availability and priority | |
portal | org.eclipse.jetty jetty-util | We will try to handle these in the Dublin release, based on resource availability and priority; will upgrade to 9.2.14.v20151106 or disable HTTP/1.1 | |
portal, portal-sdk | org.apache.lucene | We will try to handle these in the Dublin release | |
portal | org.apache.tomcat.embed tomcat-embed-core 8.5.28 | The configuration for CorsFilter needs to change. We will change the url-pattern of CorsFilter in web.xml from * to *onap* | |
portal | org.apache.cxf | False positive. We do not use the code below, which is the vulnerable part: System.setProperty("java.protocol.handler.pkgs", "com.sun.net.ssl.internal.www.protocol"); | Not Vulnerable |
portal | org.hibernate | We will try to handle these in the Dublin release, based on resource availability and priority | |
portal, portal-sdk | c3p0 0.9.5.2 | c3p0-0.9.5.2.jar: the c3p0 component is vulnerable to XML External Entity (XXE) attacks. | Will upgrade to 0.9.5.3 in Dublin or later |
portal | postgresql-9.1-901-1.jdbc4.jar | Description from CVE: A weakness was found in postgresql-jdbc before version 42.2.5. It was possible to provide an SSL Factory and not check the host name if a host name verifier was not provided to the driver. This could lead to a condition where a man-in-the-middle attacker could masquerade as a trusted server by providing a certificate for the wrong host, as long as it was signed by a trusted CA. | Remove this lib; it may not be used anymore. |
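The tomcat-embed-core row above plans to narrow the CorsFilter url-pattern. The fragment below is an added illustration, not the Portal project's own web.xml: it shows the broad mapping beside a narrowed one. The filter class is Tomcat's real org.apache.catalina.filters.CorsFilter and cors.allowed.origins / cors.support.credentials are its real init-params; the path prefix /onap/* (a stand-in for the page's *onap*, since the Servlet spec only allows /path/* or *.ext wildcards) and the origin https://portal.example.com are placeholders.

```xml
<!-- Added example, not the project's web.xml. BEFORE and AFTER are alternatives:
     a web.xml may carry only one <filter> definition per filter-name. -->

<!-- BEFORE: the filter answers CORS requests for every URL in the application
     and relies on the filter's built-in defaults for allowed origins. -->
<filter>
  <filter-name>CorsFilter</filter-name>
  <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
</filter>
<filter-mapping>
  <filter-name>CorsFilter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>

<!-- AFTER: only the Portal paths that need cross-origin access get CORS headers
     (placeholder prefix /onap/*), and the allowed origin is pinned explicitly
     (placeholder origin) with credentials disabled instead of trusting defaults. -->
<filter>
  <filter-name>CorsFilter</filter-name>
  <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
  <init-param>
    <param-name>cors.allowed.origins</param-name>
    <param-value>https://portal.example.com</param-value>
  </init-param>
  <init-param>
    <param-name>cors.support.credentials</param-name>
    <param-value>false</param-value>
  </init-param>
</filter>
<filter-mapping>
  <filter-name>CorsFilter</filter-name>
  <url-pattern>/onap/*</url-pattern>
</filter-mapping>
```

After the change, a preflight OPTIONS request to a path outside /onap/ should come back without Access-Control-Allow-Origin, which is a quick way to confirm the narrowed mapping took effect.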