This table represents the known exploitable and non-exploitable vulnerabilities in third party packages used in the project.
| Repository | Group | Impact Analysis | Action |
|---|---|---|---|
| com.fasterxml.jackson.core | False Positive - The application is vulnerable by using this component, when default typing is enabled. Message Router does not use the default typing, so using the jackson-databind will not make message router vulnerable. | |
| com.fasterxml.jackson.org | AAI should attempt to upgrade this component. | AAI-2431 - Getting issue details... STATUS |
| org.apache.tomcat.embed | A dependency of Spring boot 1.5.20.RELEASE, which is the most current version. This is a false positive since the ONAP demo is not intended to run on Windows; for those clients who choose to deploy these services on Windows we recommend setting enableCmdLineArguments to false. | |
| org.springframework | A dependency of an older version of the aai-common libraries. | AAI-2419 - Getting issue details... STATUS |
| commons-codec | A child dependency of Janusgraph. Plan is to upgrade to newer janusgraph, but even the latest version uses this component for which there is no non-vulnerable version. AAI doesn't call the methods described in the CVE directly. | AAI-2420 - Getting issue details... STATUS |
| org.eclipse.jetty | False positive. Our services do not allow listing of directory contents. | |
| org.eclipse.jetty | A dependency of Spring boot 1.5.20.RELEASE, which is the most current version. This is a false positive since the ONAP demo is not intended to run on Windows; for those clients who choose to deploy these services on Windows we recommend to not use DefaultServlet or ResourceHandler providing directory content listings. | |
| org.eclipse.jetty | False positive. Our services do not allow listing of directory contents. | |
| com.fasterxml.jackson.core | False Positive. The exploit primarily is about enabling polymorphic type handling with the object mapper and writing class specifics into the JSON object. There are two ways of doing this:
By default the ObjectMapper does not enableDefaultTyping, the code base is not using either approach, so the possibility of the exploit vector does not apply. | |
| com.fasterxml.jackson.core | False Positive. The exploit primarily is about enabling polymorphic type handling with the object mapper and writing class specifics into the JSON object. There are two ways of doing this:
By default the ObjectMapper does not enableDefaultTyping, the code base is not using either approach, so the possibility of the exploit vector does not apply. | |
| org.codehaus.jackson | False Positive. The exploit primarily is about enabling polymorphic type handling with the object mapper and writing class specifics into the JSON object. There are two ways of doing this:
By default the ObjectMapper does not enableDefaultTyping, the resources code bases are not using either approach, so the possibility of the exploit vector does not apply. |
|
| org.codehaus.jackson | False Positive. The exploit primarily is about enabling polymorphic type handling with the object mapper and writing class specifics into the JSON object. There are two ways of doing this:
By default the ObjectMapper does not enableDefaultTyping, the resources code bases are not using either approach, so the possibility of the exploit vector does not apply. | |
| org.codehaus.jackson | False Positive. The exploit primarily is about enabling polymorphic type handling with the object mapper and writing class specifics into the JSON object. There are two ways of doing this:
By default the ObjectMapper does not enableDefaultTyping, the code base is not using either approach, so the possibility of the exploit vector does not apply. | |
| com.fasterxml.jackson.core | False Positive. The exploit primarily is about enabling polymorphic type handling with the object mapper and writing class specifics into the JSON object. There are two ways of doing this:
By default the ObjectMapper does not enableDefaultTyping, the search service is not using either approach, so the possibility of the exploit vector does not apply. | |
| com.fasterxml.jackson.core | False Positive Explanation: This vulnerability issue only exists if com.fasterxml.jackson.databind.ObjectMapper.setDefaultTyping() is called before it is used for deserialization. esr-server doesn't invoke this method, esr-server use new Gson().fromJson(String json, Obj.class) and new Gson().toJson(obj) to deserialization and serialization. https://github.com/FasterXML/jackson-docs/wiki/JacksonPolymorphicDeserialization In esr-server, Gson is used to deserialization and serialization: | |
| org.apache.activemq | Issue is a false positive. This vulnerability is dependent on XalanXPathEvaluator.java using an insecure or absent document parser. AAI is not using this class. | AAI-1931 - Getting issue details... STATUS |
| org.apache.activemq | Users should make sure the environment is secure to prevent possible MITM attacks between AAI and other ONAP services in the k8 cluster | AAI-2442 - Getting issue details... STATUS |
| org.apache.activemq | Issue is a false positive. This vulnerability is dependent on XalanXPathEvaluator.java using an insecure or absent document parser. AAI is not using this class. | |
| org.webjars.npm bootstrap | False positive. The data-target attribute in bootstrap.js interprets encoded HTML entities as standard HTML entities when data-target is based on user supplied input. data-target attribute is not used | Helpdesk ticket 54851 |
| org.webjars.npm bootstrap | False positive. The show()function in the tooltip.js file allows HTML and scripts in the data-container tooltip attribute values in the DOM elements without proper sanitization. The show() function is not used | |
| com.google.guava | This dependency is a child dependency of Cassandra which is required for the graphdb; newer versions of Cassandra do not upgrade to a non-vulnerable version of this depedency. Guava is vulnerable to Denial of Service (DoS) when untrusted input is supplied to the AtomicDoubleArray and CompoundOrdering classes - AAI doesn't depend on guava to do this anywhere. Non-vulnerable versions of guava are not backward compatible with the version used by Cassandra | |
| aai/data-router | com.google.guava | This dependency is a child dependency of Cassandra which is required for the graphdb; newer versions of Cassandra do not upgrade to a non-vulnerable version of this depedency. Guava is vulnerable to Denial of Service (DoS) when untrusted input is supplied to the AtomicDoubleArray and CompoundOrdering classes - AAI doesn't depend on guava to do this anywhere. Non-vulnerable versions of guava are not backward compatible with the version used by Cassandra | |
| aai/search-data-service | com.google.guava | A dependency of a child dependency, json-schema-validator. Even the latest version of json-schema-validator does not have the required fix version for the above components. | |
| aai/search-data-service | com.googlecode.libphonenumber | A dependency of a child dependency, json-schema-validator. Even the latest version of json-schema-validator does not have the required fix version for the above components. AAI is not vulnerable to this issue in the dependency, it does not use the component in the way described. | |
| aai/search-data-service | javax.mail | A dependency of a child dependency, json-schema-validator. Even the latest version of json-schema-validator does not have the required fix version for the above components. AAI is not vulnerable to this issue in the dependency, it does not use the component in the way described. | |
| aai/search-data-service | org.springframework.security | Search data service is not vulnerable to the exploit vectors because it does not perform the functions outlined in the report. | AAI-1895 - Getting issue details... STATUS |
| aai/esr-server | com.smoketurner.dropwizard | False Positive. The exploit primarily is about enabling polymorphic type handling with the object mapper and writing class specifics into the JSON object. There are two ways of doing this:
By default the ObjectMapper does not enableDefaultTyping, the code base is not using either approach, so the possibility of the exploit vector does not apply. | AAI-1970 - Getting issue details... STATUS |
| com.rabbitmq | False positive. Event client in ONAP only uses DMaaP so the rabbitmq dependencies are never used. | AAI-1905 - Getting issue details... STATUS |
| org.apache.tomcat | ESR GUI is vulnerable. Implementors should secure the system to prevent exploits. | AAI-1967 - Getting issue details... STATUS |
| org.apache.tomcat | ESR GUI is vulnerable. Implementors should secure the system to prevent exploits. | |
| org.apache.tomcat | ESR GUI is vulnerable. Implementors should secure the system to prevent exploits. | |
| bootstrap | ESR GUI is vulnerable. Implementors should secure the system to prevent exploits. | |
| jquery | ESR GUI is vulnerable. Implementors should secure the system to prevent exploits. | AAI-2347 - Getting issue details... STATUS |
| org.apache.libthrift | False positive. This version of ilbthrift is a dependency of titan/cassandra and janus/cassandra. Users should take note of this if they decide to enable SASL, but we do not ship it with the demo. | AAI-2186 - Getting issue details... STATUS |
| org.apache.zookeeper | False positive for ONAP as deployed. AAI is deployed with Janus on Cassandra, if users implement champ and choose hbase they should take steps to disable client-initiated renegotiation https://github.com/apache/zookeeper/pull/710 | AAI-2189 - Getting issue details... STATUS |
| ch.qos.logback | EELF dependency, upgrade to 1.0.1-oss | |
aai/router-core | org.eclipse.jetty | Tried to upgrade jetty; at the time in the nexusiq report this looked clean but evidently it's not. In any event, this is a false positive, the application doesn't use this component in the application server; these utils are only used locally. | AAI-2246 - Getting issue details... STATUS |
| aai/sparky-be | commons-fileupload | Part of portal sdk 2.5.0 | AAI-2250 - Getting issue details... STATUS |
| aai/sparky-be | org.owasp.antisamy | Part of portal sdk 2.5.0 | AAI-2250 - Getting issue details... STATUS |
| aai/sparky-be | org.owasp.esapi | Part of portal sdk 2.5.0 | AAI-2250 - Getting issue details... STATUS |
| commons-fileupload | Imported by ring; investigating whether there is an upgrade available. Chameleon could be vulnerable to denial of service exploit and implementors should secure the system to prevent it. | AAI-1903 - Getting issue details... STATUS |
| aai/gallifrey | io.netty | Consider upgrading. From CT Paterson: "The netty dependency is pulled in from RethinkDB. We're currently testing an update to gallifrey that will move to Cassandra as a storage backend and drop RethinkDB support. This should resolve the issue." | AAI-2256 - Getting issue details... STATUS |
| aai/esr-server | com.fasterxml.jackson.datatype | ESR is vulnerable. Implementors should secure the system to prevent DDOS attacks. | AAI-2258 - Getting issue details... STATUS |
| aai/esr-server | org.eclipse.jetty | ESR is vulnerable. Implementors should secure the system to prevent DDOS attacks. | |
| aai/router-core | ch.qos.logback | Update to latest aai-common | AAI-2344 - Getting issue details... STATUS |
| aai/champ | io.netty | AAI is not configured with hbase in the demo so this is not applicable. Operators who use champ and configure hbase should use care on this item. | |
| org.apache.tomcat.embed | Update to spring-boot 1.5.20 is the right path, but we cannot since 1.5.20 doesn't support 2-way TLS the way it is done in ONAP | AAI-2421 - Getting issue details... STATUS |
| org.apache.camel | False positive. createFileName() is never used | |
| org.apache.cxf | False postiive. in data-router, java.protocol.handler.pkgs system property is not set to com.sun.net.ssl.internal.www.protocol. | |
| org.springframework.security | Upgrade spring-security | AAI-2443 - Getting issue details... STATUS |
| com.squareup.okhttp3 | Disputed vulnerability, but users should make sure that MITM attacks are mitigated in their systems |