This table represents the known exploitable and non-exploitable vulnerabilities in third party packages used in the project.
| Repository | Group | Problem Code | Effective/Ineffective | Resolvable by Project | Impact Analysis | Action |
|---|---|---|---|---|---|---|
| vnfsdk-functest | com.fasterxml.jackson.core | N/A | Ineffective | Yes |
Note: This vulnerability exists due to the incomplete fix for CVE-2017-7525, CVE-2017-15095, CVE-2017-17485, CVE-2018-5968, CVE-2018-7489, CVE-2018-11307, CVE-2018-12022, CVE-2018-12023, CVE-2018-14718, CVE-2018-14719, CVE-2018-14720, and CVE-2018-14721. Evidence of this can be found at https://pivotal.io/security/cve-2017-4995. The application is vulnerable by using this component, when default typing is enabled and passing in untrusted data to be deserialization. | There is no non vulnerable version of this component. Do not use the default typing. |
| vnfsdk-functest | com.fasterxml.jackson.core | CVE-2019-12086 | Ineffective | Yes | A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint, the service has the mysql-connector-java jar (8.0.14 or earlier) in the classpath, and an attacker can host a crafted MySQL server reachable by the victim, an attacker can send a crafted JSON message that allows them to read arbitrary local files on the server. This occurs because of missing com.mysql.cj.jdbc.admin.MiniAdmin validation. The jackson-databind component contains an Insecure Deserialization Vulnerability. The validateSubType() function in the SubTypeValidator class allows untrusted input to be deserialized as a com.mysql.cj.jdbc.admin.MiniAdmin instance. A remote attacker can exploit this behavior by submitting a crafted JSON payload to a deserializing endpoint that uses jackson-databind. The attacker's deserialized Java object may then create a connection with an attacker controlled MySql server. When running a mysql-connector-java jar versioned 8.0.14 and earlier, the attacker's MySql server may read arbitrary files accessible by the vulnerable application when the connection is established. The application is vulnerable by using this component if a mysql-connector-java jar versioned 8.0.14 or lower is in the classpath while Default Typing is enabled. | There is no non vulnerable version of this component. Do not use the default typing. |
| vnfsdk-functest | com.github.roskart.dropwizard-jaxws | CVE-2019-14379 | Ineffective | Yes | SubTypeValidator.java in FasterXML jackson-databind before 2.9.9.2 mishandles default typing when ehcache is used, leading to remote code execution. The jackson-databind package is vulnerable to Remote Code Execution (RCE). The validateSubType() function in the SubTypeValidator class allows untrusted Java objects, such as net.sf.ehcache.transaction.manager.DefaultTransactionManagerLookup, to be deserialized. A remote attacker can exploit this by uploading a malicious serialized object that will result in RCE if the application attempts to deserialize it. The application is vulnerable by using this component if default typing is enabled, ehcache exists on the classpath, and if it deserializes untrusted data. | The code comes in through a 3rd party dependency, but isn't used in VNFSDK. |
| vnfsdk-functest | com.github.roskart.dropwizard-jaxws | CVE-2019-14439 | Ineffective | Yes | A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9.2. This occurs when Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the logback jar in the classpath. The jackson-databind package is vulnerable to Remote Code Execution (RCE). The validateSubType() function in the SubTypeValidator class allows untrusted Java objects, such as ch.qos.logback.core.db.JNDIConnectionSource, to be deserialized. A remote attacker can exploit this by uploading a malicious serialized object that will result in RCE if the application attempts to deserialize it. The application is vulnerable by using this component if default typing is enabled, logback exists on the classpath, and if it deserializes untrusted data. | The code comes in through a 3rd party dependency but isn't used in VNFSDK. |
| vnfsdk-functest | com.github.roskart.dropwizard-jaxws | N/A | Ineffective | Yes | jackson-databind is vulnerable to Remote Code Execution (RCE). The createBeanDeserializer() function in the BeanDeserializerFactory class allows untrusted Java objects to be deserialized. A remote attacker can exploit this by uploading a malicious serialized object that will result in RCE if the application attempts to deserialize it. The application is vulnerable by using this component, when default typing is enabled and passing in untrusted data to be deserialization. | The code comes in through a 3rd party dependency but isn't used in VNFSDK. |
| vnfsdk-functest | com.github.roskart.dropwizard-jaxws | CVE-2018-14335 | Ineffective | Yes | An issue was discovered in H2 1.4.197. Insecure handling of permissions in the backup function allows attackers to read sensitive files (outside of their permissions) via a symlink to a fake database file. The h2 database is vulnerable to improper access control. The Backup class allows an attacker with existing shell access to submit a POST request that creates a backup copy of any file readable by the h2 database. The created backup file is readable by the attacker which results in information disclosure of protected files. | The code comes in through a 3rd party dependency but isn't used in VNFSDK. |
| vnfsdk-functest | com.github.roskart.dropwizard-jaxws | N/A | Ineffective | Yes | JavaMail is vulnerable to Information Exposure. The getUniqueMessageIDValue() method in the UniqueValue class file appends the username and the hostname of the Java process when generating the Message-Id for an email. This can lead to unintended information leakage in the email headers and potentially lead to security issues. | The code comes in through a 3rd party dependency but isn't used in VNFSDK. |
| vnfsdk-functest | org.eclipse.jetty | CVE-2019-10241 | Ineffective | Yes | In Eclipse Jetty version 9.2.26 and older, 9.3.25 and older, and 9.4.15 and older, the server is vulnerable to XSS conditions if a remote client USES a specially formatted URL against the DefaultServlet or ResourceHandler that is configured for showing a Listing of directory contents. The jetty package is vulnerable to Cross-Site Scripting (XSS). The sendDirectory() function in ResourceService.class and DefaultServlet.class files and the doDirectory() function in the ResourceHandler.class file use the getListHTML() function in the Resource.class file to fetch resource list as an HTML directory listing. This allows any JavaScript present in the list items to get fetched and rendered without proper sanitization of user-supplied input, leading to XSS. | Plan to upgrade the new version in F release. |
| vnfsdk-functest | org.eclipse.jetty | CVE-2019-10246 | Ineffective | Yes | In Eclipse Jetty version 9.2.27, 9.3.26, and 9.4.16, the server running on Windows is vulnerable to exposure of the fully qualified Base Resource directory name on Windows to a remote client when it is configured for showing a Listing of directory contents. This information reveal is restricted to only the content in the configured base resource directories. The jetty-util package running on Windows is vulnerable to sensitive Information Exposure. The getListHTML() method of the Resource.class file reveals the resource base path as it does not properly generate HTML content and includes the base path in the result. | Plan to upgrade the new version in F release. |
| Repository | Group | Problem Code | Effective/Ineffective | Resolvable by Project | Impact Analysis | Action |
|---|---|---|---|---|---|---|
| vnfsdk-refrepo | com.fasterxml.jackson.core | CVE-2018-11307 | Ineffective | Yes | An issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.5. Use of Jackson default typing along with a gadget class from iBatis allows exfiltration of content. Fixed in 2.7.9.4, 2.8.11.2, and 2.9.6. jackson-databind is vulnerable to Information Exposure via Deserialization of Untrusted Data. The validateSubType() function in the SubTypeValidator class allows untrusted Java objects to be deserialized. A remote attacker can exploit this by uploading a malicious serialized object which will result in the exfiltration of sensitive information if the application attempts to deserialize it. The application is vulnerable by using this component, when default typing is enabled and passing in untrusted data to be deserialized. | Plan to upgrade to Gson in F release. |
| vnfsdk-refrepo | com.fasterxml.jackson.core | CVE-2018-12022 | Ineffective | Yes | An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled (either globally or for a specific property), the service has the Jodd-db jar (for database access for the Jodd framework) in the classpath, and an attacker can provide an LDAP service to access, it is possible to make the service execute a malicious payload. jackson-databind is vulnerable to Remote Code Execution (RCE). The validateSubType() function in the SubTypeValidator class allows untrusted Java objects to be deserialized. A remote attacker can exploit this by uploading a malicious serialized object that will result in RCE if the application attempts to deserialize it. The application is vulnerable by using this component, when default typing is enabled and passing in untrusted data to be deserialized. | Plan to upgrade to Gson in F release. |
| vnfsdk-refrepo | com.fasterxml.jackson.core | CVE-2018-12023 | Ineffective | Yes | An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled (either globally or for a specific property), the service has the Oracle JDBC jar in the classpath, and an attacker can provide an LDAP service to access, it is possible to make the service execute a malicious payload. jackson-databind is vulnerable to Remote Code Execution (RCE). The validateSubType() function in the SubTypeValidator class allows untrusted Java objects to be deserialized. A remote attacker can exploit this by uploading a malicious serialized object that will result in RCE if the application attempts to deserialize it. The application is vulnerable by using this component, when default typing is enabled and passing in untrusted data to be deserialized. | Plan to upgrade to Gson in F release. |
| vnfsdk-refrepo | io.netty | CVE-2019-9512 | Effective | No | Some HTTP/2 implementations are vulnerable to ping floods, potentially leading to a denial of service. The attacker sends continual pings to an HTTP/2 peer, causing the peer to build an internal queue of responses. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both. | This is not a direct dependency, but is inherited from grpc-netty. There is currently no version of grpc-netty that has this fix. |
| vnfsdk-refrepo | io.netty | CVE-2019-9514 | Effective | No | Some HTTP/2 implementations are vulnerable to a reset flood, potentially leading to a denial of service. The attacker opens a number of streams and sends an invalid request over each stream that should solicit a stream of RST_STREAM frames from the peer. Depending on how the peer queues the RST_STREAM frames, this can consume excess memory, CPU, or both. | This is not a direct dependency, but is inherited from grpc-netty. There is currently no version of grpc-netty that has this fix. |
| vnfsdk-refrepo | io.netty | CVE-2019-9515 | Effective | No | Some HTTP/2 implementations are vulnerable to a settings flood, potentially leading to a denial of service. The attacker sends a stream of SETTINGS frames to the peer. Since the RFC requires that the peer reply with one acknowledgement per SETTINGS frame, an empty SETTINGS frame is almost equivalent in behavior to a ping. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both. | This is not a direct dependency, but is inherited from grpc-netty. There is currently no version of grpc-netty that has this fix. |
| vnfsdk-refrepo | io.netty | CVE-2019-9518 | Effective | No | Some HTTP/2 implementations are vulnerable to a flood of empty frames, potentially leading to a denial of service. The attacker sends a stream of frames with an empty payload and without the end-of-stream flag. These frames can be DATA, HEADERS, CONTINUATION and/or PUSH_PROMISE. The peer spends time processing each frame disproportionate to attack bandwidth. This can consume excess CPU. | This is not a direct dependency, but is inherited from grpc-netty. There is currently no version of grpc-netty that has this fix. |
| vnfsdk-refrepo | org.eclipse.jetty | CVE-2018-12545 | Ineffective | Yes | In Eclipse Jetty version 9.3.x and 9.4.x, the server is vulnerable to Denial of Service conditions if a remote client sends either large SETTINGs frames container containing many settings, or many small SETTINGs frames. The vulnerability is due to the additional CPU and memory allocations required to handle changed settings. | Plan to upgrade jetty version |
| vnfsdk-refrepo | commons-codec | N/A | Ineffective | Yes | The Apache commons-codec package contains an Improper Input Validation vulnerability. The decode() method in the Base32, Base64, and BCodec classes fails to reject malformed Base32 and Base64 encoded strings and consequently decodes them into arbitrary values. A remote attacker can leverage this vulnerability to potentially tunnel additional information via seemingly legitimate Base32 or Base64 encoded strings. | This is not a direct dependency, but is inherited from commons-http-client. Plan to use http-client instead. |
| vnfsdk-refrepo | org.eclipse.jetty | CVE-2019-10241 | Ineffective | Yes | In Eclipse Jetty version 9.2.26 and older, 9.3.25 and older, and 9.4.15 and older, the server is vulnerable to XSS conditions if a remote client USES a specially formatted URL against the DefaultServlet or ResourceHandler that is configured for showing a Listing of directory contents. The jetty package is vulnerable to Cross-Site Scripting (XSS). The sendDirectory() function in ResourceService.class and DefaultServlet.class files and the doDirectory() function in the ResourceHandler.class file use the getListHTML() function in the Resource.class file to fetch resource list as an HTML directory listing. This allows any JavaScript present in the list items to get fetched and rendered without proper sanitization of user-supplied input, leading to XSS. | Plan to upgrade jetty version |
| vnfsdk-refrepo | org.eclipse.jetty | CVE-2019-10247 | Ineffective | Yes | In Eclipse Jetty version 7.x, 8.x, 9.2.27 and older, 9.3.26 and older, and 9.4.16 and older, the server running on any OS and Jetty version combination will reveal the configured fully qualified directory base resource location on the output of the 404 error for not finding a Context that matches the requested path. The default server behavior on jetty-distribution and jetty-home will include at the end of the Handler tree a DefaultHandler, which is responsible for reporting this 404 error, it presents the various configured contexts as HTML for users to click through to. This produced HTML includes output that contains the configured fully qualified directory base resource location for each context. The jetty package is vulnerable to sensitive Information Exposure. The handle() method of the DefaultHandler.class file discloses sensitive information via the context object. The method outputs the value of context.toString() within the error responses which will reveal the base resource path of each context. | Plan to upgrade jetty version |
| vnfsdk-refrepo | org.eclipse.jetty | CVE-2019-10241 | Ineffective | Yes | In Eclipse Jetty version 9.2.26 and older, 9.3.25 and older, and 9.4.15 and older, the server is vulnerable to XSS conditions if a remote client USES a specially formatted URL against the DefaultServlet or ResourceHandler that is configured for showing a Listing of directory contents. The jetty package is vulnerable to Cross-Site Scripting (XSS). The sendDirectory() function in ResourceService.class and DefaultServlet.class files and the doDirectory() function in the ResourceHandler.class file use the getListHTML() function in the Resource.class file to fetch resource list as an HTML directory listing. This allows any JavaScript present in the list items to get fetched and rendered without proper sanitization of user-supplied input, leading to XSS. | Plan to upgrade jetty version |
| vnfsdk-refrepo | org.eclipse.jetty | CVE-2019-10246 | Ineffective | Yes | In Eclipse Jetty version 9.2.27, 9.3.26, and 9.4.16, the server running on Windows is vulnerable to exposure of the fully qualified Base Resource directory name on Windows to a remote client when it is configured for showing a Listing of directory contents. This information reveal is restricted to only the content in the configured base resource directories. The jetty-util package running on Windows is vulnerable to sensitive Information Exposure. The getListHTML() method of the Resource.class file reveals the resource base path as it does not properly generate HTML content and includes the base path in the result. | Plan to upgrade jetty version |
| Repository | Group | Problem Code | Effective/Ineffective | Resolvable by Project | Impact Analysis | Action |
|---|---|---|---|---|---|---|
| vnfsdk-validation | com.fasterxml.jackson.core | CVE-2018-7489 | Ineffective | Yes | FasterXML jackson-databind before 2.7.9.3, 2.8.x before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath. jackson-databind is vulnerable to Remote Code Execution (RCE). The validateSubType() function in the SubTypeValidator class allows untrusted Java objects to be deserialized. A remote attacker can exploit this by uploading a malicious serialized object that will result in RCE if the application attempts to deserialize it. The application is vulnerable by using this component, when default typing is enabled and passing in untrusted data to be deserialized. | Plan to use Gson instead in F release. |
| vnfsdk-validation | io.netty | CVE-2019-16869 | Effective | No | Netty before 4.1.42.Final mishandles whitespace before the colon in HTTP headers (such as a "Transfer-Encoding : chunked" line), which leads to HTTP request smuggling. | This is not a direct dependency, but is inherited from grpc-netty. There is currently no version of grpc-netty that has this fix. |
| vnfsdk-validation | io.netty | CVE-2019-9512 | Effective | No | Some HTTP/2 implementations are vulnerable to ping floods, potentially leading to a denial of service. The attacker sends continual pings to an HTTP/2 peer, causing the peer to build an internal queue of responses. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both. | This is not a direct dependency, but is inherited from grpc-netty. There is currently no version of grpc-netty that has this fix. |
| vnfsdk-validation | io.netty | CVE-2019-9514 | Effective | No | Some HTTP/2 implementations are vulnerable to a reset flood, potentially leading to a denial of service. The attacker opens a number of streams and sends an invalid request over each stream that should solicit a stream of RST_STREAM frames from the peer. Depending on how the peer queues the RST_STREAM frames, this can consume excess memory, CPU, or both. | This is not a direct dependency, but is inherited from grpc-netty. There is currently no version of grpc-netty that has this fix. |
| vnfsdk-validation | io.netty | CVE-2019-9515 | Effective | No | Some HTTP/2 implementations are vulnerable to a settings flood, potentially leading to a denial of service. The attacker sends a stream of SETTINGS frames to the peer. Since the RFC requires that the peer reply with one acknowledgement per SETTINGS frame, an empty SETTINGS frame is almost equivalent in behavior to a ping. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both. | This is not a direct dependency, but is inherited from grpc-netty. There is currently no version of grpc-netty that has this fix. |
| vnfsdk-validation | io.netty | CVE-2019-9518 | Effective | No | Some HTTP/2 implementations are vulnerable to a flood of empty frames, potentially leading to a denial of service. The attacker sends a stream of frames with an empty payload and without the end-of-stream flag. These frames can be DATA, HEADERS, CONTINUATION and/or PUSH_PROMISE. The peer spends time processing each frame disproportionate to attack bandwidth. This can consume excess CPU. | This is not a direct dependency, but is inherited from grpc-netty. There is currently no version of grpc-netty that has this fix. |
| vnfsdk-validation | commons-codec | N/A | Ineffective | Yes | The Apache commons-codec package contains an Improper Input Validation vulnerability. The decode() method in the Base32, Base64, and BCodec classes fails to reject malformed Base32 and Base64 encoded strings and consequently decodes them into arbitrary values. A remote attacker can leverage this vulnerability to potentially tunnel additional information via seemingly legitimate Base32 or Base64 encoded strings. | This is not a direct dependency, but is inherited from commons-http-client. |
| vnfsdk-validation | jline | CVE-2013-2035 | Ineffective | No | Race condition in hawtjni-runtime/src/main/java/org/fusesource/hawtjni/runtime/Library.java in HawtJNI before 1.8, when a custom library path is not specified, allows local users to execute arbitrary Java code by overwriting a temporary JAR file with a predictable name in /tmp. When the custom library path is omitted, HawtJNI Library writes the native libraries as temporary JAR files with predictable file names in /tmp. Taking advantage of the time window between the write and read by HawtJNI, a local attacker could overwrite a temporary JAR file with a malicious version that can result in arbitrary code execution. The application is vulnerable if the custom library path is omitted in the application code. The path is specified by setting a system property. See vulnerability report. | jline is used during the mvn test phase and is not used while vnfsdk service is running. so it is false positive categoty. |