Hey Steve,
  When are the dates for RC0,RC1 (If you have a calendar link, I don’t have 

  My current efforts are

  1.  Sonar to report AAF accurately (what is left is getting “Coverage” 
numbers… we had some improvement just this morning… nice to have headway)
  2.  Getting the AAF Beijing release working in Winriver VMs.
  3.  Getting the best Cassandra,J2EE and Mailer versions that eliminate/limit 
Security issues from dependent libraries.

  When those are working, I’ll be able to swing around and see what we can do 
on those other elements.

  Do you happen to know if anybody else uses Bouncey Castle, and if there are 
better versions out there without the security issues?  That might be a good 

  In terms of Vulnerability, Bouncey Castle is used exclusively to help 
facilitate Certificate Creation. (AAF Certman).  It is not in any of the 
Service, GUI, Locate, etc components.

Jonathan Gathman
Principled-System Architect
ATO Tech Dev/SEAT/Platform Architecture and Technology Management

AT&T Services, Inc.
2349 Oaker, Arnold, MO 63010
m  314-550-3312  |  

From: Stephen Terrill <stephen.terr...@ericsson.com>
Date: Tuesday, April 3, 2018 at 9:26 AM
To: "GATHMAN, JONATHAN C" <jg1...@att.com>
Cc: "onap-sec...@lists.onap.org" <onap-sec...@lists.onap.org>, onap-tsc 
<onap-tsc@lists.onap.org>, RAMPRASAD KOYA <rk5...@att.com>, "GANDHAM, SAI" 
<sg4...@att.com>, "ZWARICO, AMY" <az9...@att.com>
Subject: RE: Known vulnerability analysis of AAF

Hi Jonathan,

Thanks for the reply.  It would be good to know:

  *   Do you think that this will be done by RC0, RC1….?
  *   If it turns out you can’t replace the version, it would be good to what 
exposure ONAP has to the vulnerability.  Sometimes it turns out ONAP is not 
exposed due to the way that ONAP uses the components.



From: GATHMAN, JONATHAN C [mailto:jg1...@att.com]
Sent: Tuesday, April 03, 2018 2:53 AM
To: Stephen Terrill <stephen.terr...@ericsson.com>
Cc: onap-sec...@lists.onap.org; onap-tsc <onap-tsc@lists.onap.org>; KOYA, 
RAMPRASAD <rk5...@att.com>; GANDHAM, SAI <sg4...@att.com>; ZWARICO, AMY 
Subject: Re: Known vulnerability analysis of AAF

Hi Steve,
  We are using “BounceyCastle” for part of the CA work.  I will have to look 
into whether I can remove easily.

  Io.netty and org.apache.httpcomponents are derived dependencies from 
Cassandra.  I’m making inquiries as to what Cassandra Versions we can use to 
get free of License issues as well as whatever flaws you have noted.

Jonathan Gathman
Principled-System Architect
ATO Tech Dev/SEAT/Platform Architecture and Technology Management

AT&T Services, Inc.
2349 Oaker, Arnold, MO 63010
m  314-550-3312  |  

From: RAMPRASAD KOYA <rk5...@att.com<mailto:rk5...@att.com>>
Date: Monday, April 2, 2018 at 5:39 PM
To: Stephen Terrill 
<stephen.terr...@ericsson.com<mailto:stephen.terr...@ericsson.com>>, "GATHMAN, 
JONATHAN C" <jg1...@att.com<mailto:jg1...@att.com>>, "GANDHAM, SAI" 
Cc: "onap-sec...@lists.onap.org<mailto:onap-sec...@lists.onap.org>" 
<onap-sec...@lists.onap.org<mailto:onap-sec...@lists.onap.org>>, onap-tsc 
Subject: RE: Known vulnerability analysis of AAF

Sai, Jonathan – Any thoughts on this?

From: Stephen Terrill [mailto:stephen.terr...@ericsson.com]
Sent: Monday, April 02, 2018 2:59 AM
To: KOYA, RAMPRASAD <rk5...@att.com<mailto:rk5...@att.com>>
Cc: onap-sec...@lists.onap.org<mailto:onap-sec...@lists.onap.org>; onap-tsc 
Subject: Known vulnerability analysis of AAF

Hi Ram,

Thanks for the review of the known vulnerabilities for AAF: 

I note that the actions are still work in progress – do you have an estimated 
time for the analysis.  In the analysis, it would be great if you consider 
whether the way that AAF uses the imported artefacts to be clear on whether AAF 
is exposed to the vulnerability.

Best Regards,


[Image removed by sender. 
Technology Specialist
POA Architecture and Solutions
Business Unit Digital Services

Ericsson R&D Center, via de los Poblados 13
28033, Madrid, Spain
Phone +34 339 3005
Mobile +34 609 168 515

[Image removed by sender. 

Legal entity: Ericsson España S.A, compay registration number ESA288568603. 
This Communication is Confidential. We only send and receive email on the basis 
of the terms set out at 

ONAP-TSC mailing list

Reply via email to