Hey Steve,
  When are the dates for RC0, RC1 (if you have a calendar link, I don’t have 
that)?

  My current efforts are

  1.  Sonar to report AAF accurately (what is left is getting “Coverage” 
numbers… we had some improvement just this morning… nice to have headway)
  2.  Getting the AAF Beijing release working in Winriver VMs.
  3.  Getting the best Cassandra, J2EE and Mailer versions that eliminate/limit 
security issues from dependent libraries.

  When those are working, I’ll be able to swing around and see what we can do 
on those other elements.

  Do you happen to know if anybody else uses Bouncy Castle, and if there are 
better versions out there without the security issues?  That might be a good 
approach.

  In terms of vulnerability, Bouncy Castle is used exclusively to help 
facilitate certificate creation (AAF Certman).  It is not in any of the 
Service, GUI, Locate, etc. components.


--
Jonathan Gathman
Principled-System Architect
ATO Tech Dev/SEAT/Platform Architecture and Technology Management

AT&T Services, Inc.
2349 Oaker, Arnold, MO 63010
m  314-550-3312  |  
jonathan.gath...@us.att.com
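The exposure question in this thread (which modules actually pull in Bouncy Castle, and whether io.netty and org.apache.httpcomponents arrive only through Cassandra) can be answered mechanically from the build's own `mvn dependency:tree` output rather than from memory. The following is an added example and not AAF or ONAP project code; the tree text it parses is constructed in the shape of multi-module `dependency:tree` output, and every module name, coordinate and version in it is made up for illustration. It reports, per module, which direct dependency introduces each flagged artifact and whether that artifact is packaged at all (a test-scoped copy is flagged by scanners but never ships).

```python
"""Trace flagged artifacts in `mvn dependency:tree` output back to the module
and the direct dependency that pull them in, and note whether they ship at all.
Added example, not AAF/ONAP project code.  SAMPLE_TREE is constructed in the
shape of multi-module tree output; its module names and versions are made up."""
import re
from typing import Dict, List, Optional, Set

# Constructed sample: two hypothetical modules.  Bouncy Castle sits only under
# the cert module; netty/httpcomponents arrive through a Cassandra driver; one
# httpclient copy is test-scoped and therefore never packaged.
SAMPLE_TREE = r"""
[INFO] --- maven-dependency-plugin:3.1.1:tree (default-cli) @ aaf-certman ---
[INFO] org.onap.aaf.authz:aaf-certman:jar:2.1.0-SNAPSHOT
[INFO] +- org.bouncycastle:bcpkix-jdk15on:jar:1.59:compile
[INFO] |  \- org.bouncycastle:bcprov-jdk15on:jar:1.59:compile
[INFO] +- org.onap.aaf.authz:aaf-cass:jar:2.1.0-SNAPSHOT:compile
[INFO] |  \- com.datastax.cassandra:cassandra-driver-core:jar:3.4.0:compile
[INFO] |     +- io.netty:netty-handler:jar:4.0.56.Final:compile
[INFO] |     \- org.apache.httpcomponents:httpclient:jar:4.5.2:compile
[INFO] \- junit:junit:jar:4.12:test
[INFO] --- maven-dependency-plugin:3.1.1:tree (default-cli) @ aaf-service ---
[INFO] org.onap.aaf.authz:aaf-service:jar:2.1.0-SNAPSHOT
[INFO] +- org.onap.aaf.authz:aaf-cass:jar:2.1.0-SNAPSHOT:compile
[INFO] |  \- com.datastax.cassandra:cassandra-driver-core:jar:3.4.0:compile
[INFO] |     \- io.netty:netty-handler:jar:4.0.56.Final:compile
[INFO] \- org.apache.httpcomponents:httpclient:jar:4.5.2:test
"""

# Per-module header printed by the dependency plugin in a multi-module build.
MODULE_RE = re.compile(
    r"^\[INFO\] --- maven-dependency-plugin:\S+:tree \([^)]*\) @ (?P<module>\S+) ---$")
# Each tree level is a 3-character segment: "+- ", "\- ", "|  " or "   ".
# A coordinate is groupId:artifactId:type[:classifier]:version[:scope].
DEP_RE = re.compile(
    r"^\[INFO\] (?P<prefix>(?:\+- |\\- |\|  |   )*)(?P<coord>[\w.\-]+(?::[\w.\-]+){3,5})$")


def parse_coord(coord: str) -> Dict[str, Optional[str]]:
    """Split a Maven coordinate; the root line (4 fields) carries no scope."""
    parts = coord.split(":")
    has_scope = len(parts) >= 5
    return {
        "group": parts[0],
        "artifact": parts[1],
        "version": parts[-2] if has_scope else parts[-1],
        "scope": parts[-1] if has_scope else None,
    }


def find_paths(tree_text: str, flagged_groups: Set[str]) -> List[dict]:
    """Return one record per occurrence of a flagged groupId, with the module,
    the direct dependency that introduced it, and whether it is packaged."""
    results: List[dict] = []
    module: Optional[str] = None
    stack: List[dict] = []          # ancestors from the module root downwards
    for line in tree_text.splitlines():
        m = MODULE_RE.match(line)
        if m:
            module, stack = m.group("module"), []
            continue
        m = DEP_RE.match(line)
        if not m:
            continue
        depth = len(m.group("prefix")) // 3      # root = 0, direct deps = 1
        node = parse_coord(m.group("coord"))
        stack = stack[:depth] + [node]
        if node["group"] in flagged_groups:
            via = stack[1] if depth >= 1 else None
            results.append({
                "module": module,
                "artifact": f"{node['group']}:{node['artifact']}:{node['version']}",
                "scope": node["scope"],
                "direct": depth == 1,
                "via": f"{via['group']}:{via['artifact']}" if via else None,
                # test/provided scope is not packaged into the module's own
                # artifact; "provided" still needs checking in the runtime.
                "packaged": node["scope"] not in ("test", "provided"),
            })
    return results


def modules_using(results: List[dict], group: str) -> List[str]:
    """Modules that actually package an artifact from the given groupId."""
    return sorted({r["module"] for r in results
                   if r["artifact"].startswith(group + ":") and r["packaged"]})


if __name__ == "__main__":
    flagged = {"org.bouncycastle", "io.netty", "org.apache.httpcomponents"}
    for r in find_paths(SAMPLE_TREE, flagged):
        how = "direct" if r["direct"] else f"via {r['via']}"
        ship = "packaged" if r["packaged"] else f"NOT packaged ({r['scope']} scope)"
        print(f"{r['module']:12} {r['artifact']:55} {how:45} {ship}")
    for g in sorted(flagged):
        print(f"{g}: packaged by {modules_using(find_paths(SAMPLE_TREE, flagged), g)}")
```

Run it against the real output of `mvn dependency:tree` (redirected to a file) with the groupIds the scanner flagged; the "via" column is what an exclusion or a `dependencyManagement` version override has to target, and anything reported as not packaged can be answered on the wiki as "not exposed" without a version change.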

From: Stephen Terrill <stephen.terr...@ericsson.com>
Date: Tuesday, April 3, 2018 at 9:26 AM
To: "GATHMAN, JONATHAN C" <jg1...@att.com>
Cc: "onap-sec...@lists.onap.org" <onap-sec...@lists.onap.org>, onap-tsc 
<onap-tsc@lists.onap.org>, RAMPRASAD KOYA <rk5...@att.com>, "GANDHAM, SAI" 
<sg4...@att.com>, "ZWARICO, AMY" <az9...@att.com>
Subject: RE: Known vulnerability analysis of AAF

Hi Jonathan,

Thanks for the reply.  It would be good to know:

  *   Do you think that this will be done by RC0, RC1…?
  *   If it turns out you can’t replace the version, it would be good to know what 
exposure ONAP has to the vulnerability.  Sometimes it turns out ONAP is not 
exposed due to the way that ONAP uses the components.

BR,

Steve

From: GATHMAN, JONATHAN C [mailto:jg1...@att.com]
Sent: Tuesday, April 03, 2018 2:53 AM
To: Stephen Terrill <stephen.terr...@ericsson.com>
Cc: onap-sec...@lists.onap.org; onap-tsc <onap-tsc@lists.onap.org>; KOYA, 
RAMPRASAD <rk5...@att.com>; GANDHAM, SAI <sg4...@att.com>; ZWARICO, AMY 
<az9...@att.com>
Subject: Re: Known vulnerability analysis of AAF

Hi Steve,
  We are using Bouncy Castle for part of the CA work.  I will have to look 
into whether I can remove it easily.

  io.netty and org.apache.httpcomponents are derived dependencies from 
Cassandra.  I’m making inquiries as to what Cassandra versions we can use to 
get free of license issues as well as whatever flaws you have noted.


From: RAMPRASAD KOYA <rk5...@att.com>
Date: Monday, April 2, 2018 at 5:39 PM
To: Stephen Terrill <stephen.terr...@ericsson.com>, "GATHMAN, JONATHAN C" 
<jg1...@att.com>, "GANDHAM, SAI" <sg4...@att.com>
Cc: "onap-sec...@lists.onap.org" <onap-sec...@lists.onap.org>, onap-tsc 
<onap-tsc@lists.onap.org>
Subject: RE: Known vulnerability analysis of AAF

Sai, Jonathan – Any thoughts on this?

From: Stephen Terrill [mailto:stephen.terr...@ericsson.com]
Sent: Monday, April 02, 2018 2:59 AM
To: KOYA, RAMPRASAD <rk5...@att.com>
Cc: onap-sec...@lists.onap.org; onap-tsc <onap-tsc@lists.onap.org>
Subject: Known vulnerability analysis of AAF

Hi Ram,

Thanks for the review of the known vulnerabilities for AAF: 
https://wiki.onap.org/pages/viewpage.action?pageId=28380057

I note that the actions are still work in progress – do you have an estimated 
time for the analysis?  In the analysis, it would be great if you could consider 
the way that AAF uses the imported artefacts, to be clear on whether AAF 
is exposed to the vulnerability.

Best Regards,

Steve

STEPHEN TERRILL
Technology Specialist
POA Architecture and Solutions
Business Unit Digital Services

Ericsson
Ericsson R&D Center, via de los Poblados 13
28033, Madrid, Spain
Phone +34 339 3005
Mobile +34 609 168 515
stephen.terr...@ericsson.com
www.ericsson.com



_______________________________________________
ONAP-TSC mailing list
ONAP-TSC@lists.onap.org
https://lists.onap.org/mailman/listinfo/onap-tsc
