Thank you for the update. Please update the vulnerability analysis for CLI at
with this information.
From: Kanagaraj Manickam [mailto:kanagaraj.manic...@huawei.com]
Sent: Monday, April 02, 2018 2:07 AM
To: ZWARICO, AMY <az9...@att.com>
Cc: onap-sec...@lists.onap.org; onap-tsc <email@example.com>
Subject: RE: [onap-tsc] Known vulnerability analysis of CLI
Pls find my answers inline and let me know if additional details required.
Be transparent! Win together !!
This e-mail and its attachments contain confidential information from HUAWEI,
which is intended only for the person or entity whose address is listed above.
Any use of the information contained herein in any way (including, but not
limited to, total or partial disclosure, reproduction, or dissemination) by
persons other than the intended recipient(s) is prohibited. If you receive
this e-mail in error, please notify the sender by phone or email immediately
and delete it!
From: ZWARICO, AMY [mailto:az9...@att.com]
Sent: Saturday, March 31, 2018 11:34 PM
To: Kanagaraj Manickam
Cc: onap-sec...@lists.onap.org<mailto:onap-sec...@lists.onap.org>; onap-tsc
Subject: [onap-tsc] Known vulnerability analysis of CLI
I was reviewing the CLI known vulnerability analysis – thank-you for providing
1. You stated that the use of the commons-codec library in commons-codec
is a False Positive because it is not a direct dependency and is caused via 3rd
party library dependency.
• How did you test this in CLI?
[Kanagaraj M] This library is used by http-client, which is used at the
back-end of cli project. As part of the build, this is being iterated when
cli-vlidation project validates all Beijing clis.
• What package is using commons-codec?
[Kanagaraj M] dependency libaray: httpclient 4.3.5
Used by: cli-validation artifact
• Is there a version of this package that uses the most recent version
of commons-codec (1.11 released in 2017)? Version 1.6 of commons-codec was
released in 2011.
[Kanagaraj M] Yes, but CLI does not directly use this library.
2. The CVE for jline 1.8 indicates that the vulnerability is in hawtjni.
• How did you test that
not used in jline?
[Kanagaraj M] Jline is 3rd party library used in CLI at the console access
level where no programming level access is possible. And For attacker, they
need access /tmp for this vulnerability. In ONAP, we provide the console level
access over the browser, where there is no possibility for accessing the file
Thanks so much,
Amy Zwarico, LMTS
Chief Security Office / Enterprise Security Support / Cloud Security Services
"This e-mail and any files transmitted with it are the property of AT&T, and
are intended solely for the use of the individual or entity to whom this e-mail
is addressed. If you are not one of the named recipient(s) or otherwise have
reason to believe that you have received this message in error, please notify
the sender and delete this message immediately from your electronic device. Any
other use, retention, dissemination, forwarding, printing, or copying of this
e-mail is strictly prohibited."
ONAP-TSC mailing list