Thank you for the information. Please update the vulnerability analysis in the wiki (https://wiki.onap.org/pages/viewpage.action?pageId=25437810) with this information.

Thank you,
Amy

From: Yan Yang [mailto:[email protected]]
Sent: Tuesday, April 03, 2018 3:05 AM
To: ZWARICO, AMY <[email protected]>
Cc: 'onap-tsc' <[email protected]>; [email protected]
Subject: Re: ONAP Vulnerability Report - VF-C

Hi Amy,

Please see my response to your question below.

Best Regards,
Yan

From: ZWARICO, AMY [mailto:[email protected]]
Sent: April 1, 2018 3:28
To: [email protected]
Cc: onap-tsc; [email protected]
Subject: ONAP Vulnerability Report - VF-C

Hi Yan,

I was reviewing the Usecase-UI known vulnerability analysis – thank you for providing that (https://wiki.onap.org/pages/viewpage.action?pageId=25437810)

1. Is VF-C using the vulnerable component(s) in commons-httpclient?
[Yan] VF-C code doesn't use the readRawLine() method in commons-httpclient directly. We plan to replace this jar with Apache HttpComponents, but need some time to update the code and test.

2. Is VF-C using the vulnerable component(s) in jackson-mapper-asl?
[Yan] We don't use Jackson directly and don't use the createBeanDeserializer() function which has the vulnerability. We were unable to find any reference to this Vulnerability

3. Is VF-C using the vulnerable component(s) in xercesImpl?
[Yan] About the xercesImpl security issue, we have replaced it with a new version and this issue has been solved.

Thanks so much,
Amy

Amy Zwarico, LMTS
Chief Security Office / Enterprise Security Support / Cloud Security Services
AT&T Services
(205) 403-2241
_______________________________________________ ONAP-TSC mailing list [email protected] https://lists.onap.org/mailman/listinfo/onap-tsc
