Thanks Amy. I updated the wiki with reference to this discussion.

Regards
Kanagaraj M
-------------------------------------
Be transparent! Win together !!

This e-mail and its attachments contain confidential information from HUAWEI, 
which is intended only for the person  or entity whose address is listed above. 
Any use of the information contained herein in any way (including, but not   
limited to, total or partial disclosure, reproduction, or dissemination) by 
persons other than the intended recipient(s) is  prohibited. If you receive 
this e-mail in error, please notify the sender by phone or email immediately 
and delete it!


From: ZWARICO, AMY [mailto:az9...@att.com]
Sent: Thursday, April 05, 2018 12:07 AM
To: Kanagaraj Manickam
Cc: onap-sec...@lists.onap.org; onap-tsc
Subject: RE: [onap-tsc] Known vulnerability analysis of CLI

Thank you for the update. Please update the vulnerability analysis for CLI at 
(https://wiki.onap.org/pages/viewpage.action?pageId=28377287) with this information.

From: Kanagaraj Manickam [mailto:kanagaraj.manic...@huawei.com]
Sent: Monday, April 02, 2018 2:07 AM
To: ZWARICO, AMY <az9...@att.com>
Cc: onap-sec...@lists.onap.org; onap-tsc <onap-tsc@lists.onap.org>
Subject: RE: [onap-tsc] Known vulnerability analysis of CLI

Hi Amy,

Pls find my answers inline and let me know if additional details required. 
Thanks


Regards
Kanagaraj M
-------------------------------------
Be transparent! Win together !!


From: ZWARICO, AMY [mailto:az9...@att.com]
Sent: Saturday, March 31, 2018 11:34 PM
To: Kanagaraj Manickam
Cc: onap-sec...@lists.onap.org; onap-tsc
Subject: [onap-tsc] Known vulnerability analysis of CLI

Hi Kanagaraj,
I was reviewing the CLI known vulnerability analysis – thank-you for providing 
that (https://wiki.onap.org/pages/viewpage.action?pageId=28377287)

1.       You stated that the use of the commons-codec library in commons-codec 
is a False Positive because it is not a direct dependency and is caused via 3rd 
party library dependency.

•         How did you test this in CLI?

[Kanagaraj M] This library is used by http-client, which is used at the 
back-end of the cli project. As part of the build, this is being iterated when 
the cli-validation project validates all Beijing clis.

•         What package is using commons-codec?

[Kanagaraj M] dependency library: httpclient 4.3.5

Used by: cli-validation artifact



•         Is there a version of this package that uses the most recent version 
of commons-codec (1.11 released in 2017)? Version 1.6 of commons-codec was 
released in 2011.

[Kanagaraj M] Yes, but CLI does not directly use this library.



2.       The CVE for jline 1.8 indicates that the vulnerability is in hawtjni.

•         How did you test that 
hawtjni-runtime/src/main/java/org/fusesource/hawtjni/runtime/Library.java  is 
not used in jline?

[Kanagaraj M] Jline is a 3rd party library used in CLI at the console access 
level, where no programming-level access is possible. And for an attacker, they 
need access to /tmp for this vulnerability. In ONAP, we provide the console-level 
access over the browser, where there is no possibility of accessing the file 
system.
Thanks so much,
Amy

Amy Zwarico, LMTS
Chief Security Office / Enterprise Security Support / Cloud Security Services
AT&T Services
(205) 403-2241

"This e-mail and any files transmitted with it are the property of AT&T,  and 
are intended solely for the use of the individual or entity to whom this e-mail 
is addressed. If you are not one of the named recipient(s) or otherwise have 
reason to believe that you have received this message in error, please notify 
the sender and delete this message immediately from your electronic device. Any 
other use, retention, dissemination, forwarding, printing, or copying of this 
e-mail is strictly prohibited."
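The first question in the thread (how the "not a direct dependency" claim for commons-codec was tested, and which package pulls it in) is the kind of thing that is easiest to answer from the Maven dependency tree rather than from memory. The script below is an added example, not code from the ONAP CLI project or from either participant: it parses `mvn dependency:tree` output, reports whether a flagged artifact is declared by the module or only arrives through another dependency, names the parent that brings it in, and flags versions older than a chosen minimum. The tree text is constructed for the example; only httpclient 4.3.5 and commons-codec 1.6 are taken from the thread, and the module coordinates (org.onap.cli:cli-validation, org.onap.cli:cli-framework) and every other version are assumptions.

```python
# Added example (not ONAP CLI project code): classify an artifact flagged by a
# known-vulnerability scan as a direct or transitive Maven dependency, using the
# text that `mvn dependency:tree` prints, and say which parent pulls it in.
import re
from typing import List

# Constructed sample of `mvn dependency:tree` output. Only httpclient 4.3.5 and
# commons-codec 1.6 come from the thread; the module name, the other
# coordinates and every other version are assumptions for this example.
SAMPLE_TREE = r"""
[INFO] --- maven-dependency-plugin:3.0.2:tree (default-cli) @ cli-validation ---
[INFO] org.onap.cli:cli-validation:jar:1.1.0-SNAPSHOT
[INFO] +- org.onap.cli:cli-framework:jar:1.1.0-SNAPSHOT:compile
[INFO] |  \- org.apache.httpcomponents:httpclient:jar:4.3.5:compile
[INFO] |     +- org.apache.httpcomponents:httpcore:jar:4.3.2:compile
[INFO] |     +- commons-logging:commons-logging:jar:1.1.3:compile
[INFO] |     \- commons-codec:commons-codec:jar:1.6:compile
[INFO] \- junit:junit:jar:4.12:test
[INFO] ------------------------------------------------------------------------
"""

# "[INFO] " + tree-drawing prefix ("+- ", "\- ", "|  ", "   ": 3 chars per level)
# + a coordinate with 4 to 6 colon-separated fields. Banner and separator lines
# have no colon-separated coordinate and are skipped.
LINE_RE = re.compile(r"^\[INFO\] ((?:[|+\\ -]{3})*)([^\s:]+(?::[^\s:]+){3,5})$")


def parse_tree(text: str) -> List[dict]:
    """Parse dependency:tree output into nodes, each carrying its path from the module root."""
    nodes: List[dict] = []
    stack: List[str] = []  # label of the node at each depth along the current path
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        prefix, coord = m.groups()
        depth = len(prefix) // 3
        parts = coord.split(":")
        group, artifact = parts[0], parts[1]
        if len(parts) == 4:          # module root: group:artifact:type:version
            version, scope = parts[3], None
        elif len(parts) == 5:        # group:artifact:type:version:scope
            version, scope = parts[3], parts[4]
        else:                        # group:artifact:type:classifier:version:scope
            version, scope = parts[4], parts[5]
        label = f"{group}:{artifact}:{version}"
        del stack[depth:]            # a new module root (depth 0) resets the path
        stack.append(label)
        nodes.append({"group": group, "artifact": artifact, "version": version,
                      "scope": scope, "depth": depth, "path": list(stack)})
    return nodes


def find_paths(text: str, group: str, artifact: str) -> List[List[str]]:
    """Every root -> ... -> parent -> target path on which group:artifact appears."""
    return [n["path"] for n in parse_tree(text)
            if n["group"] == group and n["artifact"] == artifact]


def classify(text: str, group: str, artifact: str) -> str:
    """'direct' if the module itself declares it, 'transitive' if only another
    dependency brings it in, 'absent' if it is not on the tree at all."""
    paths = find_paths(text, group, artifact)
    if not paths:
        return "absent"
    return "direct" if any(len(p) == 2 for p in paths) else "transitive"


def pulled_in_by(text: str, group: str, artifact: str) -> List[str]:
    """Immediate parents that put group:artifact on the classpath."""
    return [p[-2] for p in find_paths(text, group, artifact) if len(p) >= 2]


def version_key(version: str) -> tuple:
    """Numeric components of a version string, for ordering ("1.11" > "1.6")."""
    return tuple(int(x) for x in re.findall(r"\d+", version))


def below_minimum(text: str, group: str, artifact: str, minimum: str) -> List[tuple]:
    """(version, path) pairs where the resolved version is older than `minimum`."""
    return [(n["version"], n["path"]) for n in parse_tree(text)
            if n["group"] == group and n["artifact"] == artifact
            and version_key(n["version"]) < version_key(minimum)]


if __name__ == "__main__":
    g, a = "commons-codec", "commons-codec"
    print(classify(SAMPLE_TREE, g, a))                 # transitive
    for parent in pulled_in_by(SAMPLE_TREE, g, a):
        print("pulled in by", parent)                  # org.apache.httpcomponents:httpclient:4.3.5
    for version, path in below_minimum(SAMPLE_TREE, g, a, "1.11"):
        print(version, "< 1.11 via", " -> ".join(path))
```

To produce the input for a real module, run `mvn dependency:tree` in the module directory (narrowing with `-Dincludes=commons-codec:commons-codec` shows only the paths that lead to that artifact). Two caveats a reviewer would raise against the "transitive, therefore false positive" reasoning: a transitive dependency is still resolved onto the classpath and shipped with the build, so the tree only answers "who pulls it in", not whether the vulnerable code is reachable; and the transitive version can be raised without touching httpclient by pinning commons-codec in the POM's `<dependencyManagement>` section, after which the tree should be re-checked to confirm the new version actually won resolution.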


_______________________________________________
ONAP-TSC mailing list
ONAP-TSC@lists.onap.org
https://lists.onap.org/mailman/listinfo/onap-tsc
