Have updated. 


Best Regards,


From: ZWARICO, AMY [mailto:az9...@att.com] 
Sent: April 5, 2018 2:41
To: Yan Yang
Cc: 'onap-tsc'; onap-sec...@lists.onap.org
Subject: RE: ONAP Vulnerability Report - VF-C


Thank you for the information. Please update the vulnerability analysis in the 
wiki (https://wiki.onap.org/pages/viewpage.action?pageId=25437810) with this 

Thank you, Amy


From: Yan Yang [mailto:yangya...@chinamobile.com] 
Sent: Tuesday, April 03, 2018 3:05 AM
To: ZWARICO, AMY <az9...@att.com>
Cc: 'onap-tsc' <onap-tsc@lists.onap.org>; onap-sec...@lists.onap.org
Subject: Reply: ONAP Vulnerability Report - VF-C


Hi Amy,


Please see my response to your question below.


Best Regards,


From: ZWARICO, AMY [mailto:az9...@att.com] 
Sent: April 1, 2018 3:28
To: yangya...@chinamobile.com
Cc: onap-tsc; onap-sec...@lists.onap.org
Subject: ONAP Vulnerability Report - VF-C


Hi Yan,

I was reviewing the Usecase-UI known vulnerability analysis – thank you for 
providing that (https://wiki.onap.org/pages/viewpage.action?pageId=25437810 

1. Is VF-C using the vulnerable component(s) in commons-httpclient?

[Yan] VF-C code doesn't use the readRawLine() method in commons-httpclient 
directly. We plan to replace this jar with Apache HttpComponents, but need some 
time to update the code and test. 

2. Is VF-C using the vulnerable component(s) in jackson-mapper-asl?

[Yan] We don't use Jackson directly and don't use the 
createBeanDeserializer() function, which has the vulnerability. We were unable 
to find any reference to this vulnerability 

3. Is VF-C using the vulnerable component(s) in xercesImpl?

[Yan] About the xercesImpl security issue, we have replaced it 
with a new version and this issue has been solved.


Thanks so much,



Amy Zwarico, LMTS

Chief Security Office / Enterprise Security Support / Cloud Security Services

AT&T Services

(205) 403-2241






ONAP-TSC mailing list
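
One way to check an answer such as "we don't call readRawLine() directly" against compiled artifacts, as an added example that is not part of the original thread or of ONAP's code: parse each class file's constant pool in a jar and report call sites whose method name matches. The function names, the bare-name matching and the constructed sample jar (class and owner names included) are assumptions made for illustration.

```python
import io, struct, zipfile

# Method names from the thread; matching on the bare name is an assumption.
TARGETS = {"readRawLine", "createBeanDeserializer"}
# Payload size in bytes of each fixed-width constant-pool tag (JVM class-file format).
SIZES = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4, 12: 4,
         15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}

def method_refs(data):
    """Return {(owner_class, method_name)} that one compiled class calls."""
    magic, _minor, _major, count = struct.unpack_from(">IHHH", data, 0)
    if magic != 0xCAFEBABE:
        raise ValueError("not a Java class file")
    pool, pos, i = {}, 10, 1
    while i < count:
        tag, pos = data[pos], pos + 1
        if tag == 1:                       # Utf8: u2 length + bytes
            (n,) = struct.unpack_from(">H", data, pos)
            pool[i] = (tag, data[pos + 2:pos + 2 + n].decode("utf-8", "replace"))
            pos += 2 + n
        elif tag in SIZES:
            if tag == 7:                   # Class -> index of its name
                pool[i] = (tag, struct.unpack_from(">H", data, pos)[0])
            elif tag in (10, 11, 12):      # Methodref, InterfaceMethodref, NameAndType
                pool[i] = (tag, struct.unpack_from(">HH", data, pos))
            pos += SIZES[tag]
            i += tag in (5, 6)             # Long and Double occupy two slots
        else:
            raise ValueError(f"unknown constant-pool tag {tag}")
        i += 1
    refs = [v for t, v in pool.values() if t in (10, 11)]
    return {(pool[pool[c][1]][1], pool[pool[nt][1][0]][1]) for c, nt in refs}

def scan_jar(jar, targets=TARGETS):
    with zipfile.ZipFile(jar) as zf:
        return sorted((e, owner, name) for e in zf.namelist() if e.endswith(".class")
                      for owner, name in method_refs(zf.read(e)) if name in targets)

def sample_jar():
    """Constructed input: in-memory jar with two classes, one calling readRawLine."""
    def cls(owner, method):
        utf = lambda s: b"\x01" + struct.pack(">H", len(s)) + s.encode()
        pool = [utf(owner), struct.pack(">BH", 7, 1), utf(method), utf("()V"),
                struct.pack(">BHH", 12, 3, 4), struct.pack(">BHH", 10, 2, 5)]
        return struct.pack(">IHHH", 0xCAFEBABE, 0, 52, len(pool) + 1) + b"".join(pool)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("com/example/A.class", cls("example/lib/HttpParser", "readRawLine"))
        zf.writestr("com/example/B.class", cls("example/lib/Util", "trim"))
    return buf
```

Running `scan_jar` over every jar on the classpath, not only the project's own, also shows whether another dependency calls the method on the project's behalf. Calls made through reflection do not appear in the constant pool as method references and are not detected.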
