Stephen, we have updated the wiki page for the ONAP Portal security template to address your comments from the TSC meeting. Please review.
https://wiki.onap.org/pages/viewpage.action?pageId=27689089

Thanks
Farhan

From: Stephen Terrill [mailto:[email protected]]
Sent: Wednesday, April 04, 2018 4:21 PM
To: TALASILA, MANOOP (MANOOP) <[email protected]>
Cc: [email protected]; onap-tsc <[email protected]>; TATTAVARADA, SUNDER (SUNDER) <[email protected]>; MIR, FARHAN N (FARHAN) <[email protected]>; FAZAL, ABBAS M (ABBAS) <[email protected]>
Subject: RE: Known vulnerability analysis of Portal

Thank-you Manoop. Could you please update the template accordingly.

Best Regards,
Steve.

From: TALASILA, MANOOP (MANOOP) [mailto:[email protected]]
Sent: Wednesday, April 04, 2018 9:20 PM
To: Stephen Terrill <[email protected]>
Cc: [email protected]; onap-tsc <[email protected]>; TATTAVARADA, SUNDER (SUNDER) <[email protected]>; MIR, FARHAN N (FARHAN) <[email protected]>; FAZAL, ABBAS M (ABBAS) <[email protected]>
Subject: Re: Known vulnerability analysis of Portal

Hi Steve,

Please find the responses in-line for Portal. I also updated the wiki page with the below details.

Thanks.
Manoop

From: Stephen Terrill <[email protected]>
Date: Friday, March 30, 2018 at 4:01 PM
To: "TALASILA, MANOOP (MANOOP)" <[email protected]>
Cc: [email protected], onap-tsc <[email protected]>
Subject: Known vulnerability analysis of Portal

Hi Manoop,

I was reviewing the portal known vulnerability analysis – thank-you for providing that (https://wiki.onap.org/pages/viewpage.action?pageId=27689089). It is indicated that there are some changes that cannot be done due to the impact (change of all screens). This led to a few questions:

- Did you analyse the impact of the vulnerability if it was exploited? Is there a work-around in our code to avoid the use of it?

Analysis: Yes, we did analyze the vulnerability. From our analysis the vulnerability cannot be exploited, because the portal application follows the design recommendations below, provided by the nexus-iq report.

Recommendation by nexus-iq for this vulnerability (SONATYPE-2016-0064): It's best to design your application in such a way that users cannot change client-side templates.
- Do not mix client and server templates
- Do not use user input to generate templates dynamically
- Do not run user input through $scope.$eval (or any of the other expression parsing functions listed above)
- Consider using {@link ng.directive:ngCsp CSP} (but don't rely only on CSP)

Action: In following releases, we are planning to upgrade to the latest angular versions to address this vulnerability.

- Regarding Jackson mapper, are you using it in such a way that it exposes the vulnerabilities (see: https://wiki.onap.org/pages/viewpage.action?pageId=25439016)?

Analysis: This vulnerability is not exposed from the portal's code, because
1. The portal does not pass any untrusted data for deserialization, as there is XSS/XSRF validation enabled in the portal's backend code.
2. The default typing (ObjectMapper.setDefaultTyping()) is not called, as we use concrete java types.
3. We use Spring Security 4.2.3 as recommended in the nexus-iq report.

BR,
Steve.

STEPHEN TERRILL
Technology Specialist POA Architecture and Solutions
Business Unit Digital Services
Ericsson
Ericsson R&D Center, via de los Poblados 13
28033, Madrid, Spain
Phone +34 339 3005
Mobile +34 609 168 515
[email protected]
www.ericsson.com

_______________________________________________
ONAP-TSC mailing list
[email protected]
https://lists.onap.org/mailman/listinfo/onap-tsc
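An added example in Java, not Portal's own code, illustrating the second point of the Jackson analysis in the thread above: a mapper bound to concrete Java types with no default typing call, an audit helper that confirms no global default typer is installed, and the weak configuration shown only for contrast. The class, DTO and field names are assumed, and the JSON inputs are constructed.

```java
import com.fasterxml.jackson.databind.DeserializationFeature;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.UnrecognizedPropertyException;

public final class PortalMapperCheck {

    // Hypothetical concrete DTO: every field has a fixed Java type, so Jackson never
    // reads a type identifier from the JSON to decide which class to instantiate.
    public static final class UserProfile {
        public String loginId;
        public String email;
    }

    // Mapper configured as the analysis describes: setDefaultTyping()/enableDefaultTyping()
    // is never called, and unknown properties are rejected rather than silently dropped.
    public static ObjectMapper strictMapper() {
        ObjectMapper m = new ObjectMapper();
        m.enable(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES);
        return m;
    }

    // Audit check for an already configured mapper: true when no global default typer is set.
    public static boolean defaultTypingDisabled(ObjectMapper m) {
        return m.getDeserializationConfig().getDefaultTyper(null) == null;
    }

    public static void main(String[] args) throws Exception {
        ObjectMapper strict = strictMapper();
        System.out.println("strict mapper, default typing disabled: " + defaultTypingDisabled(strict));

        // Constructed sample input, bound to the concrete DTO; no type information is consulted.
        UserProfile p = strict.readValue(
                "{\"loginId\":\"demo\",\"email\":\"demo@example.com\"}", UserProfile.class);
        System.out.println("bound loginId: " + p.loginId);

        // Constructed sample input carrying a type-id style property: with concrete binding and
        // FAIL_ON_UNKNOWN_PROPERTIES it is rejected as an unknown field, not interpreted.
        try {
            strict.readValue("{\"@class\":\"some.Type\",\"loginId\":\"demo\"}", UserProfile.class);
        } catch (UnrecognizedPropertyException e) {
            System.out.println("rejected unknown property: " + e.getPropertyName());
        }

        // Weak configuration, for contrast only: the call the analysis says Portal does not make.
        // enableDefaultTyping() is deprecated since Jackson 2.10 in favour of
        // activateDefaultTyping(PolymorphicTypeValidator, ...).
        ObjectMapper weak = new ObjectMapper();
        weak.enableDefaultTyping();
        System.out.println("weak mapper, default typing disabled: " + defaultTypingDisabled(weak));
    }
}
```

The defaultTypingDisabled check is the kind of assertion worth keeping in a unit test so a later configuration change cannot silently re-enable default typing on the shared mapper.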
