Dear TSC,

As requested during the last TSC call, I would like to brief you on the security vulnerability issues of the multicloud-azure component.
Background:

Given the ONAP architecture, the multicloud services are all internal services which are typically utilized by other ONAP components (SO, OOF, VFC, APPC). The multicloud-azure component is a plugin service in multicloud which mediates between the Azure cloud and ONAP. It is deployed on demand and runs as a standalone service as well. This plugin service was introduced in the Beijing release and has gone through the Casablanca and Dublin releases (with a sonar coverage waiver). Now there are security issues to be scrutinized (and resolved if applicable), but we are lacking the resources to commit to help on that.

Reported security issues:

Multicloud-azure is based on Python 2 and the Django framework and utilizes several Python packages. The following packages are reported with security issues:

- Django 1.9.6
- azure-common 1.1.14
- djangorestframework 3.3.3
- httplib2 0.9.2
- requests 2.14.0

However, that does not imply that the multicloud-azure component is impacted, since there is a chance that multicloud-azure does not utilize the API/functionality of those packages which results in the security issue. Hence we need further investigation of the multicloud-azure source code to figure out whether or not the reported security issues are false positives here.

I believe the CLM report is confidential due to some policy, hence not publicly available to the community, but the details of those reported security issues are publicly available, so I copied the links and share them with our team members below. Hopefully someone would like to help if it is not too overwhelming.
For those having permission to view the report, here is the link:
https://nexus-iq.wl.linuxfoundation.org/assets/index.html#/applicationReport/onap-multicloud-azure/1dbdc9b12f3f4f21b0d8f1b92f919e57/policy

The repo is:
https://gerrit.onap.org/r/admin/repos/multicloud/azure

The released docker images: onap/multicloud/azure

Thanks

Public links to the reported security issues:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9013
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14234
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18074
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20060
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9014
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7401
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14232
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14233
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14235
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6975
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6186
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12794
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7233
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7234
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14574
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3498
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14042
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20676
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20677
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8331
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14042
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11236
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9740
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7536
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7537
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12781

There are a bunch of Sonatype issues for which I cannot find the public links:
https://community.sonatype.com/t/sonatype-2019-0115-primefaces-issue/1915

Issue                Component                                 Version           Status
sonatype-2014-0026   Django (py2.py3-none-any)                 1.9.6 (.whl)      Open
sonatype-2016-0107   Django (py2.py3-none-any)                 1.9.6 (.whl)      Open
sonatype-2019-0133   Django (py2.py3-none-any)                 1.9.6 (.whl)      Open
sonatype-2016-0610   Django                                    1.9.6 (.tar.gz)   Open
sonatype-2019-0280   djangorestframework (py2.py3-none-any)    3.3.3 (.whl)      Open
sonatype-2017-0050   Django (py2.py3-none-any)                 1.9.6 (.whl)      Open
sonatype-2017-0051   Django (py2.py3-none-any)                 1.9.6 (.whl)      Open
sonatype-2016-0129   djangorestframework (py2.py3-none-any)    3.3.3 (.whl)      Open
sonatype-2017-0565   httplib2                                  0.9.2 (.tar.gz)   Open

Best Regards,

Bin Yang, Solution Engineering Team, Wind River
ONAP Multi-VIM/Cloud PTL
Direct +86,10,84777126
Mobile +86,13811391682
Fax +86,10,64398189
Skype: yangbincs993

View/Reply Online (#5378): https://lists.onap.org/g/onap-tsc/message/5378
