Good evening Krzysztof,

Thank you for keeping us informed. We acknowledge your e-mail. We are glad that the issue has been solved.

Best regards,
Catherine

-----Original Message-----
From: Krzysztof Opasiak <[email protected]>
Sent: Monday, December 2, 2019 10:31 PM
To: Lefevre, Catherine <[email protected]>
Cc: onap-tsc <[email protected]>; Kenny Paul ([email protected]) <[email protected]>; [email protected]; ZWARICO, AMY <[email protected]>; [email protected]
Subject: SSRF Vulnerability in ONAP jira

Dear TSC,

This is a notification email to ensure full transparency of the ONAP vulnerability management subcommittee.

On 28th of November 2019 we ([email protected]) received a report from a user identifying himself as "p0desta" on a Server Side Request Forgery in the ONAP jira instance (jira.onap.org). The vulnerability was previously known and identified as CVE-2019-8451. The official Atlassian ticket related to this vulnerability is: https://urldefense.proofpoint.com/v2/url?u=https-3A__jira.atlassian.com_browse_JRASERVER-2D69793&d=DwICaQ&c=LFYZ-o9_HUMeMTSQicvjIg&r=ZglJ8LOeAfevY7wWaSximhFMAzXaMdza5QYCg-DW6SU&m=q9jgGjS-k5R1CFjBqGngeqcjjtzrOs-NhKAPhj8y-6Q&s=YxvOOzFzj7yVNyIGV1MNQ3IL6Dm_729VGJArtRBWkJw&e=

As the vulnerability is not related to ONAP itself, but only to the supporting infrastructure, we decided not to create a new OJSI ticket or issue an ONAP Security Advisory (OSA), but rather to report it directly to the Linux Foundation using a limited-visibility service desk ticket: https://urldefense.proofpoint.com/v2/url?u=https-3A__jira.linuxfoundation.org_servicedesk_customer_portal_2_IT-2D18372&d=DwICaQ&c=LFYZ-o9_HUMeMTSQicvjIg&r=ZglJ8LOeAfevY7wWaSximhFMAzXaMdza5QYCg-DW6SU&m=q9jgGjS-k5R1CFjBqGngeqcjjtzrOs-NhKAPhj8y-6Q&s=zUZan3mC92GUANKP8hgMPZHrr7pZw13d_f71eRAli6w&e=

The vulnerability has been fixed today by the Linux Foundation IT support team by performing an upgrade of the ONAP jira instance to the version that includes a fix for this security vulnerability.
Best regards,
--
Krzysztof Opasiak
on behalf of the ONAP vulnerability sub-committee
Samsung R&D Institute Poland
Samsung Electronics

View/Reply Online (#5733): https://lists.onap.org/g/onap-tsc/message/5733
