SECCOM recommendation for the El Alto Release


Amy Zwarico
 

On the Monday, 21 October PTL call, Catherine Lefevre requested a formal SECCOM recommendation for the El Alto release based on the KPI data presented. On today’s SECCOM call (22 October) we reached agreement that ONAP El Alto should not be released until the SDNC team re-enables the remote code execution vulnerability work-around implemented in Dublin:

- SDNC portal must be disabled by default
- All ONAP CVEs for the SDNC remote code execution vulnerability must be documented

 

The analysis that led to this recommendation is documented below. If you have any questions, you can contact Krzysztof Opasiak or me.

SECCOM recommendation to TSC about El Alto security status based on KPIs for the release

- ONAP El Alto should not be released until the SDNC team re-enables the remote code execution vulnerability work-around implemented in Dublin.
  - SDNC portal must be disabled by default
  - All ONAP CVEs for the SDNC remote code execution vulnerability must be documented
- OJSI Tickets
  - 21 HTTP ports remain
  - 12 CVEs closed
  - 7 CVEs in progress
  - 3 SDNC remote code execution CVEs are blocking for the release (https://jira.onap.org/browse/OJSI-41 (CVE-2019-12132), https://jira.onap.org/browse/OJSI-42 (CVE-2019-12123), https://jira.onap.org/browse/OJSI-199 (CVE-2019-12112))
  - 7 CVEs with no action
  - 11 remaining unresolved CVEs are not blocking
- CII Badging
  - Significant improvement in overall badging
  - Some projects lagging on badging activity
  - CII Badging is not blocking for the release
- Vulnerability Review Tables
  - Vulnerability analysis is nearly complete; projects made progress on closing vulnerabilities in El Alto
  - Vulnerability Review Tables are not blocking for the release
- Recommendation from SECCOM: Add the status of the inactive projects to the release documentation by including the last commit date in each vulnerability review page

 

 

Amy Zwarico, LMTS

Chief Security Office / Emerging Services Security

AT&T Services

(205) 613-1667

 
