Re: SECCOM recommendation for the El Alto Release
couple of comments from my side:
On 22.10.2019 17:23, Amy Zwarico wrote:
On the Monday, 21 October PTL call, Catherine Lefevre requested a
* SDNC portal must be disabled by default (replica set 0) unless proper
fixes are provided.
Technically they are all documented in release notes for Dublin as known
security issues. By default our release notes are cumulative so as long
as we don't document this as fixed they are unfixed.
But taking into account how serious those vulnerabilities are, I believe
that mentioning them once again under known security issues in the El Alto
release notes would improve our transparency.
or provide proper fixes ;)
or just fixed
OJSI-203 - unprotected APIs in SO
OJSI-15 - XSS vulnerabilities in ONAP Portal
OJSI-34 - SQL injections in SDNC
OJSI-174 - SQL injections in Portal
OJSI-203 is the one that I mentioned that SO decided to carry over to
Frankfurt due to resource constraints.
OJSI-15 is a Work in Progress. It's just a significant amount of work
which is not finished yet.
OJSI-34 - to be consulted with SDNC Team but not as severe as the 3 above
OJSI-174 - Dominik worked on this but I'm not sure if he managed to fix
everything by now. Just asked him for an update.
OJSI-93 - user impersonation (still a lack of proper user management)
OJSI-88 - JDWP exposed on localhost
OJSI-202 - Unprotected APIs in OOM
OJSI-204 - Unprotected APIs in MSB
OJSI-205 - Unprotected APIs in CLI
OJSI-63 - Jolokia in APPC
OJSI-200 - Unprotected APIs in Logging
OJSI-88 and OJSI-63 are not as severe as the 3 from SDNC and I know that
APPC started some work on OJSI-63.
Samsung R&D Institute Poland