Re: SECCOM recommendation for the El Alto Release

Krzysztof Opasiak
 

Hi,

couple of comments from my side:

On 22.10.2019 17:23, Amy Zwarico wrote:
One the Monday, 21 October PTL call, Catherine Lefevre requested a
formal SECCOM recommendation for the El Alto release based on the KPI
data presented. On today’s SECCOM call (22 October) we reached agreement
that the *ONAP El Alto should not be released until the SDNC team
re-enables the remote code execution vulnerability work-around
implemented in Dublin.*

•*SDNC portal must be disabled by default*
*SDNC portal must be disabled by default (replica set 0) unless proper
fixes are provided.*


•*All ONAP CVEs for the SDNC remote code execution vulnerability must be
documented*.
Technically they are all documented in release notes for Dublin as known
security issues. By default our release notes are cumulative so as long
as we don't document this as fixed they are unfixed.

But taking into account how serious those vulnerabilities are, I believe
that mentioning them once again under known security issues in the El Alto
release notes would improve our transparency.


The analysis that led to this recommendation is documented below. If you
have any questions, you can contact Krzysztof Opasiak or me.

•SECCOM recommendation to TSC about El Alto security status based on
KPIs for the release

-*ONAP El Alto should not be released until the SDNC team re-enables the
remote code execution vulnerability work-around implemented in Dublin.*
or provides proper fixes ;)


•*SDNC portal must be disabled by default*
or just fixed


•*All ONAP CVEs for the SDNC remote code execution vulnerability must be
documented*

-OJSI Tickets

•21 HTTP ports remain

•12 CVEs closed

•7 CVEs in progress

•*3 SDNC remote code execution CVEs are blocking for the release*
(https://jira.onap.org/browse/OJSI-41 (CVE-2019-12132),
https://jira.onap.org/browse/OJSI-42 (CVE-2019-12123),
https://jira.onap.org/browse/OJSI-199 (CVE-2019-12112))
OJSI-203 - unprotected APIs in SO
OJSI-15 - XSS vulnerabilities in ONAP Portal
OJSI-34 - SQL injections in SDNC
OJSI-174 - SQL injections in Portal

OJSI-203 is the one that I mentioned that SO decided to carry over to
Frankfurt due to resource constraints.

OJSI-15 is a Work in Progress. It's just a significant amount of work
which is not finished yet.

OJSI-34 - to be consulted with SDNC Team but not as severe as the 3 above

OJSI-174 - Dominik worked on this but I'm not sure if he managed to fix
everything by now. Just asked him for an update.


•7 CVEs with no action
OJSI-93 - user impersonation (still lack of proper user management)
OJSI-88 - JDWP exposed on localhost
OJSI-202 - Unprotected APIs in OOM
OJSI-204 - Unprotected APIs in MSB
OJSI-205 - Unprotected APIs in CLI
OJSI-63 - Jolokia in APPC
OJSI-200 - Unprotected APIs in Logging

OJSI-88 and OJSI-63 are not as severe as the 3 from SDNC and I know that
APPC started some work on OJSI-63.


•11 remaining unresolved CVEs are not blocking
Agree.

Best regards,
--
Krzysztof Opasiak
Samsung R&D Institute Poland
Samsung Electronics
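The two conditions the thread turns into a release gate (the SDNC portal shipped at replica count 0, and the count of plain-HTTP ports tracked as a KPI) can be checked mechanically against the objects a cluster actually runs. The script below is an added example and is not ONAP or SECCOM code: it reads a document in the shape of `kubectl get deploy,svc -o json`, reports any must-be-disabled deployment that still has replicas, and lists cleartext HTTP service ports. The deployment name `sdnc-portal`, the service names, the port numbers and the sample document are all constructed for the example; the "http"/"https" port-name heuristic follows the Kubernetes port-naming convention and is an assumption, not something the thread specifies.

```python
"""Release-gate check over Kubernetes Deployment and Service objects.

Added example, not ONAP/SECCOM code. Deployment and service names below
are assumptions; the sample document is constructed, not captured.
"""
import json

# Deployments that, per the recommendation, must ship with 0 replicas.
# "sdnc-portal" is an assumed name for this example, not a real chart name.
MUST_BE_DISABLED = {"sdnc-portal"}

# Constructed sample in the shape of `kubectl get deploy,svc -o json`.
SAMPLE_OBJECTS = json.dumps({"items": [
    {"kind": "Deployment", "metadata": {"name": "sdnc-portal"},
     "spec": {"replicas": 1}},
    {"kind": "Deployment", "metadata": {"name": "sdnc"},
     "spec": {"replicas": 2}},
    {"kind": "Service", "metadata": {"name": "sdnc-portal"},
     "spec": {"ports": [{"name": "http", "port": 8843}]}},
    {"kind": "Service", "metadata": {"name": "sdnc"},
     "spec": {"ports": [{"name": "https", "port": 8443}]}},
    {"kind": "Service", "metadata": {"name": "so"},
     "spec": {"ports": [{"name": "http-api", "port": 8080},
                        {"name": "https-api", "port": 8444}]}},
    {"kind": "Service", "metadata": {"name": "msb"},
     "spec": {"ports": [{"name": "http", "port": 443,
                         "appProtocol": "https"}]}},
]})


def is_plain_http(port):
    """Heuristic (assumption): an explicit appProtocol wins; otherwise a
    port named "http" or "http-*" is treated as cleartext HTTP."""
    app = port.get("appProtocol")
    if app is not None:
        return app.lower() == "http"
    name = port.get("name", "").lower()
    return name == "http" or name.startswith("http-")


def enabled_but_forbidden(items, must_be_disabled):
    """Deployments from must_be_disabled whose replica count is not 0.
    A missing spec.replicas defaults to 1 in Kubernetes, so it is enabled."""
    found = []
    for obj in items:
        if obj.get("kind") != "Deployment":
            continue
        name = obj["metadata"]["name"]
        replicas = obj.get("spec", {}).get("replicas", 1)
        if name in must_be_disabled and replicas != 0:
            found.append((name, replicas))
    return found


def plain_http_ports(items):
    """(service name, port number) for every cleartext HTTP service port."""
    return [(obj["metadata"]["name"], p["port"])
            for obj in items if obj.get("kind") == "Service"
            for p in obj.get("spec", {}).get("ports", [])
            if is_plain_http(p)]


def release_gate(raw_json, must_be_disabled=MUST_BE_DISABLED):
    """Blocking only when a must-be-disabled workload is enabled; the HTTP
    port list is reported as a KPI, matching how the thread treats it."""
    items = json.loads(raw_json)["items"]
    forbidden = enabled_but_forbidden(items, must_be_disabled)
    return {"blocking": bool(forbidden),
            "enabled_forbidden": forbidden,
            "http_ports": plain_http_ports(items)}


def set_replicas(raw_json, name, replicas):
    """Copy of the object list with one deployment's replica count changed,
    modelling the Dublin work-around (replica set 0) being re-applied."""
    doc = json.loads(raw_json)
    for obj in doc["items"]:
        if obj.get("kind") == "Deployment" and obj["metadata"]["name"] == name:
            obj.setdefault("spec", {})["replicas"] = replicas
    return json.dumps(doc)


if __name__ == "__main__":
    print("before:", release_gate(SAMPLE_OBJECTS))
    print("after :", release_gate(set_replicas(SAMPLE_OBJECTS, "sdnc-portal", 0)))
```

On the constructed sample the gate is blocking (`sdnc-portal` has 1 replica) and two cleartext ports are listed; after `set_replicas(..., "sdnc-portal", 0)` the gate clears while the HTTP-port KPI is unchanged, which is exactly the distinction the thread draws between the blocking SDNC items and the remaining non-blocking findings.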
