Re: SECCOM recommendation for the El Alto Release

Catherine LEFEVRE
 

Team ,

 

Just an update – I guess that SDN-C has solved the issue related to “SDNC portal must be disabled by default”.

See https://gerrit.onap.org/r/#/c/oom/+/97485/

 

Concerning the second item, additional work is indeed still required.

https://docs.onap.org/en/elalto/submodules/sdnc/oam.git/docs/release-notes.html

 

Best regards

Catherine

 

From: onap-seccom@... [mailto:onap-seccom@...] On Behalf Of ZWARICO, AMY
Sent: Tuesday, October 22, 2019 5:24 PM
To: onap-seccom@...
Subject: [Onap-seccom] SECCOM recommendation for the El Alto Release

 


On the Monday, 21 October PTL call, Catherine Lefevre requested a formal SECCOM recommendation for the El Alto release based on the KPI data presented. On today’s SECCOM call (22 October) we reached agreement that ONAP El Alto should not be released until the SDNC team re-enables the remote code execution vulnerability work-around implemented in Dublin.

        SDNC portal must be disabled by default

        All ONAP CVEs for the SDNC remote code execution vulnerability must be documented.

 

The analysis that led to this recommendation is documented below. If you have any questions, you can contact Krzysztof Opasiak or me.

        SECCOM recommendation to TSC about El Alto security status based on KPIs for the release

-        ONAP El Alto should not be released until the SDNC team re-enables the remote code execution vulnerability work-around implemented in Dublin.

        SDNC portal must be disabled by default

        All ONAP CVEs for the SDNC remote code execution vulnerability must be documented

-        OJSI Tickets

        21 HTTP ports remain

        12 CVEs closed

        7 CVEs in progress

        3 SDNC remote code execution CVEs are blocking for the release (https://jira.onap.org/browse/OJSI-41 (CVE-2019-12132), https://jira.onap.org/browse/OJSI-42 (CVE-2019-12123), https://jira.onap.org/browse/OJSI-199 (CVE-2019-12112))

        7 CVEs with no action

        11 remaining unresolved CVEs are not blocking

-        CII Badging

        Significant improvement in overall badging

        Some projects lagging on badging activity

        CII Badging is not blocking for the release

-        Vulnerability Review Tables

        Vulnerability analysis is nearly complete, projects made progress on closing vulnerabilities in El Alto

        Vulnerability Review Tables is not blocking for the release

-        Recommendation from SECCOM: Add the status of the inactive projects to the release documentation by including the last commit date in each vulnerability review page

 

 

Amy Zwarico, LMTS

Chief Security Office / Emerging Services Security

AT&T Services

(205) 613-1667

 


 
