
SECCOM recommendation for the El Alto Release

Amy Zwarico
 

On the Monday, 21 October PTL call, Catherine Lefevre requested a formal SECCOM recommendation for the El Alto release based on the KPI data presented. On today’s SECCOM call (22 October) we reached agreement that the ONAP El Alto should not be released until the SDNC team re-enables the remote code execution vulnerability work-around implemented in Dublin.

  • SDNC portal must be disabled by default

  • All ONAP CVEs for the SDNC remote code execution vulnerability must be documented.

 

The analysis that led to this recommendation is documented below. If you have any questions, you can contact Krzysztof Opasiak or me.

SECCOM recommendation to TSC about El Alto security status based on KPIs for the release

- ONAP El Alto should not be released until the SDNC team re-enables the remote code execution vulnerability work-around implemented in Dublin.
  • SDNC portal must be disabled by default
  • All ONAP CVEs for the SDNC remote code execution vulnerability must be documented

- OJSI Tickets
  • 21 HTTP ports remain
  • 12 CVEs closed
  • 7 CVEs in progress
  • 3 SDNC remote code execution CVEs are blocking for the release (https://jira.onap.org/browse/OJSI-41 (CVE-2019-12132), https://jira.onap.org/browse/OJSI-42 (CVE-2019-12123), https://jira.onap.org/browse/OJSI-199 (CVE-2019-12112))
  • 7 CVEs with no action
  • 11 remaining unresolved CVEs are not blocking

- CII Badging
  • Significant improvement in overall badging
  • Some projects lagging on badging activity
  • CII Badging is not blocking for the release

- Vulnerability Review Tables
  • Vulnerability analysis is nearly complete; projects made progress on closing vulnerabilities in El Alto
  • Vulnerability Review Tables are not blocking for the release

- Recommendation from SECCOM: Add the status of the inactive projects to the release documentation by including the last commit date in each vulnerability review page

 

 

Amy Zwarico, LMTS

Chief Security Office / Emerging Services Security

AT&T Services

(205) 613-1667

 


 

Krzysztof Opasiak
 

Hi,

A couple of comments from my side:

On 22.10.2019 17:23, Amy Zwarico wrote:
On the Monday, 21 October PTL call, Catherine Lefevre requested a
formal SECCOM recommendation for the El Alto release based on the KPI
data presented. On today’s SECCOM call (22 October) we reached agreement
that the *ONAP El Alto should not be released until the SDNC team
re-enables the remote code execution vulnerability work-around
implemented in Dublin.*

•*SDNC portal must be disabled by default*
SDNC portal must be disabled by default (replica set 0) unless proper
fixes are provided.


•*All ONAP CVEs for the SDNC remote code execution vulnerability must be
documented*.
Technically they are all documented in release notes for Dublin as known
security issues. By default our release notes are cumulative so as long
as we don't document this as fixed they are unfixed.

But taking into account how serious those vulnerabilities are, I believe
that mentioning them once again under known security issues in the El Alto
release notes would improve our transparency.


The analysis that led to this recommendation is documented below. If you
have any questions, you can contact Krzysztof Opasiak or me.

•SECCOM recommendation to TSC about El Alto security status based on
KPIs for the release

-*ONAP El Alto should not be released until the SDNC team re-enables the
remote code execution vulnerability work-around implemented in Dublin.*
or provides proper fixes ;)


•*SDNC portal must be disabled by default*
or just fixed


•*All ONAP CVEs for the SDNC remote code execution vulnerability must be
documented*

-OJSI Tickets

•21 HTTP ports remain

•12 CVEs closed

•7 CVEs in progress

•*3 SDNC remote code execution CVEs are blocking for the release*
(https://jira.onap.org/browse/OJSI-41 (CVE-2019-12132),
https://jira.onap.org/browse/OJSI-42 (CVE-2019-12123),
https://jira.onap.org/browse/OJSI-199 (CVE-2019-12112))
OJSI-203 - unprotected APIs in SO
OJSI-15 - XSS vulnerabilities in ONAP Portal
OJSI-34 - SQL injections in SDNC
OJSI-174 - SQL injections in Portal

OJSI-203 is the one that I mentioned that SO decided to carry over to
Frankfurt due to resource constraints.

OJSI-15 is a Work in Progress. It's just a significant amount of work
which is not finished yet.

OJSI-34 - to be consulted with SDNC Team but not as severe as the 3 above

OJSI-174 - Dominik worked on this but I'm not sure if he managed to fix
everything by now. Just asked him for an update.


•7 CVEs with no action
OJSI-93 - user impersonation (still lack of proper user management)
OJSI-88 - JDWP exposed on localhost
OJSI-202 - Unprotected APIs in OOM
OJSI-204 - Unprotected APIs in MSB
OJSI-205 - Unprotected APIs in CLI
OJSI-63 - Jolokia in APPC
OJSI-200 - Unprotected APIs in Logging

OJSI-88 and OJSI-63 are not as severe as the 3 from SDNC and I know that
APPC started some work on OJSI-63.


•11 remaining unresolved CVEs are not blocking
Agree.

Best regards,
--
Krzysztof Opasiak
Samsung R&D Institute Poland
Samsung Electronics

Catherine LEFEVRE
 

Team,

 

Just an update – I guess that SDN-C has solved the issue related to “SDNC portal must be disabled by default”.

See https://gerrit.onap.org/r/#/c/oom/+/97485/

 

Concerning the second item, additional work is indeed still required:

https://docs.onap.org/en/elalto/submodules/sdnc/oam.git/docs/release-notes.html

 

Best regards

Catherine

 

From: onap-seccom@... [mailto:onap-seccom@...] On Behalf Of ZWARICO, AMY
Sent: Tuesday, October 22, 2019 5:24 PM
To: onap-seccom@...
Subject: [Onap-seccom] SECCOM recommendation for the El Alto Release

 


 

Krzysztof Opasiak
 

Hi Catherine,

On 23.10.2019 23:29, Catherine LEFEVRE wrote:
Team,

Just an update – I guess that SDN-C has solved the issue related to
“SDNC portal must be disabled by default”

See https://gerrit.onap.org/r/#/c/oom/+/97485/

Concerning the second item, additional work is indeed still required

https://docs.onap.org/en/elalto/submodules/sdnc/oam.git/docs/release-notes.html
The fix for SDNC documentation is already merged:
https://gerrit.onap.org/r/#/c/sdnc/oam/+/97491/

Unfortunately there was some issue with updating the doc repo, so you don't
see the changes in readthedocs. I've just fixed that, but we are still
waiting for jenkins to pick up the rebuild. After that SDNC should be
good to go.

Yesterday I reviewed the security release notes in all projects and I'm very
happy with the quality that teams managed to deliver. I have only 3 minor
fixes for those, and after they are merged we should be good to go with
all projects:

https://gerrit.onap.org/r/97499
https://gerrit.onap.org/r/97500
https://gerrit.onap.org/r/97502

Best regards,
--
Krzysztof Opasiak
Samsung R&D Institute Poland
Samsung Electronics