Hi Steve,

Thanks for your comment.
I've updated the wiki page 
(https://wiki.onap.org/pages/viewpage.action?pageId=28378623) with the relevant 
impact on most of the issues.
A few issues are still under investigation (marked TBD), as we are still trying 
to upgrade as many dependencies as possible to a non-vulnerable version. I'll 
update again in the next couple of days.

Thanks,
Ofir

From: Stephen Terrill [mailto:stephen.terr...@ericsson.com]
Sent: Monday, April 02, 2018 10:48 AM
To: Hemli, Amichai <ah0...@intl.att.com>; Sonsino, Ofir <os0...@intl.att.com>
Cc: onap-sec...@lists.onap.org; onap-tsc <onap-tsc@lists.onap.org>
Subject: Review of VID known vulnerability analysis

Hi Amichai and Ofir,

Thank you for your known vulnerability analysis of VID 
(https://wiki.onap.org/pages/viewpage.action?pageId=28378623).

For the vulnerabilities where there is no fix, do you have an analysis of 
how VID uses the imported code so that the implications of the risk can be 
evaluated? For example, for the Jackson mapper, see: 
https://wiki.onap.org/pages/viewpage.action?pageId=25439016

Best Regards,

Steve

STEPHEN TERRILL
Technology Specialist
POA Architecture and Solutions
Business Unit Digital Services

Ericsson
Ericsson R&D Center, via de los Poblados 13
28033, Madrid, Spain
Phone +34 339 3005
Mobile +34 609 168 515
stephen.terr...@ericsson.com
www.ericsson.com



_______________________________________________
ONAP-TSC mailing list
ONAP-TSC@lists.onap.org
https://lists.onap.org/mailman/listinfo/onap-tsc
