Re: [onap-tsc] Known vulnerability analysis of AAF

2018-04-03 Thread Kamineni, Kiran K
I believe appc is using Bouncy Castle in their code.

https://git.onap.org/appc/tree/appc-adapters/appc-chef-adapter/appc-chef-adapter-bundle/src/main/java/org/onap/appc/adapter/chef/chefclient/impl/Utils.java

-- K i r a n

From: onap-tsc-boun...@lists.onap.org [mailto:onap-tsc-boun...@lists.onap.org] On Behalf Of Stephen Terrill
Sent: Tuesday, April 03, 2018 7:51 AM
To: GATHMAN, JONATHAN C
Cc: onap-sec...@lists.onap.org; GANDHAM, SAI; KOYA, RAMPRASAD; onap-tsc
Subject: Re: [onap-tsc] Known vulnerability analysis of AAF

Hi Jonathan,

The RC dates are here: 
https://wiki.onap.org/display/DW/Release+Planning#ReleasePlanning-BeijingRelease

I can’t respond to the adoption of Bouncy Castle, but I hope that others could 
kick in?

BR,

Steve

From: GATHMAN, JONATHAN C [mailto:jg1...@att.com]
Sent: Tuesday, April 03, 2018 4:33 PM
To: Stephen Terrill
Cc: onap-sec...@lists.onap.org; onap-tsc; KOYA, RAMPRASAD; GANDHAM, SAI; ZWARICO, AMY
Subject: Re: Known vulnerability analysis of AAF

Hey Steve,
  When are the dates for RC0, RC1 (if you have a calendar link, I don’t have 
that)?

  My current efforts are
1)  Sonar to report AAF accurately (what is left is getting “Coverage” 
numbers… we had some improvement just this morning… nice to have headway)
2)  Getting the AAF Beijing release working in Wind River VMs.
3)  Getting the best Cassandra, J2EE and Mailer versions that 
eliminate/limit security issues from dependent libraries.

  When those are working, I’ll be able to swing around and see what we can do 
on those other elements.

  Do you happen to know if anybody else uses Bouncy Castle, and if there are 
better versions out there without the security issues?  That might be a good 
approach.

  In terms of vulnerability, Bouncy Castle is used exclusively to help 
facilitate certificate creation (AAF Certman).  It is not in any of the 
Service, GUI, Locate, etc. components.


--
Jonathan Gathman
Principled-System Architect
ATO Tech Dev/SEAT/Platform Architecture and Technology Management

AT&T Services, Inc.
2349 Oaker, Arnold, MO 63010
m 314-550-3312 | jonathan.gath...@us.att.com

From: Stephen Terrill
Date: Tuesday, April 3, 2018 at 9:26 AM
To: "GATHMAN, JONATHAN C"
Cc: "onap-sec...@lists.onap.org", onap-tsc, RAMPRASAD KOYA, "GANDHAM, SAI", "ZWARICO, AMY"
Subject: RE: Known vulnerability analysis of AAF

Hi Jonathan,

Thanks for the reply.  It would be good to know:
-  Do you think that this will be done by RC0, RC1….?
-  If it turns out you can’t replace the version, it would be good to know 
what exposure ONAP has to the vulnerability.  Sometimes it turns out ONAP is 
not exposed due to the way that ONAP uses the components.

BR,

Steve

From: GATHMAN, JONATHAN C [mailto:jg1...@att.com]
Sent: Tuesday, April 03, 2018 2:53 AM
To: Stephen Terrill
Cc: onap-sec...@lists.onap.org; onap-tsc; KOYA, RAMPRASAD; GANDHAM, SAI; ZWARICO, AMY
Subject: Re: Known vulnerability analysis of AAF

Hi Steve,
  We are using “BouncyCastle” for part of the CA work.  I will have to look 
into whether I can remove it easily.

  io.netty and org.apache.httpcomponents are derived dependencies from 
Cassandra.  I’m making inquiries as to what Cassandra versions we can use to 
get free of license issues as well as whatever flaws you have noted.

--
Jonathan Gathman
Principled-System Architect
ATO Tech Dev/SEAT/Platform Architecture and Technology Management

AT&T Services, Inc.
2349 Oaker, Arnold, MO 63010
m 314-550-3312 | jonathan.gath...@us.att.com

From: RAMPRASAD KOYA
Date: Monday, April 2, 2018 at 5:39 PM
To: Stephen Terrill, "GATHMAN, JONATHAN C", "GANDHAM, SAI"
Cc:
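Jonathan's point that io.netty and org.apache.httpcomponents only arrive as derived dependencies of Cassandra is exactly what a triage has to pin down per artifact before deciding whether a flagged library can be upgraded, swapped or ignored. The following is an added example, not code from ONAP, AAF or anyone on this thread: it parses `mvn dependency:tree` output and reports, for each flagged group ID, which direct dependency pulls the artifact in. The tree text, coordinates, versions and flagged list are constructed placeholders.

```python
import re
from typing import Dict, List

# Constructed sample of `mvn dependency:tree` output; coordinates and versions
# are placeholders, not AAF's real tree. The flagged groups arrive via Cassandra.
SAMPLE_TREE = """\
[INFO] org.example:app:jar:1.0:compile
[INFO] +- com.datastax.cassandra:cassandra-driver-core:jar:3.x:compile
[INFO] |  +- io.netty:netty-handler:jar:4.x:compile
[INFO] |  |  \\- io.netty:netty-codec:jar:4.x:compile
[INFO] |  \\- com.google.guava:guava:jar:19.x:compile
[INFO] +- org.apache.httpcomponents:httpclient:jar:4.x:compile
[INFO] \\- org.bouncycastle:bcprov-jdk15on:jar:1.x:compile
"""
# Group IDs the (constructed) vulnerability report flagged.
FLAGGED_GROUPS = {"io.netty", "org.apache.httpcomponents", "org.bouncycastle"}

# Optional "[INFO] " prefix, tree-drawing segments of exactly 3 chars each,
# then the Maven coordinate group:artifact:type:version:scope.
_LINE = re.compile(r"^(?:\[INFO\] )?((?:\+- |\\- |\|  |   )*)(\S+)$")


def parse_tree(text: str) -> List[List[str]]:
    """Return one root-to-node path (group:artifact strings) per tree line."""
    stack: List[str] = []
    paths: List[List[str]] = []
    for raw in text.splitlines():
        m = _LINE.match(raw.rstrip())
        if not m:
            continue
        depth = len(m.group(1)) // 3      # one 3-char segment per nesting level
        group, artifact = m.group(2).split(":")[:2]
        del stack[depth:]                 # back up to this node's parent
        stack.append(f"{group}:{artifact}")
        paths.append(list(stack))
    return paths


def flagged_origins(text: str, flagged: set) -> Dict[str, str]:
    """Map each flagged artifact to the direct dependency that pulls it in.

    A direct dependency maps to itself; a transitive one maps to its depth-1
    ancestor, the dependency whose upgrade or removal changes the exposure.
    """
    origins: Dict[str, str] = {}
    for path in parse_tree(text):
        if path[-1].split(":")[0] in flagged and len(path) > 1:
            origins[path[-1]] = path[1]
    return origins
```

Run it against the real output of `mvn dependency:tree` for the module in question; an artifact whose origin is itself has to be fixed in that module's own pom, while one that maps to a parent is only changed by moving the parent.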

Re: [onap-tsc] Known vulnerability analysis of AAF

2018-04-03 Thread Stephen Terrill
Hi Jonathan,

The RC dates are here: 
https://wiki.onap.org/display/DW/Release+Planning#ReleasePlanning-BeijingRelease

I can’t respond to the adoption of Bouncy Castle, but I hope that others could 
kick in?

BR,

Steve

From: RAMPRASAD KOYA
Date: Monday, April 2, 2018 at 5:39 PM
To: Stephen Terrill, "GATHMAN, JONATHAN C", "GANDHAM, SAI"
Cc: "onap-sec...@lists.onap.org", onap-tsc
Subject: RE: Known vulnerability analysis of AAF

Sai, Jonathan – Any thoughts on this?


Re: [onap-tsc] Known vulnerability analysis of AAF

2018-04-03 Thread Stephen Terrill
Hi Jonathan,

Thanks for the reply.  It would be good to know:

  *   Do you think that this will be done by RC0, RC1….?
  *   If it turns out you can’t replace the version, it would be good to know 
what exposure ONAP has to the vulnerability.  Sometimes it turns out ONAP is not 
exposed due to the way that ONAP uses the components.

BR,

Steve


From: Stephen Terrill [mailto:stephen.terr...@ericsson.com]
Sent: Monday, April 02, 2018 2:59 AM
To: KOYA, RAMPRASAD
Cc: onap-sec...@lists.onap.org; onap-tsc
Subject: Known vulnerability analysis of AAF

Hi Ram,

Thanks for the review of the known vulnerabilities for AAF: 
https://wiki.onap.org/pages/viewpage.action?pageId=28380057

I note that the actions are still work in progress – do you have an estimated 
time for the analysis?  In the analysis, it would be great if you consider 
the way that AAF uses the imported artefacts, to be clear on whether AAF 
is exposed to the vulnerability.

Best Regards,

Steve

STEPHEN TERRILL
Technology Specialist
POA Architecture and Solutions
Business Unit Digital Services

Ericsson
Ericsson R&D Center, via de los Poblados 13
28033, Madrid, Spain
Phone +34 339 3005
Mobile +34 609 168 515
stephen.terr...@ericsson.com
www.ericsson.com



___
ONAP-TSC mailing list
ONAP-TSC@lists.onap.org
https://lists.onap.org/mailman/listinfo/onap-tsc


[onap-tsc] New TSC Rep For Orange

2018-04-03 Thread Kenny Paul
This is to inform everyone that Jamil Chawki has re-assigned Orange’s seat on 
the ONAP TSC to Eric Debeau.
I will have all of the necessary changes in place by the end of the day. 

Welcome Eric!

Best Regards, 
-kenny

Kenny Paul, Technical Program Manager, The Linux Foundation
kp...@linuxfoundation.org, 510.766.5945
San Francisco Bay Area, Pacific Time Zone



[onap-tsc] Re: ONAP Vulnerability Report - VF-C

2018-04-03 Thread Yan Yang
Hi Amy,

Please see my response to your question below.

Best Regards,

Yan

From: ZWARICO, AMY [mailto:az9...@att.com]
Sent: April 1, 2018 3:28
To: yangya...@chinamobile.com
Cc: onap-tsc; onap-sec...@lists.onap.org
Subject: ONAP Vulnerability Report - VF-C

Hi Yan,

I was reviewing the Usecase-UI known vulnerability analysis – thank you for 
providing that (https://wiki.onap.org/pages/viewpage.action?pageId=25437810)

1.   Is VF-C using the vulnerable component(s) in commons-httpclient?

[Yan] VF-C code doesn’t use the readRawLine() method in commons-httpclient 
directly. We plan to replace this jar with Apache HttpComponents, but need some 
time to update the code and test.

2.   Is VF-C using the vulnerable component(s) in jackson-mapper-asl?

   [Yan] We don’t use Jackson directly and don’t use the 
createBeanDeserializer() function which has the vulnerability. We were unable 
to find any reference to this vulnerability.

3.   Is VF-C using the vulnerable component(s) in xercesImpl?

   [Yan] About the xercesImpl security issue, we have replaced it 
with a new version and this issue has been solved.

Thanks so much,

Amy

Amy Zwarico, LMTS
Chief Security Office / Enterprise Security Support / Cloud Security Services
AT&T Services
(205) 403-2241