Re: [onap-tsc] Known vulnerability analysis of AAF

2018-04-04 Thread Gildas Lanilis
Hi Jonathan,

All milestone dates for Beijing are available here:
https://wiki.onap.org/display/DW/Release+Planning

Thanks,
Gildas
ONAP Release Manager
1 415 238 6287


Re: [onap-tsc] Known vulnerability analysis of AAF

2018-04-04 Thread GATHMAN, JONATHAN C
Hey Steve,
  When are the dates for RC0, RC1 (If you have a calendar link, I don’t have
that)?

  My current efforts are

  1.  Sonar to report AAF accurately (what is left is getting “Coverage”
numbers… we had some improvement just this morning… nice to have headway)
  2.  Getting the AAF Beijing release working in Wind River VMs.
  3.  Getting the best Cassandra, J2EE and Mailer versions that eliminate/limit
Security issues from dependent libraries.

  When those are working, I’ll be able to swing around and see what we can do
on those other elements.

  Do you happen to know if anybody else uses Bouncy Castle, and if there are
better versions out there without the security issues?  That might be a good
approach.

  In terms of Vulnerability, Bouncy Castle is used exclusively to help
facilitate Certificate Creation (AAF Certman).  It is not in any of the
Service, GUI, Locate, etc. components.


--
Jonathan Gathman
Principled-System Architect
ATO Tech Dev/SEAT/Platform Architecture and Technology Management

AT&T Services, Inc.
2349 Oaker, Arnold, MO 63010
m  314-550-3312  |  
jonathan.gath...@us.att.com


Re: [onap-tsc] Known vulnerability analysis of AAF

2018-04-04 Thread GATHMAN, JONATHAN C
Hi Steve,
  We are using “BouncyCastle” for part of the CA work.  I will have to look
into whether I can remove it easily.

  io.netty and org.apache.httpcomponents are derived dependencies from
Cassandra.  I’m making inquiries as to what Cassandra Versions we can use to
get free of License issues as well as whatever flaws you have noted.

--
Jonathan Gathman
Principled-System Architect
ATO Tech Dev/SEAT/Platform Architecture and Technology Management

AT&T Services, Inc.
2349 Oaker, Arnold, MO 63010
m  314-550-3312  |  
jonathan.gath...@us.att.com


___
ONAP-TSC mailing list
ONAP-TSC@lists.onap.org
https://lists.onap.org/mailman/listinfo/onap-tsc


Re: [onap-tsc] Known vulnerability analysis of AAF

2018-04-03 Thread Kamineni, Kiran K
I believe appc is using bouncy castle in their code.

https://git.onap.org/appc/tree/appc-adapters/appc-chef-adapter/appc-chef-adapter-bundle/src/main/java/org/onap/appc/adapter/chef/chefclient/impl/Utils.java

-- K i r a n


Re: [onap-tsc] Known vulnerability analysis of AAF

2018-04-03 Thread Stephen Terrill
Hi Jonathan,

The RC dates are here: 
https://wiki.onap.org/display/DW/Release+Planning#ReleasePlanning-BeijingRelease

I can’t respond to the adoption of bouncy council, but I hope that others could 
kick-in?

BR,

Steve


Re: [onap-tsc] Known vulnerability analysis of AAF

2018-04-03 Thread Stephen Terrill
Hi Jonathan,

Thanks for the reply.  It would be good to know:

  *   Do you think that this will be done by RC0, RC1….?
  *   If it turns out you can’t replace the version, it would be good to know
what exposure ONAP has to the vulnerability.  Sometimes it turns out ONAP is not
exposed due to the way that ONAP uses the components.

BR,

Steve



Re: [onap-tsc] Known vulnerability analysis of AAF

2018-04-02 Thread KOYA, RAMPRASAD
Sai, Jonathan - Any thoughts on this?



[onap-tsc] Known vulnerability analysis of AAF

2018-04-02 Thread Stephen Terrill
Hi Ram,

Thanks for the review of the known vulnerabilities for AAF: 
https://wiki.onap.org/pages/viewpage.action?pageId=28380057

I note that the actions are still work in progress - do you have an estimated
time for the analysis?  In the analysis, it would be great if you consider
the way that AAF uses the imported artefacts, to be clear on whether AAF
is exposed to the vulnerability.

Best Regards,

Steve

STEPHEN TERRILL
Technology Specialist
POA Architecture and Solutions
Business Unit Digital Services

Ericsson
Ericsson R&D Center, via de los Poblados 13
28033, Madrid, Spain
Phone +34 339 3005
Mobile +34 609 168 515
stephen.terr...@ericsson.com
www.ericsson.com


Legal entity: Ericsson España S.A, company registration number ESA288568603.
This Communication is Confidential. We only send and receive email on the basis 
of the terms set out at 
www.ericsson.com/email_disclaimer
