In order to provide users with more details of the project's state in
terms of security, let's divide the security release notes into three
sections:
- Fixed Security Issues
Contains a list of security fixes merged during this
release (especially those reported via OJSI tickets).
- Known Security Issues
Contains a list of vulnerabilities detected in the project during the
release which have not been fixed yet and thus should be mitigated
by the user.
- Known Vulnerabilities in Used Modules
Contains information about NexusIQ scan results
Issue-ID: SECCOM-238
Signed-off-by: Krzysztof Opasiak <k.opasiak@samsung.com>
Change-Id: I07a057dd5bdec7a2d3ad42be854faa9c8abd38e0
+*Fixed Security Issues*
+
NBI has been improved to reduce signs of vulnerabilities,
especially by migrating from Springboot 1.x to Springboot 2 and using ONAP Parent pom.xml
-Warning: NBI exposes non TLS API endpoint on port 30274, meaning full plain text exchange with NBI API.
-TLS configuration, with ONAP Root CA signed certificate will be proposed in El Alto.
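Review bot: The new *Fixed Security Issues* section (from the `+*Fixed Security Issues*` line through the retained Spring Boot migration sentence) lists no fixed issue, although the commit message says this section holds the security fixes merged during the release, especially those reported via OJSI tickets. Either list the OJSI tickets closed in this release, in the same `` `OJSI-136 <https://jira.onap.org/browse/OJSI-136>`_ `` link form used under *Known Security Issues*, or state explicitly that no OJSI-reported issue was fixed in Dublin, so a reader can tell an empty list from a missing one.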
+*Known Security Issues*
+
+- `OJSI-136 <https://jira.onap.org/browse/OJSI-136>`_ - In default deployment EXTAPI (nbi) exposes HTTP port 30274 outside of cluster.
+ NBI exposes non TLS API endpoint on port 30274, meaning full plain text exchange with NBI API.
+ TLS configuration, with ONAP Root CA signed certificate will be proposed in El Alto.
+
+ As a workaround it is quite easy to add HTTPS support to NBI by configuring SSL and activating strict https.
+ Presuming you have a valid JKS keystore, with private key and a signed certificate:
-As a workaround it is quite easy to add HTTPS support to NBI by configuring SSL and activating strict https.
-Presuming you have a valid JKS keystore, with private key and a signed certificate:
+ src/main/resources/application.properties
- src/main/resources/application.properties
+ # tls/ssl
+ server.ssl.key-store-type=JKS
+ server.ssl.key-store=classpath:certificate/yourkeystore.jks
+ server.ssl.key-store-password=password
+ server.ssl.key-alias=youralias
- # tls/ssl
- server.ssl.key-store-type=JKS
- server.ssl.key-store=classpath:certificate/yourkeystore.jks
- server.ssl.key-store-password=password
- server.ssl.key-alias=youralias
+ # disable http and activate https
+ security.require-ssl=true
- # disable http and activate https
- security.require-ssl=true
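Review bot: The workaround's `security.require-ssl=true` is a Spring Boot 1.x property, while the same release note says NBI has migrated to Spring Boot 2; please verify it is still honoured by the version NBI ships, otherwise the `# disable http and activate https` comment promises something the configuration does not deliver and the plain-text endpoint on port 30274 stays reachable. If it is not honoured, document the Spring Boot 2 equivalent (requiring a secure channel in the Spring Security configuration) instead. Two smaller points: `server.ssl.key-store-password=password` and `classpath:certificate/yourkeystore.jks` should be marked as placeholders, and the text should advise supplying the real keystore and its password from a mounted secret or an environment override rather than baking them into the jar and committing them in application.properties; and the `src/main/resources/application.properties` line should end with `::` (with the property lines indented beneath it) so reST renders them as a literal block instead of joining them into one paragraph.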
+*Known Vulnerabilities in Used Modules*
- `Dublin Vulnerability Report <https://wiki.onap.org/pages/viewpage.action?pageId=51282484>`_