From: Dan Timoney Date: Wed, 23 Oct 2019 22:25:04 +0000 (+0000) Subject: Merge "Improve security release notes for El Alto" X-Git-Url: https://gerrit.onap.org/r/gitweb?a=commitdiff_plain;h=2b1b8b28022a6ff53842c8ca513c5922f0c958a0;hp=-c;p=sdnc%2Foam.git Merge "Improve security release notes for El Alto" --- 2b1b8b28022a6ff53842c8ca513c5922f0c958a0 diff --combined docs/release-notes.rst index 9bfac300,9e8f1017..7aae5be0 --- a/docs/release-notes.rst +++ b/docs/release-notes.rst @@@ -3,9 -3,9 +3,9 @@@ Release Notes ============= -Version 1.7.3 +Version 1.7.4 ------------- -:Release Date: 2019-09-30 +:Release Date: 2019-10-24 El Alto release @@@ -21,15 -21,15 +21,15 @@@ The following table lists the SDNC dock +--------------------------------+---------------------------------------------+-----------+ | onap/service-decomposition | POMBA : service decomposition microservice | 1.7.3 | +--------------------------------+---------------------------------------------+-----------+ -| onap/sdnc-ansible-server-image | Ansible server | 1.7.3 | +| onap/sdnc-ansible-server-image | Ansible server | 1.7.4 | +--------------------------------+---------------------------------------------+-----------+ -| onap/sdnc-aaf-image | SDNC controller image, with AAF integration | 1.7.3 | +| onap/sdnc-aaf-image | SDNC controller image, with AAF integration | 1.7.4 | +--------------------------------+---------------------------------------------+-----------+ -| onap/sdnc-image | SDNC controller image, standalone (no AAF) | 1.7.3 | +| onap/sdnc-image | SDNC controller image, standalone (no AAF) | 1.7.4 | +--------------------------------+---------------------------------------------+-----------+ -| onap/sdnc-ueb-listener-image | SDC listener | 1.7.3 | +| onap/sdnc-ueb-listener-image | SDC listener | 1.7.4 | +--------------------------------+---------------------------------------------+-----------+ -| onap/sdcn-dmaap-listener-image | DMAAP listener | 1.7.3 | +| onap/sdcn-dmaap-listener-image | 
DMAAP listener | 1.7.4 | +--------------------------------+---------------------------------------------+-----------+ @@@ -61,49 -61,41 +61,61 @@@ The full list of bug fixes in the SDNC **Known Issues** The full list of known issues in SDNC may be found in the ONAP Jira at +One specific issue of concern is the following + ++------------+---------------------------------------------------------------------------------+ +| Jira # | Abstract | ++============+=================================================================================+ +| [SDNC-949] | GR-API Macro Orchestration fails while waiting on vnf-topology-operation status | ++------------+---------------------------------------------------------------------------------+ + +This issue is fixed in Gerrit, but not in the released 1.7.4 version of the SDNC docker container. This issue +can be manually fixed by installing the following 2 directed graphs via directed graph builder: + +- `GENERIC-RESOURCE-API_vf-module-topology-operation.json +`_ +- `GENERIC-RESOURCE-API_vnf-topology-operation.json +`_ + + + One item of note is that the SDNC admin portal was determined to have a number of security vulnerabilities, under Known Security Issues. As a temporary remediation, the admin portal was disabled in Dublin. These issues have been resolved in El Alto. + + **Security Notes** *Fixed Security Issues* - CVE-2019-12132 `OJSI-41 `_ SDNC service allows for arbitrary code execution in sla/dgUpload form + Fixed temporarily by disabling admportal. - CVE-2019-12123 `OJSI-42 `_ SDNC service allows for arbitrary code execution in sla/printAsXml form + Fixed temporarily by disabling admportal. - CVE-2019-12113 `OJSI-43 `_ SDNC service allows for arbitrary code execution in sla/printAsGv form + Fixed by removing this API endpoint. - `OJSI-91 `_ SDNC exposes unprotected API for user creation + Fixed temporarily by disabling admportal. 
- `OJSI-98 `_ In default deployment SDNC (sdnc-portal) exposes HTTP port 30201 outside of cluster. + Port 30201 now uses HTTPS protocol. - CVE-2019-12112 `OJSI-199 `_ SDNC service allows for arbitrary code execution in sla/upload form + Fixed temporarily by disabling admportal. - `OJSI-34 `_ Multiple SQL Injection issues in SDNC - `OJSI-99 `_ In default deployment SDNC (sdnc) exposes HTTP port 30202 outside of cluster. + Port 30202 is no longer used. - `OJSI-100 `_ In default deployment SDNC (sdnc-dgbuilder) exposes HTTP port 30203 outside of cluster. + Port 30203 now uses HTTPS protocol. - `OJSI-179 `_ dev-sdnc-sdnc exposes JDWP on port 1830 which allows for arbitrary code execution + Ticket has been closed as no one was able to reproduce the issue. - `OJSI-183 `_ SDNC exposes ssh service on port 30208 + Port 30202 is no longer used. *Known Security Issues* - + For CVE-2019-12132, CVE-2019-12123 and CVE-2019-12112 only temporary fix has been applied. + This fix simply prevents admportal from being started and exposed. + If admportal is to be used in your deployment, please be very cautious and remember to fix those vulnerabilities on your own. *Known Vulnerabilities in Used Modules*
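Review bot: In the docker image table hunk, the last row keeps the image name `onap/sdcn-dmaap-listener-image` on both the removed and added lines, while every other row uses the `onap/sdnc-` prefix; this looks like a transposition that should be corrected to `onap/sdnc-dmaap-listener-image` while the row is being touched, otherwise readers copying the name will pull a non-existent image. Also confirm that `onap/service-decomposition` staying at 1.7.3 while the other five images move to 1.7.4 is intentional, since the table otherwise reads as a uniform bump.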
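Review bot: The remediation added under OJSI-183 does not match the finding: the issue is "SDNC exposes ssh service on port 30208" but the added line reads "+ Port 30202 is no longer used.", which duplicates the OJSI-99 remediation; it should state what was done about port 30208. Three further consistency points in the same hunk: OJSI-34 "Multiple SQL Injection issues in SDNC" is the only entry under *Fixed Security Issues* with no remediation line, so either add one or move it to *Known Security Issues*; the new *Known Security Issues* paragraph names only CVE-2019-12132, CVE-2019-12123 and CVE-2019-12112 as relying on the temporary admportal disablement, yet OJSI-91 (unprotected user creation API) is also marked "Fixed temporarily by disabling admportal." and should be listed there too; and the retained context sentence "These issues have been resolved in El Alto." now contradicts the added statement that "only temporary fix has been applied", so reword it to say the portal remains disabled. Finally, OJSI-179 ("Ticket has been closed as no one was able to reproduce the issue.") is not a fix and sits awkwardly under *Fixed Security Issues*; consider labelling it as closed/not reproducible rather than fixed.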