orange-cloudfoundry / cf-ops-automation-broker Goto Github PK
View Code? Open in Web Editor NEWOn demand dedicated services through COA concourse pipeline engine
On demand dedicated services through COA concourse pipeline engine
Currently, when a timeout is encountered the cloudflare broker displays a message such "failed, timeout encounted 903s, max is 900". The service instance request (create or delete) remains in the failed state, even if in some cases the provisionning proceeds and eventually successfully completes.
The current workaround is for users to request to delete the failed service instance, wait for successful completion, and create a new service instance. If delete request also fails, human support should be asked for.
Suggested improvements:
debug-mode=false
into which any failure automatically results in automatic unprovisionning (ie COAB desired state removed the TF module). When debug-mode=true
is enabled, the failed provisionning is left as-is for operators to troubleshoot and possibly repair (such as in the case of orange-cloudfoundry/cf-ops-automation#151As a service author, I need dashboard returned by nested brokers to be returned to end users. I'm ok to handle authentication for the dashboard (e.g. https url with basic auth credentials in the url) and have it shared among users.
Out of scope:
Types that extend and augment the Java Collections Framework.
Library home page: http://commons.apache.org/collections/
Path to dependency file: /cf-ops-automation-broker/spring-boot-starter-servicebroker-catalog/pom.xml
Path to vulnerable library: /root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar
Dependency Hierarchy:
Found in HEAD commit: 91b3418fbbc1705f3c1de58bef6178cbc7234a25
The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers to execute arbitrary commands via a crafted serialized Java object in T3 protocol traffic to TCP port 7001, related to oracle_common/modules/com.bea.core.apache.commons.collections.jar. NOTE: the scope of this CVE is limited to the WebLogic Server product.
Publish Date: 2015-11-18
URL: CVE-2015-4852
Type: Upgrade version
Origin: http://www.securitytracker.com/id/1038292
Fix Resolution: The vendor has issued a fix as part of the April 2017 Oracle Critical Patch Update.
The vendor advisory is available at:
http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html
Step up your Open Source Security Game with WhiteSource here
https://github.com/openservicebrokerapi/servicebroker/pull/642/files
use cases:
possible implementations:
The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.5 to JDK 1.8.
Library home page: http://www.bouncycastle.org/java.html
Path to dependency file: /cf-ops-automation-broker/cf-ops-automation-broker-core/pom.xml
Path to vulnerable library: /root/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.55/bcprov-jdk15on-1.55.jar
Dependency Hierarchy:
Found in HEAD commit: 91b3418fbbc1705f3c1de58bef6178cbc7234a25
Bouncy Castle BC 1.54 - 1.59, BC-FJA 1.0.0, BC-FJA 1.0.1 and earlier have a flaw in the Low-level interface to RSA key pair generator, specifically RSA Key Pairs generated in low-level API with added certainty may have less M-R tests than expected. This appears to be fixed in versions BC 1.60 beta 4 and later, BC-FJA 1.0.2 and later.
Publish Date: 2018-06-05
URL: CVE-2018-1000180
Base Score Metrics:
Type: Change files
Origin: bcgit/bc-java@73780ac
Release Date: 2018-04-19
Fix Resolution: Replace or update the following file: RSAKeyPairGenerator.java
Step up your Open Source Security Game with WhiteSource here
The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.5 to JDK 1.8.
Library home page: http://www.bouncycastle.org/java.html
Path to dependency file: /cf-ops-automation-broker/cf-ops-automation-broker-core/pom.xml
Path to vulnerable library: /root/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.55/bcprov-jdk15on-1.55.jar
Dependency Hierarchy:
Found in HEAD commit: 91b3418fbbc1705f3c1de58bef6178cbc7234a25
In the Bouncy Castle JCE Provider version 1.55 and earlier the DSA key pair generator generates a weak private key if used with default values. If the JCA key pair generator is not explicitly initialised with DSA parameters, 1.55 and earlier generates a private value assuming a 1024 bit key size. In earlier releases this can be dealt with by explicitly passing parameters to the key pair generator.
Publish Date: 2018-06-04
URL: CVE-2016-1000343
Base Score Metrics:
Type: Change files
Origin: bcgit/bc-java@50a5306#diff-5578e61500abb2b87b300d3114bdfd7d
Release Date: 2016-11-03
Fix Resolution: Replace or update the following files: KeyPairGeneratorSpi.java, DSATest.java
Step up your Open Source Security Game with WhiteSource here
We originally thought that the individual libs could be useful outside of the broker jar CF distribution. This is not the case.
As a result, we waste resources onto bintray and this complexifies/slows down the build process, in particular when releasing new versions and failing the build in the middle where we have to manually clean up artefacts published to bintray to retry build.
As reported into https://github.com/orange-cloudfoundry/paas-templates/issues/201 , our state object is currently suboptimal, in that it serializes the full catalog associated, including catalog image, whereas a planId is sufficient.
We need to optimize JSON serialization of CreateServiceInstanceRequest to reduce state param in get_last_operation url, and maintain the transient annotations specified in the POJO in the Jackson dialect, to the GSON library (we used to workaround incompat in DTO).
https://github.com/orange-cloudfoundry/cf-ops-automation-broker/blob/779e11ac6cd33cff4e66b31483f8562739c9502b/cf-ops-automation-broker-core/src/main/java/com/orange/oss/cloudfoundry/broker/opsautomation/ondemandbroker/pipeline/PipelineOperationStateGsonAdapter.java#L28-L44
https://github.com/orange-cloudfoundry/cf-ops-automation-broker/blob/779e11ac6cd33cff4e66b31483f8562739c9502b/cf-ops-automation-broker-core/src/main/java/com/orange/oss/cloudfoundry/broker/opsautomation/ondemandbroker/pipeline/BoshProcessor.java#L56-L60
Depends on #39
Workaround is to allow tomcat to accept larger http request, by setting the property server.max-http-header-size: 65536, see related maxHttpHeaderSize in tomcat http config
The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.5 to JDK 1.8.
Library home page: http://www.bouncycastle.org/java.html
Path to dependency file: /cf-ops-automation-broker/cf-ops-automation-broker-core/pom.xml
Path to vulnerable library: /root/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.55/bcprov-jdk15on-1.55.jar
Dependency Hierarchy:
Found in HEAD commit: 91b3418fbbc1705f3c1de58bef6178cbc7234a25
In the Bouncy Castle JCE Provider version 1.55 and earlier the other party DH public key is not fully validated. This can cause issues as invalid keys can be used to reveal details about the other party's private key where static Diffie-Hellman is in use. As of release 1.56 the key parameters are checked on agreement calculation.
Publish Date: 2018-06-04
URL: CVE-2016-1000346
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000346
Release Date: 2018-06-04
Fix Resolution: 1.56
Step up your Open Source Security Game with WhiteSource here
Types that extend and augment the Java Collections Framework.
Library home page: http://commons.apache.org/collections/
Path to dependency file: /cf-ops-automation-broker/spring-boot-starter-servicebroker-catalog/pom.xml
Path to vulnerable library: /root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar
Dependency Hierarchy:
Found in HEAD commit: 91b3418fbbc1705f3c1de58bef6178cbc7234a25
Serialized-object interfaces in certain Cisco Collaboration and Social Media; Endpoint Clients and Client Software; Network Application, Service, and Acceleration; Network and Content Security Devices; Network Management and Provisioning; Routing and Switching - Enterprise and Service Provider; Unified Computing; Voice and Unified Communications Devices; Video, Streaming, TelePresence, and Transcoding Devices; Wireless; and Cisco Hosted Services products allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections (ACC) library.
Publish Date: 2015-12-15
URL: CVE-2015-6420
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-6420
Release Date: 2019-04-08
Fix Resolution: 3.2.2,4.1
Step up your Open Source Security Game with WhiteSource here
To reduce prerequisites on COAB instanciation, a docker image packaging of the COAB broker would be usefull
see : https://spring.io/blog/2018/11/08/spring-boot-in-a-container
Newcomer users sometimes get confused with the Cloudflare route without associated hostname.
We need to add the route binding command (which omits the hostname) into the service catalog detailed description
As a coab code maintainer, in order to detect potentially vulnerable coding practices, I would like static code analysis to include security patterns such as find-sec-bugs
http://find-sec-bugs.github.io/bugs.htm
find-sec-bugs is available as a spotbug plugin (findbugs sucessor) and invokable from maven
https://spotbugs.readthedocs.io/en/latest/maven.html
find-sec-bugs can be tested interactively through IDEs such as intellij:
https://github.com/find-sec-bugs/find-sec-bugs/wiki/IntelliJ-Tutorial (and a comparison of intellij find bugs plugins )
See related code checks in credhub for inspiration https://www.pivotaltracker.com/n/projects/1977341/stories/161560539
COAB fails with the following message RefAlreadyExistsException: Ref develop already exists
Root cause: COAB tries to checkout the specified remote branch and create a copy. In the case of a non default branch this works file, but with the default branch, a local branch already exists.
Alternative fixes:
createBranchIfMissing
Full stack trace follows
2018-07-02T12:26:54.98+0200 [APP/PROC/WEB/0] OUT 2018-07-02 10:26:54.984 WARN 8 --- [nio-8080-exec-6] c.o.o.c.b.o.o.git.GitProcessor : [paas-template.] caught org.eclipse.jgit.api.errors.RefAlreadyExistsException: Ref develop already exists
2018-07-02T12:26:54.98+0200 [APP/PROC/WEB/0] OUT org.eclipse.jgit.api.errors.RefAlreadyExistsException: Ref develop already exists
2018-07-02T12:26:54.98+0200 [APP/PROC/WEB/0] OUT at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87) [tomcat-embed-core-8.5.23.jar!/:8.5.23]
2018-07-02T12:26:54.98+0200 [APP/PROC/WEB/0] OUT at org.apache.catalina.valves.RemoteIpValve.invoke(RemoteIpValve.java:677) [tomcat-embed-core-8.5.23.jar!/:8.5.23]
from
2018-07-02T12:26:54.98+0200 [APP/PROC/WEB/0] OUT at org.eclipse.jgit.api.CreateBranchCommand.call(CreateBranchCommand.java:133) ~[org.eclipse.jgit-4.9.0.201710071750-r.jar!/:4.9.0.201710071750-r]
2018-07-02T12:26:54.98+0200 [APP/PROC/WEB/0] OUT at org.eclipse.jgit.api.CheckoutCommand.call(CheckoutCommand.java:228) ~[org.eclipse.jgit-4.9.0.201710071750-r.jar!/:4.9.0.201710071750-r]
2018-07-02T12:26:54.98+0200 [APP/PROC/WEB/0] OUT at com.orange.oss.cloudfoundry.broker.opsautomation.ondemandbroker.git.GitProcessor.checkoutRemoteBranchIfNeeded(GitProcessor.java:271) [cf-ops-automation-broker-core-0.27.0-SNAPSHOT.jar!/:0.27.0-SNAPSHOT]
2018-07-02T12:26:54.98+0200 [APP/PROC/WEB/0] OUT at com.orange.oss.cloudfoundry.broker.opsautomation.ondemandbroker.git.GitProcessor.cloneRepo(GitProcessor.java:143) [cf-ops-automation-broker-core-0.27.0-SNAPSHOT.jar!/:0.27.0-SNAPSHOT]
2018-07-02T12:26:54.98+0200 [APP/PROC/WEB/0] OUT at com.orange.oss.cloudfoundry.broker.opsautomation.ondemandbroker.git.GitProcessor.preCreate(GitProcessor.java:60) [cf-ops-automation-broker-core-0.27.0-SNAPSHOT.jar!/:0.27.0-SNAPSHOT]
2018-07-02T12:26:54.98+0200 [APP/PROC/WEB/0] OUT at com.orange.oss.cloudfoundry.broker.opsautomation.ondemandbroker.processors.ProcessorChain.create(ProcessorChain.java:25) [cf-ops-automation-broker-framework-0.27.0-SNAPSHOT.jar!/:0.27.0-SNAPSHOT]
2018-07-02T12:26:54.98+0200 [APP/PROC/WEB/0] OUT at com.orange.oss.ondemandbroker.ProcessorChainServiceInstanceService.createServiceInstance(ProcessorChainServiceInstanceService.java:50) [cf-ops-automation-broker-core-0.27.0-SNAPSHOT.jar!/:0.27.0-SNAPSHOT]
2018-07-02T12:26:54.98+0200 [APP/PROC/WEB/0] OUT at org.springframework.cloud.servicebroker.controller.ServiceInstanceController.createServiceInstance(ServiceInstanceController.java:79) [spring-cloud-cloudfoundry-service-broker-1.0.2.RELEASE.jar!/:na]
As observed during #38, it was observed that concurrent coab service instance creation fails due to underlying gitlab timeouts during push, leading to an error condition due to config/template repos being inconsistent (see related orange-cloudfoundry/cf-ops-automation#201)
We need to add configurable retries to reduce probability of such error condition
Currently the terraform broker only support service instances which result into a Cf domain and route to be created. The mapping of the route to the application needs to be performed by the application team. This creates the following problems:
Suggested fix:
Hibernate's Bean Validation (JSR-303) reference implementation.
Path to dependency file: /cf-ops-automation-broker/cf-ops-automation-broker-core/pom.xml
Path to vulnerable library: /root/.m2/repository/org/hibernate/hibernate-validator/5.1.0.Final/hibernate-validator-5.1.0.Final.jar
Dependency Hierarchy:
Found in HEAD commit: 91b3418fbbc1705f3c1de58bef6178cbc7234a25
ReflectionHelper (org.hibernate.validator.util.ReflectionHelper) in Hibernate Validator 4.1.0 before 4.2.1, 4.3.x before 4.3.2, and 5.x before 5.1.2 allows attackers to bypass Java Security Manager (JSM) restrictions and execute restricted reflection calls via a crafted application.
Publish Date: 2014-09-30
URL: CVE-2014-3558
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2014-3558
Release Date: 2014-09-30
Fix Resolution: 4.2.1,4.3.2,5.1.2
Step up your Open Source Security Game with WhiteSource here
COA performs soft deletes of deployments, and an explicit approval through execution of the approve-and-delete-disabled-deployments
job is necessary.
As a result, deleted service instances don't automatically result in their associated bosh deployments to be deleted.
Current workaround: a crontab on a machine which triggers the approve-and-delete-disabled-deployments
job periodically, deleting all deployments regularly. E.g. this is currently scheduled on template authors desktop machines.
A concourse pipeline enables operators (or template authors) which periodically (say 2 open bunisess days) triggers approve-and-delete-disabled-deployments
job
Relates to orange-cloudfoundry/cf-ops-automation#66
As a service author, in order to prompt users with generated forms, I need to be able to configure non trivial json schema in coab catalog.
This is currently broken dependent on spring-cloud/spring-cloud-open-service-broker#161
Builds upon #29
As a service author, I need dashboard returned by nested brokers to be returned to end users.
I would like COAB to ensure that authN and authZ gets enforced, leveraging https://docs.cloudfoundry.org/services/dashboard-sso.html and service instance CC API permission, and leveraging the X-Api-Info-Location header to identify UAA location (while remaining compatible with #158) :
X-Api-Info-Location header containing the /v2/info url for that instance. The /v2/info endpoint will return further information, including the location of that Cloud Foundry instance’s UAA.
The nested broker would not add any additional authN and authZ, beyond only accepting traffic from the COAB service broker with alternative mechanisms such as:
Design:
X-Api-Info-Location
header gets saved into coab-vars.yml
at service instance creation./dashboard/guid
/dashboard/guid
endpoint redirects to the UAA endpoint provided in the associated coab-vars.yml into the X-Api-Info-Location
entryX-Api-Info-Location
entry, to invoke the /v2/service_instances/:guid/permissions endpointCOAB relies on COA (concourse, bosh, prometheus, shield...) manage on-demand deployments.
As the number of on-demand deployments scale, there are associated risks that need to be addressed:
Suggested risk assessment plan: perform load tests with a new dedicated "no-op" bosh-based service that contains an minimal bosh deployment (ideally no vm deployed)
Possible risk mitigation plan:
resource versions
of a given space (being the service type: cassandra, mongodb, mysql) ?As an inspiration/benchmark, the pivotal on-demand-broker test plan and results with 500 dedicated instances is documented at https://docs.pivotal.io/svc-sdk/odb/0-21/faq.html#odb_instance_test
We describe plan in coab-depls/cf-apps-deployments/coa-<produit>-broker/template/coa-<produit>-broker_manifest-tpl.yml
with metadata, for exemple
CATALOG_YML: |
servicebroker:
catalog:
services:
- id: cf-mysql-ondemand-service
name: cf-mysql-ondemand
description: "MariaDB databases on demand on dedicated Galera cluster "
bindable: true
plans:
- id: plan-coab-mariadb-small
name: small
description: Dedicated MariaDB Galera Cluster 2GB data storage with 4GB RAM/1CPU
free: false
metadata:
bullets:
- 2GB storage
- 50 concurrent connections
costs:
- amount:
eur: 48.0
unit: Monthly
displayName: Small Data 2GB - 4GB RAM/1CPU
We need to send this metadata to cf marketplace.
List of fields : https://github.com/openservicebrokerapi/servicebroker/blob/master/profile.md#plan-metadata-fields
The Apache Commons Codec package contains simple encoder and decoders for various formats such as Base64 and Hexadecimal. In addition to these widely used encoders and decoders, the codec package also maintains a collection of phonetic encoding utilities.
Library home page: http://commons.apache.org/proper/commons-codec/
Path to dependency file: /cf-ops-automation-broker/spring-boot-starter-servicebroker-catalog/pom.xml
Path to vulnerable library: /root/.m2/repository/commons-codec/commons-codec/1.11/commons-codec-1.11.jar
Dependency Hierarchy:
Found in HEAD commit: 91b3418fbbc1705f3c1de58bef6178cbc7234a25
Not all "business" method implementations of public API in Apache Commons Codec 1.x are thread safe, which might disclose the wrong data or allow an attacker to change non-private fields.
Updated 2018-10-07 - an additional review by WhiteSource research team could not indicate on a clear security vulnerability
Publish Date: 2007-10-07
URL: WS-2009-0001
Step up your Open Source Security Game with WhiteSource here
As a service operator,
As a service operator,
As a service user,
Service authors that have built services using the On-Demand Broker want to allow Service Instances to be upgraded individually after a new version of their Service Broker has been deployed.
Now cf services will inform users that an upgrade is available; running cf service provides additional details. To upgrade a service instance, run cf update-service --upgrade. This flag is in experimental stage and may change without notice.
As a service user, I need to be able to update plans and params provisionned in an provisionning request (see #29)
As a service author, in order to handle user update param request, I may need be notified that an update was requested (in order to handle differently an update from an initial provisionning).
As a service author, I may need to have be given previous plan, params, and potentially context (such as service instance name) in order to trigger focussed update on the underlying database upon detecting changes
Example of coab-vars.yml enriched with previous_values
---
epoq:<epoq>.<timestamp> #epoq
deployment_name: "c_aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaa0"
instance_id: "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaa0"
service_id: "service_definition_id"
plan_id: "plan_guid" # updated value
context:
platform: "cloudfoundry"
user_guid: "user_guid1"
space_guid: "space_guid1"
organization_guid: "org_guid1"
name: "updated service instance name"
parameters:
cacheRatio: 0.9 # updated value
cacheSizeMb: 20 # updated value
slowQuery: true # updated value
previous_values:
plan_id: "previous_plan_guid"
As a service author, I need to provide services without going through the burden of developping a service broker to generate service-specific credentials, instead I design my bosh release to support seeding some values (typically users and associated permissions), e.g. by scripting some usual CLIs.
Given a service author does not configure a nested broker endpoint in COAB configuration, then COAB provides a desired bindings hash to the bosh deployment in a bosh variable. Following the bosh deployment, the resulting binding credentials get returned (as string litterals or credhub references) in the manifest.yml in the global properties section.
For each service binding, COAB add a Coab-binding-<guid>-vars.yml file paas-templates repo in the service instance directory, whose content mimics the binding endpoint payload
---
bindings:
- <binding-guid>:
epoq:<epoq>.<timestamp> #epoq
context:
platform: "cloudfoundry"
user_guid: "user_guid1"
space_guid: "space_guid1"
organization_guid: "org_guid1"
parameters:
userPermissions: read
# previous_values: # add this once osb supports binding updates
Broker authors provide the following operator template with a well known name Foreach-bindings-operators.yml
which manipulates the deployment manifest file, e.g.
---
# TODO: provide a realistic example of the Foreach-bindings-operators.yml
COAB expands a copy of this file for each service binding, the content of the template gets interpolated with "{0}" being replaced by a service binding Id.
Binding responses gets recorded in the resulting manifest as coab.bindings.binding-guid and may contain literals and
credhub refs. When absent a credhub ref is returned to the binding path defined by convention
---
# TODO: provide a realistic example of the resulting manifest.yml properties, with the credentials to return in their different format
This credhub ref may contain the whole credentials response.
The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.5 to JDK 1.8.
Library home page: http://www.bouncycastle.org/java.html
Path to dependency file: /cf-ops-automation-broker/cf-ops-automation-broker-core/pom.xml
Path to vulnerable library: /root/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.55/bcprov-jdk15on-1.55.jar
Dependency Hierarchy:
Found in HEAD commit: 91b3418fbbc1705f3c1de58bef6178cbc7234a25
In the Bouncy Castle JCE Provider version 1.55 and earlier the DHIES/ECIES CBC mode vulnerable to padding oracle attack. For BC 1.55 and older, in an environment where timings can be easily observed, it is possible with enough observations to identify when the decryption is failing due to padding.
Publish Date: 2018-06-04
URL: CVE-2016-1000345
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000345
Release Date: 2018-06-04
Fix Resolution: 1.56
Step up your Open Source Security Game with WhiteSource here
As to avoid repetitive git clones on each OSB interaction.
The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.5 to JDK 1.8.
Library home page: http://www.bouncycastle.org/java.html
Path to dependency file: /cf-ops-automation-broker/cf-ops-automation-broker-core/pom.xml
Path to vulnerable library: /root/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.55/bcprov-jdk15on-1.55.jar
Dependency Hierarchy:
Found in HEAD commit: 91b3418fbbc1705f3c1de58bef6178cbc7234a25
In the Bouncy Castle JCE Provider version 1.55 and earlier DSA signature generation is vulnerable to timing attack. Where timings can be closely observed for the generation of signatures, the lack of blinding in 1.55, or earlier, may allow an attacker to gain information about the signature's k value and ultimately the private value as well.
Publish Date: 2018-06-04
URL: CVE-2016-1000341
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000341
Release Date: 2018-06-04
Fix Resolution: 1.56
Step up your Open Source Security Game with WhiteSource here
The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.5 to JDK 1.8.
Library home page: http://www.bouncycastle.org/java.html
Path to dependency file: /cf-ops-automation-broker/cf-ops-automation-broker-core/pom.xml
Path to vulnerable library: /root/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.55/bcprov-jdk15on-1.55.jar
Dependency Hierarchy:
Found in HEAD commit: 91b3418fbbc1705f3c1de58bef6178cbc7234a25
In the Bouncy Castle JCE Provider version 1.55 and earlier ECDSA does not fully validate ASN.1 encoding of signature on verification. It is possible to inject extra elements in the sequence making up the signature and still have it validate, which in some cases may allow the introduction of 'invisible' data into a signed structure.
Publish Date: 2018-06-04
URL: CVE-2016-1000342
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000342
Release Date: 2018-06-04
Fix Resolution: 1.56
Step up your Open Source Security Game with WhiteSource here
Types that extend and augment the Java Collections Framework.
Library home page: http://commons.apache.org/collections/
Path to dependency file: /cf-ops-automation-broker/spring-boot-starter-servicebroker-catalog/pom.xml
Path to vulnerable library: /root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar
Dependency Hierarchy:
Found in HEAD commit: 91b3418fbbc1705f3c1de58bef6178cbc7234a25
Red Hat JBoss A-MQ 6.x; BPM Suite (BPMS) 6.x; BRMS 6.x and 5.x; Data Grid (JDG) 6.x; Data Virtualization (JDV) 6.x and 5.x; Enterprise Application Platform 6.x, 5.x, and 4.3.x; Fuse 6.x; Fuse Service Works (FSW) 6.x; Operations Network (JBoss ON) 3.x; Portal 6.x; SOA Platform (SOA-P) 5.x; Web Server (JWS) 3.x; Red Hat OpenShift/xPAAS 3.x; and Red Hat Subscription Asset Manager 1.3 allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections (ACC) library.
Publish Date: 2017-11-09
URL: CVE-2015-7501
Base Score Metrics:
Type: Upgrade version
Origin: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-7501
Release Date: 2017-12-31
Fix Resolution: Upgrade to version apache-commons-collections 4.1, apache-commons-collections 3.2.2 or greater
Step up your Open Source Security Game with WhiteSource here
The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.5 to JDK 1.8.
Library home page: http://www.bouncycastle.org/java.html
Path to dependency file: /cf-ops-automation-broker/cf-ops-automation-broker-core/pom.xml
Path to vulnerable library: /root/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.55/bcprov-jdk15on-1.55.jar
Dependency Hierarchy:
Found in HEAD commit: 91b3418fbbc1705f3c1de58bef6178cbc7234a25
In Bouncy Castle JCE Provider version 1.55 and earlier the DSA does not fully validate ASN.1 encoding of signature on verification. It is possible to inject extra elements in the sequence making up the signature and still have it validate, which in some cases may allow the introduction of 'invisible' data into a signed structure.
Publish Date: 2018-06-01
URL: CVE-2016-1000338
Base Score Metrics:
Type: Change files
Origin: bcgit/bc-java@b0c3ce9#diff-3679f5a9d2b939d0d3ee1601a7774fb0
Release Date: 2016-10-14
Fix Resolution: Replace or update the following files: DSASigner.java, DSATest.java
Step up your Open Source Security Game with WhiteSource here
As a service author, I need COAB to force a COA build of the service instance deployment for every service instance update, in order to provide ways for a service instance to get updates I make to service models.
This is a workaround for orange-cloudfoundry/cf-ops-automation#144
last-update-date.txt
) with the intent of forcing the detection of input changes on the paas-template-<service-instance_id>
resource, which in turn pick up the changes made to the symlinked deployment model, and will update the service instance with them. This file has no other impacts than triggering the new build (i.e. it is ignored by the tasks of the deploy
concourse job )Service operators that wish to upgrade all service instances would have to loop other all service instances using the CF CLI/API or perform the same git commit on paas-templates (e.g. a git rebase of the service-instances branch against the paas-template current version commit id)
COAB should be able to fetch the nested broker password from credhub.
The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.5 to JDK 1.8.
Library home page: http://www.bouncycastle.org/java.html
Path to dependency file: /cf-ops-automation-broker/cf-ops-automation-broker-core/pom.xml
Path to vulnerable library: /root/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.55/bcprov-jdk15on-1.55.jar
Dependency Hierarchy:
Found in HEAD commit: 91b3418fbbc1705f3c1de58bef6178cbc7234a25
In the Bouncy Castle JCE Provider version 1.55 and earlier the ECIES implementation allowed the use of ECB mode. This mode is regarded as unsafe and support for it has been removed from the provider.
Publish Date: 2018-06-04
URL: CVE-2016-1000352
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000352
Release Date: 2018-06-04
Fix Resolution: 1.56
Step up your Open Source Security Game with WhiteSource here
As a service template author, I will follow the conventions expected by COA (https://github.com/orange-cloudfoundry/cf-ops-automation#ops-files).
COA Broker must be fully compliant with these conventions :
Bosh deployment resources template format
Bosh cli v2 specific features support (vars-files and ops-files)
Improve embeded file management (deployment-dependencies)
Iaas specifics support
The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.5 to JDK 1.8.
Library home page: http://www.bouncycastle.org/java.html
Path to dependency file: /cf-ops-automation-broker/cf-ops-automation-broker-core/pom.xml
Path to vulnerable library: /root/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.55/bcprov-jdk15on-1.55.jar
Dependency Hierarchy:
Found in HEAD commit: 91b3418fbbc1705f3c1de58bef6178cbc7234a25
In the Bouncy Castle JCE Provider version 1.55 and earlier the primary engine class used for AES was AESFastEngine. Due to the highly table driven approach used in the algorithm it turns out that if the data channel on the CPU can be monitored the lookup table accesses are sufficient to leak information on the AES key being used. There was also a leak in AESEngine although it was substantially less. AESEngine has been modified to remove any signs of leakage (testing carried out on Intel X86-64) and is now the primary AES class for the BC JCE provider from 1.56. Use of AESFastEngine is now only recommended where otherwise deemed appropriate.
Publish Date: 2018-06-04
URL: CVE-2016-1000339
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000339
Release Date: 2018-06-04
Fix Resolution: 1.56
Step up your Open Source Security Game with WhiteSource here
Guava is a suite of core and expanded libraries that include utility classes, google's collections, io classes, and much much more.
Guava has only one code dependency - javax.annotation,
per the JSR-305 spec.</p>
Library home page: http://code.google.com/p/guava-libraries/guava
Path to dependency file: /cf-ops-automation-broker/cf-ops-automation-terraform-broker/pom.xml
Path to vulnerable library: /root/.m2/repository/com/google/guava/guava/18.0/guava-18.0.jar
Dependency Hierarchy:
Found in HEAD commit: 91b3418fbbc1705f3c1de58bef6178cbc7234a25
Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 allows remote attackers to conduct denial of service attacks against servers that depend on this library and deserialize attacker-provided data, because the AtomicDoubleArray class (when serialized with Java serialization) and the CompoundOrdering class (when serialized with GWT serialization) perform eager allocation without appropriate checks on what a client has sent and whether the data size is reasonable.
Publish Date: 2018-04-26
URL: CVE-2018-10237
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-10237
Release Date: 2018-04-26
Fix Resolution: 24.1.1
Step up your Open Source Security Game with WhiteSource here
Types that extend and augment the Java Collections Framework.
Library home page: http://commons.apache.org/collections/
Path to dependency file: /cf-ops-automation-broker/spring-boot-starter-servicebroker-catalog/pom.xml
Path to vulnerable library: /root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar
Dependency Hierarchy:
Found in HEAD commit: 91b3418fbbc1705f3c1de58bef6178cbc7234a25
In Apache Synapse, by default no authentication is required for Java Remote Method Invocation (RMI). So Apache Synapse 3.0.1 or all previous releases (3.0.0, 2.1.0, 2.0.0, 1.2, 1.1.2, 1.1.1) allows remote code execution attacks that can be performed by injecting specially crafted serialized objects. And the presence of Apache Commons Collections 3.2.1 (commons-collections-3.2.1.jar) or previous versions in Synapse distribution makes this exploitable. To mitigate the issue, we need to limit RMI access to trusted users only. Further upgrading to 3.0.1 version will eliminate the risk of having said Commons Collection version. In Synapse 3.0.1, Commons Collection has been updated to 3.2.2 version.
Publish Date: 2017-12-11
URL: CVE-2017-15708
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15708
Release Date: 2017-12-11
Fix Resolution: Apache Synapse - 3.0.1;Apache Commons Collections - 3.2.2
Step up your Open Source Security Game with WhiteSource here
As a service author, in order to support different service plans, and different arbitrary params, I need to conditionally include some bosh operators depending on OSB input data received during service provisionning or unprovisionning
Proposal:
Given a user input provided by coab as coab-vars.yml
in #29
---
deployment_name: "c_aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaa0"
instance_id: "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaa0"
service_id: "service_definition_id"
plan_id: "smallguid123455"
context:
platform: "cloudfoundry"
user_guid: "user_guid1"
space_guid: "space_guid1"
organization_guid: "org_guid1"
parameters:
cacheRatio: 0.8642
cacheSizeMb: 10
slowQuery: false
roadmin: true
previous_values:
plan_id: "previous_plan_guid"
and a service model with files ending with a suffix matching the -when-<property-path>-equals-<property-value>
where
<property-path>
designates the path to a key within the coab-vars.yml
structure. Supported path include toplevel properties such as plan_id
, or parameters top level keys such as parameters.roadmin
<property-value>
represents a value to match as string case insensitive litteral such as true
or 0.8642
$ tree coab-depls/cloudfoundry-mysql/
coab-depls/cloudfoundry-mysql/
|-- deployment-dependencies.yml
`-- template
|-- 03-add-roadmin-operators.yml-when-parameters.roadmin-equals-true -> ./cf-mysql-deployment/operations/add-roadmin.yml
|-- 07-service-plan-small-operators.yml-when-planid-equals-smallguid123455 -> ./cf-mysql-deployment/operations/add-read-write-admin.yml
|-- 08-kubernetes-binding-format-operators.yml-when-context.platform-equals-kubernetes
|-- 08-cloudfoundry-binding-format-operators.yml-when-context.platform-equals-cloudfoundry
|-- 10-enable-syslog-operators.yml -> ./cf-mysql-deployment/operations/enable-syslog.yml
|-- cloudfoundry-mysql-vars-tpl.yml
`-- 99-cloudfoundry-mysql.yml -> ./cf-mysql-deployment/cf-mysql-deployment.yml
then coab would generate conditionnally include the operators files depending on their matching of coab-vars.yml
(while preserving systematic inclusion of other operators), resulting in the following coab bosh template directory
$ tree coab-depls/c_1c7d3610-6223-4d45-bc76-f027457a1253
c_1c7d3610-6223-4d45-bc76-f027457a1253/
|-- deployment-dependencies.yml
`-- template
|-- 03-add-roadmin-operators.yml-> ../../cloudfoundry-mysql/template/03-add-roadmin-operators.yml-when-parameters.roadmin-equals-true
|-- 07-service-plan-small-operators.yml -> ../../cloudfoundry-mysql/template/07-service-plan-small-operators.yml-when-planid-equals-smallguid123455
|-- 08-cloudfoundry-binding-format-operators.yml -> ../../cloudfoundry-mysql/template/08-cloudfoundry-binding-format-operators.yml-when-context.platform-equals-cloudfoundry
|-- 10-enable-syslog-operators.yml -> ./cf-mysql-deployment/operations/enable-syslog.yml -> ../../cloudfoundry-mysql/template/10-enable-syslog-operators.yml
|-- cloudfoundry-mysql-vars-tpl.yml -> ../../cloudfoundry-mysql/template/cloudfoundry-mysql-vars-tpl.yml
`-- 99-cloudfoundry-mysql.yml -> ../../cloudfoundry-mysql/template/99-cloudfoundry-mysql.yml
In order to avoid the feature being used to bypass security, the following restrictions are imposed
<property-path>
only supports basic path designation<property-value>
only supports exact string case insensitive matches.In the future, we might consider additional matcher syntaxes such as -when<property-path>-isdefined
(e.g. -when-previous_values.plan_id-isdefined
to conditionally include operator only during service plan update)
As a service author, in order to support arbitrary params in my service, I need to receive content of arbitrary params in a format by bosh deployment can leverage.
Proposed solution: the coab-vars.yml
file contains the open service broker api standardized input for both service provisionning and update.
---
deployment_name: "c_aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaa0"
instance_id: "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaa0"
service_id: "service_definition_id"
plan_id: "plan_guid"
context:
platform: "cloudfoundry"
user_guid: "user_guid1"
space_guid: "space_guid1"
organization_guid: "org_guid1"
parameters:
cacheRatio: 0.8642
cacheSizeMb: 10
slowQuery: false
previous_values:
plan_id: "previous_plan_guid"
Service authors can test in their models various content of the coab-vars.yml which will be safely ignored by COAB
To maintain security, Input validation is applied on the name and value of arbitrary params to prevent various injections (such as reading from credhub, spruce, file system injection, yml loading or reference expansions), and only alphabetical characters, numbers are supported
Out of scope: implement the GET endpoints.
https://whitesource.atlassian.net/wiki/spaces/WD/pages/176717962/CircleCI+Integration
We need to upgrade to spring-cloud-open-service-broker on which we are late, as well as springboot 2.0
Benefits:
support for OSB specs 2.13 and soon 2.14 (async bindings spring-cloud/spring-cloud-open-service-broker#66)
security fixes in springboot and its dependency tree
bump to Spring Boot 2.x
bump to spring-cloud-open-service-broker 2.0
The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.5 to JDK 1.8.
Library home page: http://www.bouncycastle.org/java.html
Path to dependency file: /cf-ops-automation-broker/cf-ops-automation-broker-core/pom.xml
Path to vulnerable library: /root/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.55/bcprov-jdk15on-1.55.jar
Dependency Hierarchy:
Found in HEAD commit: 91b3418fbbc1705f3c1de58bef6178cbc7234a25
In the Bouncy Castle JCE Provider version 1.55 and earlier the DHIES implementation allowed the use of ECB mode. This mode is regarded as unsafe and support for it has been removed from the provider.
Publish Date: 2018-06-04
URL: CVE-2016-1000344
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000344
Release Date: 2018-06-04
Fix Resolution: 1.56
Step up your Open Source Security Game with WhiteSource here
The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.5 to JDK 1.8.
Library home page: http://www.bouncycastle.org/java.html
Path to dependency file: /cf-ops-automation-broker/cf-ops-automation-broker-core/pom.xml
Path to vulnerable library: /root/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.55/bcprov-jdk15on-1.55.jar
Dependency Hierarchy:
Found in HEAD commit: 91b3418fbbc1705f3c1de58bef6178cbc7234a25
In the Bouncy Castle JCE Provider versions 1.51 to 1.55, a carry propagation bug was introduced in the implementation of squaring for several raw math classes have been fixed (org.bouncycastle.math.raw.Nat???). These classes are used by our custom elliptic curve implementations (org.bouncycastle.math.ec.custom.**), so there was the possibility of rare (in general usage) spurious calculations for elliptic curve scalar multiplications. Such errors would have been detected with high probability by the output validation for our scalar multipliers.
Publish Date: 2018-06-04
URL: CVE-2016-1000340
Base Score Metrics:
Type: Change files
Origin: bcgit/bc-java@7906420#diff-e5934feac8203ca0104ab291a3560a31
Release Date: 2016-11-29
Fix Resolution: Replace or update the following files: Nat160.java, Nat256.java, Nat192.java, SecP256R1FieldTest.java, Nat128.java, Nat224.java, SecP384R1FieldTest.java
Step up your Open Source Security Game with WhiteSource here
The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.5 to JDK 1.8.
Library home page: http://www.bouncycastle.org/java.html
Path to dependency file: /cf-ops-automation-broker/cf-ops-automation-broker-core/pom.xml
Path to vulnerable library: /root/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.55/bcprov-jdk15on-1.55.jar
Dependency Hierarchy:
Found in HEAD commit: 91b3418fbbc1705f3c1de58bef6178cbc7234a25
Legion of the Bouncy Castle Legion of the Bouncy Castle Java Cryptography APIs 1.58 up to but not including 1.60 contains a CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') vulnerability in XMSS/XMSS^MT private key deserialization that can result in Deserializing an XMSS/XMSS^MT private key can result in the execution of unexpected code. This attack appear to be exploitable via A handcrafted private key can include references to unexpected classes which will be picked up from the class path for the executing application. This vulnerability appears to have been fixed in 1.60 and later.
Publish Date: 2018-07-09
URL: CVE-2018-1000613
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-1000613
Release Date: 2018-07-09
Fix Resolution: 1.60
Step up your Open Source Security Game with WhiteSource here
A declarative, efficient, and flexible JavaScript library for building user interfaces.
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google ❤️ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.