orange-cloudfoundry / cf-ops-automation-broker Goto Github PK

View Code? Open in Web Editor NEW

4.0 6.0 0.0 5.77 MB

On demand dedicated services through COA concourse pipeline engine

Shell 1.36% Java 98.61% Dockerfile 0.03%

bosh concourse osbapi cloudfoundry service-broker

cf-ops-automation-broker's People

Contributors

Stargazers

Watchers

cf-ops-automation-broker's Issues

Improve terraform cloudflare broker UX in face of timeout

Currently, when a timeout is encountered the cloudflare broker displays a message such "failed, timeout encounted 903s, max is 900". The service instance request (create or delete) remains in the failed state, even if in some cases the provisionning proceeds and eventually successfully completes.

The current workaround is for users to request to delete the failed service instance, wait for successful completion, and create a new service instance. If delete request also fails, human support should be asked for.

Suggested improvements:

The returned message should hint users about this potential workaround
COAB could support a debug-mode=false into which any failure automatically results in automatic unprovisionning (ie COAB desired state removed the TF module). When debug-mode=true is enabled, the failed provisionning is left as-is for operators to troubleshoot and possibly repair (such as in the case of orange-cloudfoundry/cf-ops-automation#151

Dashboard step1: pass thru support (without CF sso support)

As a service author, I need dashboard returned by nested brokers to be returned to end users. I'm ok to handle authentication for the dashboard (e.g. https url with basic auth credentials in the url) and have it shared among users.

Out of scope:

nested brokers to leverage CF sso feature https://docs.cloudfoundry.org/services/dashboard-sso.html

CVE-2015-4852 (High) detected in commons-collections-3.2.1.jar

CVE-2015-4852 - High Severity Vulnerability

Vulnerable Library - commons-collections-3.2.1.jar

Types that extend and augment the Java Collections Framework.

Library home page: http://commons.apache.org/collections/

Path to dependency file: /cf-ops-automation-broker/spring-boot-starter-servicebroker-catalog/pom.xml

Path to vulnerable library: /root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar

Dependency Hierarchy:

spring-cloud-cloudfoundry-service-broker-1.0.2.RELEASE.jar (Root Library)
- commons-beanutils-1.9.2.jar
  - ❌ commons-collections-3.2.1.jar (Vulnerable Library)

Found in HEAD commit: 91b3418fbbc1705f3c1de58bef6178cbc7234a25

Vulnerability Details

The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers to execute arbitrary commands via a crafted serialized Java object in T3 protocol traffic to TCP port 7001, related to oracle_common/modules/com.bea.core.apache.commons.collections.jar. NOTE: the scope of this CVE is limited to the WebLogic Server product.

Publish Date: 2015-11-18

URL: CVE-2015-4852

CVSS 2 Score Details (7.5)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: http://www.securitytracker.com/id/1038292

Fix Resolution: The vendor has issued a fix as part of the April 2017 Oracle Critical Patch Update.

The vendor advisory is available at:

http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html

Step up your Open Source Security Game with WhiteSource here

Support OSB maintenance-info to reject platform with stale cached catalog

https://github.com/openservicebrokerapi/servicebroker/pull/642/files

use cases:

detect when a platform has not refreshed its catalog (e.g. pricing), by rejecting provision and update requesting old version.

possible implementations:

leverage SCOSB in catalog implemented 3.10.RC1 in spring-cloud/spring-cloud-open-service-broker#233 (see spring-cloud/spring-cloud-open-service-broker@42e1d02)) and spring-cloud/spring-cloud-open-service-broker#265
coab to leave it up to service authors to fill in the maintenance-info in their CATALOG_YML env var, and when they want to bump published versions
coab can provide an opt-in default so that version-info defaults to catalog hash when unspecified.

CVE-2018-1000180 (High) detected in bcprov-jdk15on-1.55.jar

CVE-2018-1000180 - High Severity Vulnerability

Vulnerable Library - bcprov-jdk15on-1.55.jar

The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.5 to JDK 1.8.

Library home page: http://www.bouncycastle.org/java.html

Path to dependency file: /cf-ops-automation-broker/cf-ops-automation-broker-core/pom.xml

Path to vulnerable library: /root/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.55/bcprov-jdk15on-1.55.jar

Dependency Hierarchy:

spring-cloud-starter-openfeign-1.4.3.RELEASE.jar (Root Library)
- spring-cloud-starter-1.3.2.RELEASE.jar
  - spring-security-rsa-1.0.3.RELEASE.jar
    - bcpkix-jdk15on-1.55.jar
      - ❌ bcprov-jdk15on-1.55.jar (Vulnerable Library)

Found in HEAD commit: 91b3418fbbc1705f3c1de58bef6178cbc7234a25

Vulnerability Details

Bouncy Castle BC 1.54 - 1.59, BC-FJA 1.0.0, BC-FJA 1.0.1 and earlier have a flaw in the Low-level interface to RSA key pair generator, specifically RSA Key Pairs generated in low-level API with added certainty may have less M-R tests than expected. This appears to be fixed in versions BC 1.60 beta 4 and later, BC-FJA 1.0.2 and later.

Publish Date: 2018-06-05

URL: CVE-2018-1000180

CVSS 3 Score Details (7.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Change files

Origin: bcgit/bc-java@73780ac

Release Date: 2018-04-19

Fix Resolution: Replace or update the following file: RSAKeyPairGenerator.java

Step up your Open Source Security Game with WhiteSource here

CVE-2016-1000343 (High) detected in bcprov-jdk15on-1.55.jar

CVE-2016-1000343 - High Severity Vulnerability

Vulnerable Library - bcprov-jdk15on-1.55.jar

Library home page: http://www.bouncycastle.org/java.html

Path to dependency file: /cf-ops-automation-broker/cf-ops-automation-broker-core/pom.xml

Path to vulnerable library: /root/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.55/bcprov-jdk15on-1.55.jar

Dependency Hierarchy:

spring-cloud-starter-openfeign-1.4.3.RELEASE.jar (Root Library)
- spring-cloud-starter-1.3.2.RELEASE.jar
  - spring-security-rsa-1.0.3.RELEASE.jar
    - bcpkix-jdk15on-1.55.jar
      - ❌ bcprov-jdk15on-1.55.jar (Vulnerable Library)

Found in HEAD commit: 91b3418fbbc1705f3c1de58bef6178cbc7234a25

Vulnerability Details

In the Bouncy Castle JCE Provider version 1.55 and earlier the DSA key pair generator generates a weak private key if used with default values. If the JCA key pair generator is not explicitly initialised with DSA parameters, 1.55 and earlier generates a private value assuming a 1024 bit key size. In earlier releases this can be dealt with by explicitly passing parameters to the key pair generator.

Publish Date: 2018-06-04

URL: CVE-2016-1000343

CVSS 3 Score Details (7.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Change files

Origin: bcgit/bc-java@50a5306#diff-5578e61500abb2b87b300d3114bdfd7d

Release Date: 2016-11-03

Fix Resolution: Replace or update the following files: KeyPairGeneratorSpi.java, DSATest.java

Step up your Open Source Security Game with WhiteSource here

Stop publishing jars to bintray

We originally thought that the individual libs could be useful outside of the broker jar CF distribution. This is not the case.

As a result, we waste resources onto bintray and this complexifies/slows down the build process, in particular when releasing new versions and failing the build in the middle where we have to manually clean up artefacts published to bintray to retry build.

Optimize size of state object returned to OSB API

As reported into https://github.com/orange-cloudfoundry/paas-templates/issues/201 , our state object is currently suboptimal, in that it serializes the full catalog associated, including catalog image, whereas a planId is sufficient.

We need to optimize JSON serialization of CreateServiceInstanceRequest to reduce state param in get_last_operation url, and maintain the transient annotations specified in the POJO in the Jackson dialect, to the GSON library (we used to workaround incompat in DTO).
https://github.com/orange-cloudfoundry/cf-ops-automation-broker/blob/779e11ac6cd33cff4e66b31483f8562739c9502b/cf-ops-automation-broker-core/src/main/java/com/orange/oss/cloudfoundry/broker/opsautomation/ondemandbroker/pipeline/PipelineOperationStateGsonAdapter.java#L28-L44
https://github.com/orange-cloudfoundry/cf-ops-automation-broker/blob/779e11ac6cd33cff4e66b31483f8562739c9502b/cf-ops-automation-broker-core/src/main/java/com/orange/oss/cloudfoundry/broker/opsautomation/ondemandbroker/pipeline/BoshProcessor.java#L56-L60

Depends on #39

Workaround is to allow tomcat to accept larger http request, by setting the property server.max-http-header-size: 65536, see related maxHttpHeaderSize in tomcat http config

CVE-2016-1000346 (Low) detected in bcprov-jdk15on-1.55.jar

CVE-2016-1000346 - Low Severity Vulnerability

Vulnerable Library - bcprov-jdk15on-1.55.jar

Library home page: http://www.bouncycastle.org/java.html

Path to dependency file: /cf-ops-automation-broker/cf-ops-automation-broker-core/pom.xml

Path to vulnerable library: /root/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.55/bcprov-jdk15on-1.55.jar

Dependency Hierarchy:

spring-cloud-starter-openfeign-1.4.3.RELEASE.jar (Root Library)
- spring-cloud-starter-1.3.2.RELEASE.jar
  - spring-security-rsa-1.0.3.RELEASE.jar
    - bcpkix-jdk15on-1.55.jar
      - ❌ bcprov-jdk15on-1.55.jar (Vulnerable Library)

Found in HEAD commit: 91b3418fbbc1705f3c1de58bef6178cbc7234a25

Vulnerability Details

In the Bouncy Castle JCE Provider version 1.55 and earlier the other party DH public key is not fully validated. This can cause issues as invalid keys can be used to reveal details about the other party's private key where static Diffie-Hellman is in use. As of release 1.56 the key parameters are checked on agreement calculation.

Publish Date: 2018-06-04

URL: CVE-2016-1000346

CVSS 3 Score Details (3.7)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000346

Release Date: 2018-06-04

Fix Resolution: 1.56

Step up your Open Source Security Game with WhiteSource here

CVE-2015-6420 (High) detected in commons-collections-3.2.1.jar

CVE-2015-6420 - High Severity Vulnerability

Vulnerable Library - commons-collections-3.2.1.jar

Types that extend and augment the Java Collections Framework.

Library home page: http://commons.apache.org/collections/

Path to dependency file: /cf-ops-automation-broker/spring-boot-starter-servicebroker-catalog/pom.xml

Path to vulnerable library: /root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar

Dependency Hierarchy:

spring-cloud-cloudfoundry-service-broker-1.0.2.RELEASE.jar (Root Library)
- commons-beanutils-1.9.2.jar
  - ❌ commons-collections-3.2.1.jar (Vulnerable Library)

Found in HEAD commit: 91b3418fbbc1705f3c1de58bef6178cbc7234a25

Vulnerability Details

Serialized-object interfaces in certain Cisco Collaboration and Social Media; Endpoint Clients and Client Software; Network Application, Service, and Acceleration; Network and Content Security Devices; Network Management and Provisioning; Routing and Switching - Enterprise and Service Provider; Unified Computing; Voice and Unified Communications Devices; Video, Streaming, TelePresence, and Transcoding Devices; Wireless; and Cisco Hosted Services products allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections (ACC) library.

Publish Date: 2015-12-15

URL: CVE-2015-6420

CVSS 2 Score Details (7.5)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-6420

Release Date: 2019-04-08

Fix Resolution: 3.2.2,4.1

Step up your Open Source Security Game with WhiteSource here

Package COAB broker as a docker container

To reduce prerequisites on COAB instanciation, a docker image packaging of the COAB broker would be usefull
see : https://spring.io/blog/2018/11/08/spring-boot-in-a-container

Improve terraform cloudflare service catalog with route binding command

Newcomer users sometimes get confused with the Cloudflare route without associated hostname.

We need to add the route binding command (which omits the hostname) into the service catalog detailed description

Set up security static code analysis

As a coab code maintainer, in order to detect potentially vulnerable coding practices, I would like static code analysis to include security patterns such as find-sec-bugs

http://find-sec-bugs.github.io/bugs.htm

find-sec-bugs is available as a spotbug plugin (findbugs sucessor) and invokable from maven
https://spotbugs.readthedocs.io/en/latest/maven.html

find-sec-bugs can be tested interactively through IDEs such as intellij:
https://github.com/find-sec-bugs/find-sec-bugs/wiki/IntelliJ-Tutorial (and a comparison of intellij find bugs plugins )

See related code checks in credhub for inspiration https://www.pivotaltracker.com/n/projects/1977341/stories/161560539

Can't use paas-template git default branch for service-instances-branch

COAB fails with the following message RefAlreadyExistsException: Ref develop already exists

Root cause: COAB tries to checkout the specified remote branch and create a copy. In the case of a non default branch this works file, but with the default branch, a local branch already exists.

Alternative fixes:

only checkout the branch when needing to create the missing branch specified in createBranchIfMissing
check presence of local branch before trying to create it
- reproduce in a test.
  - indeed create a new develop branch ans set is as default branch
    - directly access underlying git repo to set up default branch
    - modify the develop branch after the fact
  - just use the existing default master branch

Full stack trace follows

   2018-07-02T12:26:54.98+0200 [APP/PROC/WEB/0] OUT 2018-07-02 10:26:54.984  WARN 8 --- [nio-8080-exec-6] c.o.o.c.b.o.o.git.GitProcessor           : [paas-template.] caught org.eclipse.jgit.api.errors.RefAlreadyExistsException: Ref develop already exists
   2018-07-02T12:26:54.98+0200 [APP/PROC/WEB/0] OUT org.eclipse.jgit.api.errors.RefAlreadyExistsException: Ref develop already exists
   2018-07-02T12:26:54.98+0200 [APP/PROC/WEB/0] OUT     at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87) [tomcat-embed-core-8.5.23.jar!/:8.5.23]
   2018-07-02T12:26:54.98+0200 [APP/PROC/WEB/0] OUT     at org.apache.catalina.valves.RemoteIpValve.invoke(RemoteIpValve.java:677) [tomcat-embed-core-8.5.23.jar!/:8.5.23]

from

  2018-07-02T12:26:54.98+0200 [APP/PROC/WEB/0] OUT     at org.eclipse.jgit.api.CreateBranchCommand.call(CreateBranchCommand.java:133) ~[org.eclipse.jgit-4.9.0.201710071750-r.jar!/:4.9.0.201710071750-r]
   2018-07-02T12:26:54.98+0200 [APP/PROC/WEB/0] OUT     at org.eclipse.jgit.api.CheckoutCommand.call(CheckoutCommand.java:228) ~[org.eclipse.jgit-4.9.0.201710071750-r.jar!/:4.9.0.201710071750-r]
   2018-07-02T12:26:54.98+0200 [APP/PROC/WEB/0] OUT     at com.orange.oss.cloudfoundry.broker.opsautomation.ondemandbroker.git.GitProcessor.checkoutRemoteBranchIfNeeded(GitProcessor.java:271) [cf-ops-automation-broker-core-0.27.0-SNAPSHOT.jar!/:0.27.0-SNAPSHOT]
   2018-07-02T12:26:54.98+0200 [APP/PROC/WEB/0] OUT     at com.orange.oss.cloudfoundry.broker.opsautomation.ondemandbroker.git.GitProcessor.cloneRepo(GitProcessor.java:143) [cf-ops-automation-broker-core-0.27.0-SNAPSHOT.jar!/:0.27.0-SNAPSHOT]
   2018-07-02T12:26:54.98+0200 [APP/PROC/WEB/0] OUT     at com.orange.oss.cloudfoundry.broker.opsautomation.ondemandbroker.git.GitProcessor.preCreate(GitProcessor.java:60) [cf-ops-automation-broker-core-0.27.0-SNAPSHOT.jar!/:0.27.0-SNAPSHOT]
   2018-07-02T12:26:54.98+0200 [APP/PROC/WEB/0] OUT     at com.orange.oss.cloudfoundry.broker.opsautomation.ondemandbroker.processors.ProcessorChain.create(ProcessorChain.java:25) [cf-ops-automation-broker-framework-0.27.0-SNAPSHOT.jar!/:0.27.0-SNAPSHOT]
   2018-07-02T12:26:54.98+0200 [APP/PROC/WEB/0] OUT     at com.orange.oss.ondemandbroker.ProcessorChainServiceInstanceService.createServiceInstance(ProcessorChainServiceInstanceService.java:50) [cf-ops-automation-broker-core-0.27.0-SNAPSHOT.jar!/:0.27.0-SNAPSHOT]
   2018-07-02T12:26:54.98+0200 [APP/PROC/WEB/0] OUT     at org.springframework.cloud.servicebroker.controller.ServiceInstanceController.createServiceInstance(ServiceInstanceController.java:79) [spring-cloud-cloudfoundry-service-broker-1.0.2.RELEASE.jar!/:na]

Add retries when git push fails

As observed during #38, it was observed that concurrent coab service instance creation fails due to underlying gitlab timeouts during push, leading to an error condition due to config/template repos being inconsistent (see related orange-cloudfoundry/cf-ops-automation#201)

We need to add configurable retries to reduce probability of such error condition

service binding support in cloudflare terraform broker

Currently the terraform broker only support service instances which result into a Cf domain and route to be created. The mapping of the route to the application needs to be performed by the application team. This creates the following problems:

application teams are sometimes unclear how to map the domain to their app
in case of issues with the broker (such as terraform.tfstate loss + domains/routes removal from CC), the route mapping information is lost (unless recovering if from CF logs with route deletion traces). Either app team need to manually remap the route, or service operator to recover from logs.

Suggested fix:

add ability to [un]bind the terraform service instance to an application
this would result into a terraform module to be executed
this terraform module would [un]map the created route to the bound application
- this is supported by the cloudfoundry_route.target.app ressource
- TODO: detail how to update the service instance module invocation to include the app-id into it

CVE-2014-3558 (Medium) detected in hibernate-validator-5.1.0.Final.jar

CVE-2014-3558 - Medium Severity Vulnerability

Vulnerable Library - hibernate-validator-5.1.0.Final.jar

Hibernate's Bean Validation (JSR-303) reference implementation.

Path to dependency file: /cf-ops-automation-broker/cf-ops-automation-broker-core/pom.xml

Path to vulnerable library: /root/.m2/repository/org/hibernate/hibernate-validator/5.1.0.Final/hibernate-validator-5.1.0.Final.jar

Dependency Hierarchy:

spring-cloud-cloudfoundry-service-broker-1.0.2.RELEASE.jar (Root Library)
- ❌ hibernate-validator-5.1.0.Final.jar (Vulnerable Library)

Found in HEAD commit: 91b3418fbbc1705f3c1de58bef6178cbc7234a25

Vulnerability Details

ReflectionHelper (org.hibernate.validator.util.ReflectionHelper) in Hibernate Validator 4.1.0 before 4.2.1, 4.3.x before 4.3.2, and 5.x before 5.1.2 allows attackers to bypass Java Security Manager (JSM) restrictions and execute restricted reflection calls via a crafted application.

Publish Date: 2014-09-30

URL: CVE-2014-3558

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2014-3558

Release Date: 2014-09-30

Fix Resolution: 4.2.1,4.3.2,5.1.2

Step up your Open Source Security Game with WhiteSource here

Concourse pipeline for purging service instance soft deletes

Current situation:

COA performs soft deletes of deployments, and an explicit approval through execution of the approve-and-delete-disabled-deployments job is necessary.

As a result, deleted service instances don't automatically result in their associated bosh deployments to be deleted.

Current workaround: a crontab on a machine which triggers the approve-and-delete-disabled-deployments job periodically, deleting all deployments regularly. E.g. this is currently scheduled on template authors desktop machines.

Suggested situation

A concourse pipeline enables operators (or template authors) which periodically (say 2 open bunisess days) triggers approve-and-delete-disabled-deployments job

Relates to orange-cloudfoundry/cf-ops-automation#66

Unable to configure some Json schema for arbitrary params

As a service author, in order to prompt users with generated forms, I need to be able to configure non trivial json schema in coab catalog.

This is currently broken dependent on spring-cloud/spring-cloud-open-service-broker#161

Builds upon #29

upgrade to spring-cloud-cloudfoundry-service-broker 1.0.1.RELEASE

Dashboard step2: CF sso support

As a service author, I need dashboard returned by nested brokers to be returned to end users.

I would like COAB to ensure that authN and authZ gets enforced, leveraging https://docs.cloudfoundry.org/services/dashboard-sso.html and service instance CC API permission, and leveraging the X-Api-Info-Location header to identify UAA location (while remaining compatible with #158) :

X-Api-Info-Location header containing the /v2/info url for that instance. The /v2/info endpoint will return further information, including the location of that Cloud Foundry instance’s UAA.

The nested broker would not add any additional authN and authZ, beyond only accepting traffic from the COAB service broker with alternative mechanisms such as:

source IP address filtering (relies on #50 to have non volatile IP per broker)
basic auth

Design:

The X-Api-Info-Location header gets saved into coab-vars.yml at service instance creation.
The dashboard URL returned contains the service instance guid such as /dashboard/guid
A (dynamic?) spring oauth security configuration is performed so that the /dashboard/guid endpoint redirects to the UAA endpoint provided in the associated coab-vars.yml into the X-Api-Info-Location entry
The endpoint controller's looks up the CF API endpoint into the associated coab-vars.yml into the X-Api-Info-Location entry, to invoke the /v2/service_instances/:guid/permissions endpoint

Assess & address scalability risks

COAB relies on COA (concourse, bosh, prometheus, shield...) manage on-demand deployments.

As the number of on-demand deployments scale, there are associated risks that need to be addressed:

preserving operators user experience: keep ability for operators to manage on-demand deployments through concourse/COA UI when number of on-demand deployment grows
scaling and performance impact of concourse and COA pipelines: concourse to keep acceptable response times
- as number of COAB-generated resources resources scale
  - including history of unprovisioned services
deployment infrastructure scaling:
- bosh director
- prometheus
- credhub
- shield

Suggested risk assessment plan: perform load tests with a new dedicated "no-op" bosh-based service that contains an minimal bosh deployment (ideally no vm deployed)

Possible risk mitigation plan:

improve instrumentation of shared infrastructure
- concourse monitoring and alerting, see related https://github.com/orange-cloudfoundry/paas-templates/issues/16
- credhub/bosh-director/shield/prometheus monitoring and alerting
optimize git resources handling. https://github.com/orange-cloudfoundry/paas-templates/issues/2049
use dedicated concourse workers
use dedicated concourse instance
use more dedicated infrastructure components (credhub, shield) in addition to currently dedicated ones (bosh director, prometheus)
scale up and scale out infrastructure components (concourse, bosh director, credhub, shield)
Further optimize COA for UX with large number of deployments
- refine job groups:
  - N buckets by service types (C*, mongo, mysql): e.g. c1, c2, c3 for cassandra, ordered by time/guid
  - recent changes: only list recently updated deployments (becomes the default view)
- shard root deployments by service type for high volume services: coab-mysql, coab-mongogb
- leverage upcoming concourse model and UX improvements such as Space/Spatial Resources/Build Matrix.
  - see Space UX designer blog and sneak-peek-spatial-resources blog featuring Early build matrix hifi prototype prototyped into concourse/concourse#1707
    - resource V2 API which defines Space concept. Can on-demand services be modeled as a resource versions of a given space (being the service type: cassandra, mongodb, mysql) ?
  - feedback on concourse designers after cross checking current issues
    - max number of groups / improve layouts for large number of groups
    - jobs metadata

As an inspiration/benchmark, the pivotal on-demand-broker test plan and results with 500 dedicated instances is documented at https://docs.pivotal.io/svc-sdk/odb/0-21/faq.html#odb_instance_test

add continuous integration capabilities

Metadata Plan not returned to cf

We describe plan in coab-depls/cf-apps-deployments/coa-<produit>-broker/template/coa-<produit>-broker_manifest-tpl.yml with metadata, for exemple

CATALOG_YML: |
          servicebroker:
            catalog:
              services:
              - id: cf-mysql-ondemand-service
                name: cf-mysql-ondemand
                description: "MariaDB databases on demand on dedicated Galera cluster "
                bindable: true
                plans:
                  - id: plan-coab-mariadb-small
                    name: small
                    description: Dedicated MariaDB Galera Cluster 2GB data storage with 4GB RAM/1CPU
                    free: false
                    metadata:
                      bullets:
                      - 2GB storage
                      - 50 concurrent connections
                      costs:
                      - amount:
                          eur: 48.0
                        unit: Monthly
                      displayName: Small Data 2GB - 4GB RAM/1CPU

We need to send this metadata to cf marketplace.
List of fields : https://github.com/openservicebrokerapi/servicebroker/blob/master/profile.md#plan-metadata-fields

WS-2009-0001 (Low) detected in commons-codec-1.11.jar

WS-2009-0001 - Low Severity Vulnerability

Vulnerable Library - commons-codec-1.11.jar

The Apache Commons Codec package contains simple encoder and decoders for various formats such as Base64 and Hexadecimal. In addition to these widely used encoders and decoders, the codec package also maintains a collection of phonetic encoding utilities.

Library home page: http://commons.apache.org/proper/commons-codec/

Path to dependency file: /cf-ops-automation-broker/spring-boot-starter-servicebroker-catalog/pom.xml

Path to vulnerable library: /root/.m2/repository/commons-codec/commons-codec/1.11/commons-codec-1.11.jar

Dependency Hierarchy:

org.eclipse.jgit-4.9.0.201710071750-r.jar (Root Library)
- httpclient-4.5.8.jar
  - ❌ commons-codec-1.11.jar (Vulnerable Library)

Found in HEAD commit: 91b3418fbbc1705f3c1de58bef6178cbc7234a25

Vulnerability Details

Not all "business" method implementations of public API in Apache Commons Codec 1.x are thread safe, which might disclose the wrong data or allow an attacker to change non-private fields.

Updated 2018-10-07 - an additional review by WhiteSource research team could not indicate on a clear security vulnerability

Publish Date: 2007-10-07

URL: WS-2009-0001

CVSS 2 Score Details (0.0)

Base Score Metrics not available

Step up your Open Source Security Game with WhiteSource here

OSB service instance update support (metadata, plan, params)

Requirements

version update

As a service operator,

in order to ensure consistency among stemcell, release and bosh deployment manifest updates
I need to trigger (or control when) a refresh of service instances deployments against deployment model

As a service operator,

in order to avoid rolling out failure to all service instances upon a model update
in order to spread load when many service instances need update
I need to trigger (or control when) a refresh of service instances deployments against deployment model

As a service user,

in order to control window at which my dedicated instance will undergo a version update (e.g. for controlling performance or downtimes triggered by updates),
I need to be notified when my service requires update
And I need to be able to trigger this update using CF cli support in v6.46.0, see #55

Service authors that have built services using the On-Demand Broker want to allow Service Instances to be upgraded individually after a new version of their Service Broker has been deployed.

Now cf services will inform users that an upgrade is available; running cf service provides additional details. To upgrade a service instance, run cf update-service --upgrade. This flag is in experimental stage and may change without notice.

plan and param update

As a service user, I need to be able to update plans and params provisionned in an provisionning request (see #29)

As a service author, in order to handle user update param request, I may need be notified that an update was requested (in order to handle differently an update from an initial provisionning).

As a service author, I may need to have be given previous plan, params, and potentially context (such as service instance name) in order to trigger focussed update on the underlying database upon detecting changes

Example of coab-vars.yml enriched with previous_values

---
epoq:<epoq>.<timestamp> #epoq
deployment_name: "c_aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaa0"
instance_id: "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaa0"
service_id: "service_definition_id"
plan_id: "plan_guid" # updated value
context:
  platform: "cloudfoundry"
  user_guid: "user_guid1"
  space_guid: "space_guid1"
  organization_guid: "org_guid1"
  name: "updated service instance name"
parameters:
  cacheRatio: 0.9 # updated value
  cacheSizeMb: 20 # updated value
  slowQuery: true # updated value
previous_values:
  plan_id: "previous_plan_guid"

Remove need for nested broker thru Bosh-generated service binding credhub credentials

As a service author, I need to provide services without going through the burden of developping a service broker to generate service-specific credentials, instead I design my bosh release to support seeding some values (typically users and associated permissions), e.g. by scripting some usual CLIs.

Given a service author does not configure a nested broker endpoint in COAB configuration, then COAB provides a desired bindings hash to the bosh deployment in a bosh variable. Following the bosh deployment, the resulting binding credentials get returned (as string litterals or credhub references) in the manifest.yml in the global properties section.

Desired binding

For each service binding, COAB add a Coab-binding-<guid>-vars.yml file paas-templates repo in the service instance directory, whose content mimics the binding endpoint payload

---
bindings:
- <binding-guid>: 
   epoq:<epoq>.<timestamp> #epoq
   context:
     platform: "cloudfoundry"
     user_guid: "user_guid1"
     space_guid: "space_guid1"
     organization_guid: "org_guid1"
   parameters:
     userPermissions: read
# previous_values: # add this once osb supports binding updates

Resulting binding credentials

Broker authors provide the following operator template with a well known name Foreach-bindings-operators.yml which manipulates the deployment manifest file, e.g.

declare new credhub user/passwords
specify properties with user/passwords (that e.g. would trigger seeding of users in a database by the bosh job).
specify binding credentials to be returned to user

---
# TODO: provide a realistic example of the Foreach-bindings-operators.yml

COAB expands a copy of this file for each service binding, the content of the template gets interpolated with "{0}" being replaced by a service binding Id.

Binding responses gets recorded in the resulting manifest as coab.bindings.binding-guid and may contain literals and
credhub refs. When absent a credhub ref is returned to the binding path defined by convention

---
# TODO: provide a realistic example of the resulting manifest.yml properties, with the credentials to return  in their different format

This credhub ref may contain the whole credentials response.

Pending design issues:

we use distinct files for each binding to avoid git conflicts during concurrent bindings, but we need an operator friendly resulting hash for operators to consume in their manifest: can we merge entries from multiple vars files into a single hash ? Prefer another data structure ?

CVE-2016-1000345 (Medium) detected in bcprov-jdk15on-1.55.jar

CVE-2016-1000345 - Medium Severity Vulnerability

Vulnerable Library - bcprov-jdk15on-1.55.jar

Library home page: http://www.bouncycastle.org/java.html

Path to dependency file: /cf-ops-automation-broker/cf-ops-automation-broker-core/pom.xml

Path to vulnerable library: /root/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.55/bcprov-jdk15on-1.55.jar

Dependency Hierarchy:

spring-cloud-starter-openfeign-1.4.3.RELEASE.jar (Root Library)
- spring-cloud-starter-1.3.2.RELEASE.jar
  - spring-security-rsa-1.0.3.RELEASE.jar
    - bcpkix-jdk15on-1.55.jar
      - ❌ bcprov-jdk15on-1.55.jar (Vulnerable Library)

Found in HEAD commit: 91b3418fbbc1705f3c1de58bef6178cbc7234a25

Vulnerability Details

In the Bouncy Castle JCE Provider version 1.55 and earlier the DHIES/ECIES CBC mode vulnerable to padding oracle attack. For BC 1.55 and older, in an environment where timings can be easily observed, it is possible with enough observations to identify when the decryption is failing due to padding.

Publish Date: 2018-06-04

URL: CVE-2016-1000345

CVSS 3 Score Details (5.9)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000345

Release Date: 2018-06-04

Fix Resolution: 1.56

Step up your Open Source Security Game with WhiteSource here

Set up git clone caches

As to avoid repetitive git clones on each OSB interaction.

CVE-2016-1000341 (Medium) detected in bcprov-jdk15on-1.55.jar

CVE-2016-1000341 - Medium Severity Vulnerability

Vulnerable Library - bcprov-jdk15on-1.55.jar

Library home page: http://www.bouncycastle.org/java.html

Path to dependency file: /cf-ops-automation-broker/cf-ops-automation-broker-core/pom.xml

Path to vulnerable library: /root/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.55/bcprov-jdk15on-1.55.jar

Dependency Hierarchy:

spring-cloud-starter-openfeign-1.4.3.RELEASE.jar (Root Library)
- spring-cloud-starter-1.3.2.RELEASE.jar
  - spring-security-rsa-1.0.3.RELEASE.jar
    - bcpkix-jdk15on-1.55.jar
      - ❌ bcprov-jdk15on-1.55.jar (Vulnerable Library)

Found in HEAD commit: 91b3418fbbc1705f3c1de58bef6178cbc7234a25

Vulnerability Details

In the Bouncy Castle JCE Provider version 1.55 and earlier DSA signature generation is vulnerable to timing attack. Where timings can be closely observed for the generation of signatures, the lack of blinding in 1.55, or earlier, may allow an attacker to gain information about the signature's k value and ultimately the private value as well.

Publish Date: 2018-06-04

URL: CVE-2016-1000341

CVSS 3 Score Details (5.9)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000341

Release Date: 2018-06-04

Fix Resolution: 1.56

Step up your Open Source Security Game with WhiteSource here

CVE-2016-1000342 (High) detected in bcprov-jdk15on-1.55.jar

CVE-2016-1000342 - High Severity Vulnerability

Vulnerable Library - bcprov-jdk15on-1.55.jar

Library home page: http://www.bouncycastle.org/java.html

Path to dependency file: /cf-ops-automation-broker/cf-ops-automation-broker-core/pom.xml

Path to vulnerable library: /root/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.55/bcprov-jdk15on-1.55.jar

Dependency Hierarchy:

spring-cloud-starter-openfeign-1.4.3.RELEASE.jar (Root Library)
- spring-cloud-starter-1.3.2.RELEASE.jar
  - spring-security-rsa-1.0.3.RELEASE.jar
    - bcpkix-jdk15on-1.55.jar
      - ❌ bcprov-jdk15on-1.55.jar (Vulnerable Library)

Found in HEAD commit: 91b3418fbbc1705f3c1de58bef6178cbc7234a25

Vulnerability Details

In the Bouncy Castle JCE Provider version 1.55 and earlier ECDSA does not fully validate ASN.1 encoding of signature on verification. It is possible to inject extra elements in the sequence making up the signature and still have it validate, which in some cases may allow the introduction of 'invisible' data into a signed structure.

Publish Date: 2018-06-04

URL: CVE-2016-1000342

CVSS 3 Score Details (7.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000342

Release Date: 2018-06-04

Fix Resolution: 1.56

Step up your Open Source Security Game with WhiteSource here

Create, Delete, Bind and Unbind Service Instance implementation

CVE-2015-7501 (High) detected in commons-collections-3.2.1.jar

CVE-2015-7501 - High Severity Vulnerability

Vulnerable Library - commons-collections-3.2.1.jar

Types that extend and augment the Java Collections Framework.

Library home page: http://commons.apache.org/collections/

Path to dependency file: /cf-ops-automation-broker/spring-boot-starter-servicebroker-catalog/pom.xml

Path to vulnerable library: /root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar

Dependency Hierarchy:

spring-cloud-cloudfoundry-service-broker-1.0.2.RELEASE.jar (Root Library)
- commons-beanutils-1.9.2.jar
  - ❌ commons-collections-3.2.1.jar (Vulnerable Library)

Found in HEAD commit: 91b3418fbbc1705f3c1de58bef6178cbc7234a25

Vulnerability Details

Red Hat JBoss A-MQ 6.x; BPM Suite (BPMS) 6.x; BRMS 6.x and 5.x; Data Grid (JDG) 6.x; Data Virtualization (JDV) 6.x and 5.x; Enterprise Application Platform 6.x, 5.x, and 4.3.x; Fuse 6.x; Fuse Service Works (FSW) 6.x; Operations Network (JBoss ON) 3.x; Portal 6.x; SOA Platform (SOA-P) 5.x; Web Server (JWS) 3.x; Red Hat OpenShift/xPAAS 3.x; and Red Hat Subscription Asset Manager 1.3 allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections (ACC) library.

Publish Date: 2017-11-09

URL: CVE-2015-7501

CVSS 3 Score Details (9.8)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-7501

Release Date: 2017-12-31

Fix Resolution: Upgrade to version apache-commons-collections 4.1, apache-commons-collections 3.2.2 or greater

Step up your Open Source Security Game with WhiteSource here

Improve CI release managment

configure maven release: https://circleci.com/docs/1.0/perform-maven-release/
- create a circle.yml at root https://github.com/computology/circleci-maven-project/blob/master/circle.yml
- Q: do we need to keep .circleci/config.yml ? https://circleci.com/docs/2.0/configuration-reference/
  - https://circleci.com/docs/2.0/language-java/ instructs a .circleci/config.yml
upload artifact to circleci
configure upload to github of springboot application jars: https://jedkirby.com/blog/github-releases-with-circleci
handle merging from develop to master

CVE-2016-1000338 (High) detected in bcprov-jdk15on-1.55.jar

CVE-2016-1000338 - High Severity Vulnerability

Vulnerable Library - bcprov-jdk15on-1.55.jar

Library home page: http://www.bouncycastle.org/java.html

Path to dependency file: /cf-ops-automation-broker/cf-ops-automation-broker-core/pom.xml

Path to vulnerable library: /root/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.55/bcprov-jdk15on-1.55.jar

Dependency Hierarchy:

spring-cloud-starter-openfeign-1.4.3.RELEASE.jar (Root Library)
- spring-cloud-starter-1.3.2.RELEASE.jar
  - spring-security-rsa-1.0.3.RELEASE.jar
    - bcpkix-jdk15on-1.55.jar
      - ❌ bcprov-jdk15on-1.55.jar (Vulnerable Library)

Found in HEAD commit: 91b3418fbbc1705f3c1de58bef6178cbc7234a25

Vulnerability Details

In Bouncy Castle JCE Provider version 1.55 and earlier the DSA does not fully validate ASN.1 encoding of signature on verification. It is possible to inject extra elements in the sequence making up the signature and still have it validate, which in some cases may allow the introduction of 'invisible' data into a signed structure.

Publish Date: 2018-06-01

URL: CVE-2016-1000338

CVSS 3 Score Details (7.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Change files

Origin: bcgit/bc-java@b0c3ce9#diff-3679f5a9d2b939d0d3ee1601a7774fb0

Release Date: 2016-10-14

Fix Resolution: Replace or update the following files: DSASigner.java, DSATest.java

Step up your Open Source Security Game with WhiteSource here

Force trigger COA build (template-refresh) on user-triggered service instance no-op update

As a service author, I need COAB to force a COA build of the service instance deployment for every service instance update, in order to provide ways for a service instance to get updates I make to service models.

This is a workaround for orange-cloudfoundry/cf-ops-automation#144

When: any service instance update is requested
Then: COAB commits into paas-template a marker file (e.g. last-update-date.txt) with the intent of forcing the detection of input changes on the paas-template-<service-instance_id> resource, which in turn pick up the changes made to the symlinked deployment model, and will update the service instance with them. This file has no other impacts than triggering the new build (i.e. it is ignored by the tasks of the deploy concourse job )

Service operators that wish to upgrade all service instances would have to loop other all service instances using the CF CLI/API or perform the same git commit on paas-templates (e.g. a git rebase of the service-instances branch against the paas-template current version commit id)

Credhub support: fetch nested broker passwords from credhub

COAB should be able to fetch the nested broker password from credhub.

CVE-2016-1000352 (High) detected in bcprov-jdk15on-1.55.jar

CVE-2016-1000352 - High Severity Vulnerability

Vulnerable Library - bcprov-jdk15on-1.55.jar

Library home page: http://www.bouncycastle.org/java.html

Path to dependency file: /cf-ops-automation-broker/cf-ops-automation-broker-core/pom.xml

Path to vulnerable library: /root/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.55/bcprov-jdk15on-1.55.jar

Dependency Hierarchy:

spring-cloud-starter-openfeign-1.4.3.RELEASE.jar (Root Library)
- spring-cloud-starter-1.3.2.RELEASE.jar
  - spring-security-rsa-1.0.3.RELEASE.jar
    - bcpkix-jdk15on-1.55.jar
      - ❌ bcprov-jdk15on-1.55.jar (Vulnerable Library)

Found in HEAD commit: 91b3418fbbc1705f3c1de58bef6178cbc7234a25

Vulnerability Details

In the Bouncy Castle JCE Provider version 1.55 and earlier the ECIES implementation allowed the use of ECB mode. This mode is regarded as unsafe and support for it has been removed from the provider.

Publish Date: 2018-06-04

URL: CVE-2016-1000352

CVSS 3 Score Details (7.4)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000352

Release Date: 2018-06-04

Fix Resolution: 1.56

Step up your Open Source Security Game with WhiteSource here

Full COA conventions support

As a service template author, I will follow the conventions expected by COA (https://github.com/orange-cloudfoundry/cf-ops-automation#ops-files).

COA Broker must be fully compliant with these conventions :

Bosh deployment resources template format
Bosh cli v2 specific features support (vars-files and ops-files)
Improve embeded file management (deployment-dependencies)
Iaas specifics support

CVE-2016-1000339 (Medium) detected in bcprov-jdk15on-1.55.jar

CVE-2016-1000339 - Medium Severity Vulnerability

Vulnerable Library - bcprov-jdk15on-1.55.jar

Library home page: http://www.bouncycastle.org/java.html

Path to dependency file: /cf-ops-automation-broker/cf-ops-automation-broker-core/pom.xml

Path to vulnerable library: /root/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.55/bcprov-jdk15on-1.55.jar

Dependency Hierarchy:

spring-cloud-starter-openfeign-1.4.3.RELEASE.jar (Root Library)
- spring-cloud-starter-1.3.2.RELEASE.jar
  - spring-security-rsa-1.0.3.RELEASE.jar
    - bcpkix-jdk15on-1.55.jar
      - ❌ bcprov-jdk15on-1.55.jar (Vulnerable Library)

Found in HEAD commit: 91b3418fbbc1705f3c1de58bef6178cbc7234a25

Vulnerability Details

In the Bouncy Castle JCE Provider version 1.55 and earlier the primary engine class used for AES was AESFastEngine. Due to the highly table driven approach used in the algorithm it turns out that if the data channel on the CPU can be monitored the lookup table accesses are sufficient to leak information on the AES key being used. There was also a leak in AESEngine although it was substantially less. AESEngine has been modified to remove any signs of leakage (testing carried out on Intel X86-64) and is now the primary AES class for the BC JCE provider from 1.56. Use of AESFastEngine is now only recommended where otherwise deemed appropriate.

Publish Date: 2018-06-04

URL: CVE-2016-1000339

CVSS 3 Score Details (5.3)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000339

Release Date: 2018-06-04

Fix Resolution: 1.56

Step up your Open Source Security Game with WhiteSource here

CVE-2018-10237 (Medium) detected in guava-18.0.jar

CVE-2018-10237 - Medium Severity Vulnerability

Vulnerable Library - guava-18.0.jar

Guava is a suite of core and expanded libraries that include utility classes, google's collections, io classes, and much much more.

Guava has only one code dependency - javax.annotation,
per the JSR-305 spec.</p>

Library home page: http://code.google.com/p/guava-libraries/guava

Path to dependency file: /cf-ops-automation-broker/cf-ops-automation-terraform-broker/pom.xml

Path to vulnerable library: /root/.m2/repository/com/google/guava/guava/18.0/guava-18.0.jar

Dependency Hierarchy:

spring-cloud-starter-openfeign-1.4.3.RELEASE.jar (Root Library)
- spring-cloud-starter-netflix-archaius-1.4.3.RELEASE.jar
  - ❌ guava-18.0.jar (Vulnerable Library)

Found in HEAD commit: 91b3418fbbc1705f3c1de58bef6178cbc7234a25

Vulnerability Details

Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 allows remote attackers to conduct denial of service attacks against servers that depend on this library and deserialize attacker-provided data, because the AtomicDoubleArray class (when serialized with Java serialization) and the CompoundOrdering class (when serialized with GWT serialization) perform eager allocation without appropriate checks on what a client has sent and whether the data size is reasonable.

Publish Date: 2018-04-26

URL: CVE-2018-10237

CVSS 3 Score Details (5.9)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-10237

Release Date: 2018-04-26

Fix Resolution: 24.1.1

Step up your Open Source Security Game with WhiteSource here

CVE-2017-15708 (High) detected in commons-collections-3.2.1.jar

CVE-2017-15708 - High Severity Vulnerability

Vulnerable Library - commons-collections-3.2.1.jar

Types that extend and augment the Java Collections Framework.

Library home page: http://commons.apache.org/collections/

Path to dependency file: /cf-ops-automation-broker/spring-boot-starter-servicebroker-catalog/pom.xml

Path to vulnerable library: /root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar

Dependency Hierarchy:

spring-cloud-cloudfoundry-service-broker-1.0.2.RELEASE.jar (Root Library)
- commons-beanutils-1.9.2.jar
  - ❌ commons-collections-3.2.1.jar (Vulnerable Library)

Found in HEAD commit: 91b3418fbbc1705f3c1de58bef6178cbc7234a25

Vulnerability Details

In Apache Synapse, by default no authentication is required for Java Remote Method Invocation (RMI). So Apache Synapse 3.0.1 or all previous releases (3.0.0, 2.1.0, 2.0.0, 1.2, 1.1.2, 1.1.1) allows remote code execution attacks that can be performed by injecting specially crafted serialized objects. And the presence of Apache Commons Collections 3.2.1 (commons-collections-3.2.1.jar) or previous versions in Synapse distribution makes this exploitable. To mitigate the issue, we need to limit RMI access to trusted users only. Further upgrading to 3.0.1 version will eliminate the risk of having said Commons Collection version. In Synapse 3.0.1, Commons Collection has been updated to 3.2.2 version.

Publish Date: 2017-12-11

URL: CVE-2017-15708

CVSS 3 Score Details (9.8)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15708

Release Date: 2017-12-11

Fix Resolution: Apache Synapse - 3.0.1;Apache Commons Collections - 3.2.2

Step up your Open Source Security Game with WhiteSource here

Conditional operators inclusion support

As a service author, in order to support different service plans, and different arbitrary params, I need to conditionally include some bosh operators depending on OSB input data received during service provisionning or unprovisionning

Proposal:

Given a user input provided by coab as coab-vars.yml in #29

---
deployment_name: "c_aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaa0"
instance_id: "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaa0"
service_id: "service_definition_id"
plan_id: "smallguid123455"
context:
  platform: "cloudfoundry"
  user_guid: "user_guid1"
  space_guid: "space_guid1"
  organization_guid: "org_guid1"
parameters:
  cacheRatio: 0.8642
  cacheSizeMb: 10
  slowQuery: false
  roadmin: true
previous_values:
  plan_id: "previous_plan_guid"

and a service model with files ending with a suffix matching the -when-<property-path>-equals-<property-value> where

<property-path> designates the path to a key within the coab-vars.yml structure. Supported path include toplevel properties such as plan_id, or parameters top level keys such as parameters.roadmin
<property-value> represents a value to match as string case insensitive litteral such as true or 0.8642

$ tree coab-depls/cloudfoundry-mysql/

coab-depls/cloudfoundry-mysql/
|-- deployment-dependencies.yml
`-- template
    |-- 03-add-roadmin-operators.yml-when-parameters.roadmin-equals-true -> ./cf-mysql-deployment/operations/add-roadmin.yml
    |-- 07-service-plan-small-operators.yml-when-planid-equals-smallguid123455 -> ./cf-mysql-deployment/operations/add-read-write-admin.yml
    |-- 08-kubernetes-binding-format-operators.yml-when-context.platform-equals-kubernetes
    |-- 08-cloudfoundry-binding-format-operators.yml-when-context.platform-equals-cloudfoundry
    |-- 10-enable-syslog-operators.yml -> ./cf-mysql-deployment/operations/enable-syslog.yml
    |-- cloudfoundry-mysql-vars-tpl.yml
    `-- 99-cloudfoundry-mysql.yml -> ./cf-mysql-deployment/cf-mysql-deployment.yml

then coab would generate conditionnally include the operators files depending on their matching of coab-vars.yml (while preserving systematic inclusion of other operators), resulting in the following coab bosh template directory

$ tree coab-depls/c_1c7d3610-6223-4d45-bc76-f027457a1253

c_1c7d3610-6223-4d45-bc76-f027457a1253/
|-- deployment-dependencies.yml
`-- template
    |-- 03-add-roadmin-operators.yml-> ../../cloudfoundry-mysql/template/03-add-roadmin-operators.yml-when-parameters.roadmin-equals-true
    |-- 07-service-plan-small-operators.yml -> ../../cloudfoundry-mysql/template/07-service-plan-small-operators.yml-when-planid-equals-smallguid123455
    |-- 08-cloudfoundry-binding-format-operators.yml -> ../../cloudfoundry-mysql/template/08-cloudfoundry-binding-format-operators.yml-when-context.platform-equals-cloudfoundry
    |-- 10-enable-syslog-operators.yml -> ./cf-mysql-deployment/operations/enable-syslog.yml -> ../../cloudfoundry-mysql/template/10-enable-syslog-operators.yml
    |-- cloudfoundry-mysql-vars-tpl.yml  -> ../../cloudfoundry-mysql/template/cloudfoundry-mysql-vars-tpl.yml
    `-- 99-cloudfoundry-mysql.yml -> ../../cloudfoundry-mysql/template/99-cloudfoundry-mysql.yml

In order to avoid the feature being used to bypass security, the following restrictions are imposed

the <property-path> only supports basic path designation
the <property-value> only supports exact string case insensitive matches.

In the future, we might consider additional matcher syntaxes such as -when<property-path>-isdefined (e.g. -when-previous_values.plan_id-isdefined to conditionally include operator only during service plan update)

Service plan and params support

As a service author, in order to support arbitrary params in my service, I need to receive content of arbitrary params in a format by bosh deployment can leverage.

Proposed solution: the coab-vars.yml file contains the open service broker api standardized input for both service provisionning and update.

---
deployment_name: "c_aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaa0"
instance_id: "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaa0"
service_id: "service_definition_id"
plan_id: "plan_guid"
context:
  platform: "cloudfoundry"
  user_guid: "user_guid1"
  space_guid: "space_guid1"
  organization_guid: "org_guid1"
parameters:
  cacheRatio: 0.8642
  cacheSizeMb: 10
  slowQuery: false
previous_values:
  plan_id: "previous_plan_guid"

Service authors can test in their models various content of the coab-vars.yml which will be safely ignored by COAB

To maintain security, Input validation is applied on the name and value of arbitrary params to prevent various injections (such as reading from credhub, spruce, file system injection, yml loading or reference expansions), and only alphabetical characters, numbers are supported

Out of scope: implement the GET endpoints.

Integrate whitesourcesoftware security scans

https://whitesource.atlassian.net/wiki/spaces/WD/pages/176717962/CircleCI+Integration

likely need to use circle ci variable with the corresponding branch name to map to the corresponding WSS product name https://github.com/orange-cloudfoundry/cf-ops-automation-broker_mysql_${branch_name}
need to clarify content of the config file https://whitesource.atlassian.net/wiki/spaces/WD/pages/33718339/Unified+Agent#UnifiedAgent-CommandLineParameters

springboot & OSB bump (security + OSB 2.14 support)

We need to upgrade to spring-cloud-open-service-broker on which we are late, as well as springboot 2.0

Benefits:

support for OSB specs 2.13 and soon 2.14 (async bindings spring-cloud/spring-cloud-open-service-broker#66)
security fixes in springboot and its dependency tree
bump to Spring Boot 2.x
- https://github.com/spring-projects/spring-boot/wiki/Spring-Boot-2.0-Migration-Guide
bump to spring-cloud-open-service-broker 2.0
- https://docs.spring.io/spring-cloud-open-service-broker/docs/2.0.0.RELEASE/reference/html5/
- https://github.com/spring-cloud/spring-cloud-open-service-broker
- https://github.com/spring-cloud/spring-cloud-open-service-broker/wiki/2.0-Migration-Guide
  - Compatibility
    - Spring Framework 5.x
    - Spring Boot 2.x
    - Open Service Broker API 2.13

CVE-2016-1000344 (High) detected in bcprov-jdk15on-1.55.jar

CVE-2016-1000344 - High Severity Vulnerability

Vulnerable Library - bcprov-jdk15on-1.55.jar

Library home page: http://www.bouncycastle.org/java.html

Path to dependency file: /cf-ops-automation-broker/cf-ops-automation-broker-core/pom.xml

Path to vulnerable library: /root/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.55/bcprov-jdk15on-1.55.jar

Dependency Hierarchy:

spring-cloud-starter-openfeign-1.4.3.RELEASE.jar (Root Library)
- spring-cloud-starter-1.3.2.RELEASE.jar
  - spring-security-rsa-1.0.3.RELEASE.jar
    - bcpkix-jdk15on-1.55.jar
      - ❌ bcprov-jdk15on-1.55.jar (Vulnerable Library)

Found in HEAD commit: 91b3418fbbc1705f3c1de58bef6178cbc7234a25

Vulnerability Details

In the Bouncy Castle JCE Provider version 1.55 and earlier the DHIES implementation allowed the use of ECB mode. This mode is regarded as unsafe and support for it has been removed from the provider.

Publish Date: 2018-06-04

URL: CVE-2016-1000344

CVSS 3 Score Details (7.4)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000344

Release Date: 2018-06-04

Fix Resolution: 1.56

Step up your Open Source Security Game with WhiteSource here

CVE-2016-1000340 (High) detected in bcprov-jdk15on-1.55.jar

CVE-2016-1000340 - High Severity Vulnerability

Vulnerable Library - bcprov-jdk15on-1.55.jar

Library home page: http://www.bouncycastle.org/java.html

Path to dependency file: /cf-ops-automation-broker/cf-ops-automation-broker-core/pom.xml

Path to vulnerable library: /root/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.55/bcprov-jdk15on-1.55.jar

Dependency Hierarchy:

spring-cloud-starter-openfeign-1.4.3.RELEASE.jar (Root Library)
- spring-cloud-starter-1.3.2.RELEASE.jar
  - spring-security-rsa-1.0.3.RELEASE.jar
    - bcpkix-jdk15on-1.55.jar
      - ❌ bcprov-jdk15on-1.55.jar (Vulnerable Library)

Found in HEAD commit: 91b3418fbbc1705f3c1de58bef6178cbc7234a25

Vulnerability Details

In the Bouncy Castle JCE Provider versions 1.51 to 1.55, a carry propagation bug was introduced in the implementation of squaring for several raw math classes have been fixed (org.bouncycastle.math.raw.Nat???). These classes are used by our custom elliptic curve implementations (org.bouncycastle.math.ec.custom.**), so there was the possibility of rare (in general usage) spurious calculations for elliptic curve scalar multiplications. Such errors would have been detected with high probability by the output validation for our scalar multipliers.

Publish Date: 2018-06-04

URL: CVE-2016-1000340

CVSS 3 Score Details (7.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Change files

Origin: bcgit/bc-java@7906420#diff-e5934feac8203ca0104ab291a3560a31

Release Date: 2016-11-29

Fix Resolution: Replace or update the following files: Nat160.java, Nat256.java, Nat192.java, SecP256R1FieldTest.java, Nat128.java, Nat224.java, SecP384R1FieldTest.java

Step up your Open Source Security Game with WhiteSource here

support service broker catalog auto-configuration

CVE-2018-1000613 (High) detected in bcprov-jdk15on-1.55.jar

CVE-2018-1000613 - High Severity Vulnerability

Vulnerable Library - bcprov-jdk15on-1.55.jar

Library home page: http://www.bouncycastle.org/java.html

Path to dependency file: /cf-ops-automation-broker/cf-ops-automation-broker-core/pom.xml

Path to vulnerable library: /root/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.55/bcprov-jdk15on-1.55.jar

Dependency Hierarchy:

spring-cloud-starter-openfeign-1.4.3.RELEASE.jar (Root Library)
- spring-cloud-starter-1.3.2.RELEASE.jar
  - spring-security-rsa-1.0.3.RELEASE.jar
    - bcpkix-jdk15on-1.55.jar
      - ❌ bcprov-jdk15on-1.55.jar (Vulnerable Library)

Found in HEAD commit: 91b3418fbbc1705f3c1de58bef6178cbc7234a25

Vulnerability Details

Legion of the Bouncy Castle Legion of the Bouncy Castle Java Cryptography APIs 1.58 up to but not including 1.60 contains a CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') vulnerability in XMSS/XMSS^MT private key deserialization that can result in Deserializing an XMSS/XMSS^MT private key can result in the execution of unexpected code. This attack appear to be exploitable via A handcrafted private key can include references to unexpected classes which will be picked up from the class path for the executing application. This vulnerability appears to have been fixed in 1.60 and later.

Publish Date: 2018-07-09

URL: CVE-2018-1000613

CVSS 3 Score Details (9.8)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-1000613

Release Date: 2018-07-09

Fix Resolution: 1.60

Step up your Open Source Security Game with WhiteSource here

orange-cloudfoundry / cf-ops-automation-broker Goto Github PK

cf-ops-automation-broker's People

Contributors

Stargazers

Watchers

cf-ops-automation-broker's Issues

CVE-2015-4852 - High Severity Vulnerability

CVE-2018-1000180 - High Severity Vulnerability

CVE-2016-1000343 - High Severity Vulnerability

CVE-2016-1000346 - Low Severity Vulnerability

CVE-2015-6420 - High Severity Vulnerability

CVE-2014-3558 - Medium Severity Vulnerability

Current situation:

Suggested situation

WS-2009-0001 - Low Severity Vulnerability

Requirements

version update

plan and param update

Desired binding

Resulting binding credentials

Pending design issues:

CVE-2016-1000345 - Medium Severity Vulnerability

CVE-2016-1000341 - Medium Severity Vulnerability

CVE-2016-1000342 - High Severity Vulnerability

CVE-2015-7501 - High Severity Vulnerability

CVE-2016-1000338 - High Severity Vulnerability

CVE-2016-1000352 - High Severity Vulnerability

CVE-2016-1000339 - Medium Severity Vulnerability

CVE-2018-10237 - Medium Severity Vulnerability

CVE-2017-15708 - High Severity Vulnerability

CVE-2016-1000344 - High Severity Vulnerability

CVE-2016-1000340 - High Severity Vulnerability

CVE-2018-1000613 - High Severity Vulnerability

Recommend Projects

Recommend Topics

Recommend Org