OPERA security vulnerabilities

[popenc]

Upgraded to OPERA v2.8, which still throws high to critical level security vulnerabilities when scanning the Docker image with Prisma (cts_kube repo).

Update: new version v2.8.2 is supposed to have security updates. Update to v2.8.2 and test the Prisma scans.

[popenc]

Will try to remove log4j from dependencies and see how that goes.

[popenc]

1. com.fasterxml.jackson.core_jackson-databind
   • Current/vulnerable version: 2.9.8
   • Fixed in: 2.9.10.4+
   • CVE-2020-9548, CVE-2020-9547, CVE-2020-9546, CVE-2020-8840, CVE-2019-20330, CVE-2019-17531, CVE-2019-17267, CVE-2019-16943, CVE-2019-16942, CVE-2019-16335, CVE-2019-14893, CVE-2019-14892, CVE-2019-14540, CVE-2019-14379, CVE-2020-11113, CVE-2020-11112, CVE-2020-11111, CVE-2020-10969, CVE-2020-10968, CVE-2020-10673, CVE-2020-10672, CVE-2021-20190, CVE-2020-36189, CVE-2020-36188, CVE-2020-36187, CVE-2020-36186, CVE-2020-36185, CVE-2020-36184, CVE-2020-36183, CVE-2020-36182, CVE-2020-36181, CVE-2020-36180, CVE-2020-36179, CVE-2020-35728, CVE-2020-35491, CVE-2020-35490, CVE-2020-24750, CVE-2020-24616, CVE-2020-14195, CVE-2020-14062, CVE-2020-14061, CVE-2020-14060, CVE-2020-11620, CVE-2020-11619, CVE-2020-25649, CVE-2019-14439, CVE-2019-12086
2. Java
   • Current/vulnerable version: 1.8.0_202
   • Fixed in: N/A
   • CVE-2019-2699, CVE-2019-2698, CVE-2019-2697, CVE-2019-2602
3. org.apache.xmlgraphics_xmlgraphics-commons
   • Current/vulnerable version: 2.2
   • Fixed in: 2.6+
   • CVE-2020-11988
4. org.apache.cxf_cxf-core
   • Current/vulnerable version: 3.2.14
   • Fixed in: 3.4.3
   • CVE-2021-22696
5. commons-beanutils_commons-beanutils
   • Current/vulnerable version: 1.8.3
   • Fixed in: N/A
   • CVE-2019-10086
6. log4j_log4j
   • Current/vulnerable version: 1.2.15
   • Fixed in: 2.17.2
   • CVE-2019-17571

[popenc]

Updated to OPERA v2.8.4 (Python module). Looks like the above CVEs remain. I'm now going through to see where the above libraries are located.

[popenc]

Added removal of (unused) log4j in Docker image. Should be able to use a fresh build and enable OPERAWS on servers again.

[popenc]

This is now running on GDIT/ceam dev server. I'm getting data back from the example API request, although it took a really long time. Also, since the ceam dev server cannot reach CCTE from outside the EPA network, it's not able to get DTXSID and therefore isn't getting data from the DB, so it always runs the model.

[popenc]

log4j resolutions added to dev and epa staging.

NOTE: If operaws CVEs are still being flagged in Prisma via the Gitlab pipeline, this along with bt_api can be deployed on a separate backend server that goes through the routine manual app scans, which do pass.

[popenc]

Prisma scans working again and added them back to the Gitlab pipeline. It looks like updating to v2.9.1 has resolved the log4j vulnerability but all the rest remain.

15 critical, 39 high, 13 medium, and 18 low.

Main offending libraries:

• com.fasterxml.jackson.core_jackson-databind (v2.9.8, fixed in v2.9.10)
  • This has the majority of vulnerabilities.
• java v1.8.0_202 (no suggested fix version listed)
• org.apache.cxf_cxf-core (v3.2.14, fixed in 3.4.3 and 3.3.10)
• commons-beanutils_commons-beanutils (v1.8.3, no suggested fix version listed)