Skip to content

Security: lmco/mms3-adapter-plugin

Security

SECURITY.md

MMS Adapter Security

Contents

Reporting Security Vulnerabilities

If a security related issue is identified in the open source version MCF, please email [email protected]. This will notify the Lockheed Martin MBEE Software Engineering team of the issue.

When disclosing a vulnerability, please provide the following information:

  • Server information: any environment details that can be provided about the instance of MCF on which the vulnerability was identified on.
  • The MCF version (can be retrieved from the MCF /about page)
  • The MMS Adapter Plugin version
  • Whether or not the original source code has been modified. Details about any modifications can be helpful, if that information can be provided.
  • A detailed description of the issue (the more detail, the better) so our team can quickly reproduce the issue.
  • Organization(s) impacted/affected.

Disclosure and Security Update Policy

If and when security-related updates are made to the MMS Adapter Plugin, refer to CHANGELOG.md for instructions on how to mitigate the issue.

Known Gaps and Issues

PDF Export

PrincePDF is used to generate PDFs. The MMS Adapter plugin receives html from the View Editor application which historically has included links to retrieve artifacts from MMS with an alf_ticket included. MMS would then send the html to Prince. The issue arises with the handling of the alf_ticket in the MMS Adapter Plugin. Because the intention was to avoid using Alfresco while maintaining backwards API compatibility, we kept support for the alf_ticket query parameter but re-purposed it into a bearer token. When sending html to Prince for PDF generation, we currently create a new bearer token with an expiry time of 24 hours, because of reports that the generation can take exceptionally long periods of time for exceptionally large models. Currently there is no way to destroy or invalidate a bearer token in the MCF backend once it is created, meaning this token will continue to exist regardless of how soon the PDF generation is finished. In a future release of MCF, we plan to implement a way for admins to manage, i.e. view and destroy, all currently active bearer tokens. Until then, this plugin will generate an indestructible 24hr token every time a PDF generation is requested.

PDF Email

Intended to leverage an SMTP relay. Currently no TLS/SSL support.

There aren’t any published security advisories