Ericsson Internal
PRODUCT REVISION INFORMATION 1 (23)

Prepared (also subject responsible if other) / No.
Lise Giordano 109 21-CSH 109 779/3 Uen M

Approved / Checked / Date / Rev / Reference
Ann Marie Colasurdo 2023-09-13 M

CTS/ESD Drop 2023.8


Contents
1 Reason for Revision .................................................................... 3
2 Technical Solution ....................................................................... 3
2.1 Implemented Requirements ............................................. 3
2.2 Impact on Users: Abrupt NBC .......................................... 5
2.2.1 Impact on Users: NBC (Deprecation Ended) .................... 7
2.3 Corrected Trouble Reports ............................................... 7
2.4 Corrected Vulnerability Trouble Reports ........................... 8
2.5 Restrictions and Limitations ............................................ 11
2.5.1 Open Trouble Reports .................................................... 11
2.5.2 Open Vulnerability Trouble Reports ................................ 12
2.5.3 Features Not Ready for Commercial Use ....................... 19
3 Product Deliverables ................................................................. 21
3.1 Software Products .......................................................... 21
3.2 Related Documents ........................................................ 22
4 Deployment Information ............................................................ 22
5 Support ....................................................................................... 23
6 References ................................................................................. 23
Revision History

Revision Date Reason for Revision

M 2023-09-13 Updated for drop 2023.8


1 Reason for Revision

CTS/ESD Drop 2023.8 has been uploaded to the ARM Artifactory
(19.2.0-338), found here:

https://arm.seli.gic.ericsson.se/artifactory/proj-bdgsbet-staging-local/com/ericsson/19.2.0-338/

Note: For installation instructions, see “Deployment Information.”

2 Technical Solution

2.1 Implemented Requirements

All implemented requirements in this section have Feature Maturity
Stable. Requirements with Feature Maturity lower than Stable are listed
in “Features Not Ready for Commercial Use.”

For CTS/ESD, implemented requirements are also known as Near PRA
Quality. Near PRA Quality means that development and testing are
completed and the feature is ready for use in Customer Labs before
CTS/ESD reaches PRA.

The following table lists the requirements currently implemented in this
drop.

REQUIREMENT ID (MR/JIRA ID)  DESCRIPTION

DEAI-4788  Retain Unused Resources
ESD TOSCA onboarding and provisioning capabilities were enhanced to
introduce better control over the deletion of potentially shared
resources and child services when they are no longer required by the
given service or by any other service. TOSCA template authors can now
decide whether such shareable resources or child services should remain
in the topology/network for potential future reuse when they are not
consumed by the given service or by any existing or planned service.
The feature is enabled in TOSCA service templates by setting the
“retainUnused” property of the NodePolicy applied to the Node Template.
DEAI-4788 (continued)  Notes:
• Child service modification scenarios are not supported by this
feature. For more information, see “Impact on Users: Abrupt NBC.”
• For “Add/Delete Retained Unused Services”, see “Features Not Ready
for Commercial Use”, DEAI-6869.

DEAI-7240  Support the EnterpriseDB (EDB) for ESOA CTS - Phase 1
CTS, as part of the ESOA product, can now be installed using an external
EnterpriseDB service for persistence. The ESOA CTS installation supports
two primary options:
• installation proceeds with pre-created DATABASE and SCHEMA objects in
the EnterpriseDB instance;
• the CTS installation automatically creates and initializes the
DATABASE and SCHEMA objects in EnterpriseDB.

DEAI-7293  CTM Wireless & Service Model Update
The feature introduces enhancements to the Common Topology models to
better support the use cases identified for the SO-A product. These
enhancements include:
• adding new abstract classes
• modifying the object class hierarchy for the networkSlice and
networkSliceSubnet objects
• adding new associations
2.2 Impact on Users: Abrupt NBC

FEATURE ID/JIRA ID  INFORMATION

DEAI-4788, EAIP-427, DEAI-6869
In this drop, CTS provides changes related to the “Retain unused
resources” feature (DEAI-4788) and the “Retain Unused Services -
Add/Delete” feature (DEAI-6898) in support of ESOA’s “Delete when not
consumed” feature.

Prior to this feature, all resources/child services represented as
“Node Templates” in TOSCA templates with the directives
• “[ select, instantiate ]” for resources, and
• “[ select_service, substitute ]” for services
were considered shared resources/services.

When the services using these shared resources/child services were
deleted, the resources/child services were retained (not deleted) in
case they might be needed by future services.

With the introduction of the “Retain unused resources” feature, these
shared resources/services are deleted when the consuming
resource/service is deleted, as long as no other service consumes
them. Although this change is non-backwards compatible, it was
requested by the user community.

However, the new feature does not yet fully support modification of
hierarchical services. In such cases there might be undesired side
effects.
Therefore, to avoid these undesired side effects, customers are advised
to update their TOSCA templates for Node Templates that have the
directives “[ select, instantiate ]” for resources and
“[ select_service, substitute ]” for services.

The following updates turn the “old behavior” (shared nodes are
retained) back on.

Procedure
1. Modify common-topology-types.yaml by adding the retainUnused
property shown below to the properties of
topology.policies.NodePolicy:

    topology.policies.NodePolicy:
      derived_from: tosca.policies.Root
      properties:
        retainUnused:
          type: boolean
          required: false

2. Add the following policy to TOSCA templates that have Node Templates
with the “[ select, instantiate ]” directive for resources or the
“[ select_service, substitute ]” directive for services. Add a
“policies” section if it is not present in your current TOSCA
templates, and list every such Node Template in targets:

    policies:
      retainSharedNodesPolicy:
        type: topology.policies.NodePolicy
        targets: [ <comma-separated list of Node Templates> ]
        properties:
          retainUnused: true
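As an added example (not part of this revision document or of the CTS product code), the following Python script audits a parsed TOSCA service template for Node Templates carrying the two shared-node directives and reports those not covered by a topology.policies.NodePolicy with retainUnused: true, i.e. the nodes whose deletion behaviour changes with this drop. The embedded template, its node type names and its node template names are constructed placeholders; a real template would be loaded with yaml.safe_load and passed in unchanged.

```python
"""Audit a TOSCA service template for shared Node Templates that are not
covered by a retainUnused: true NodePolicy.

Added example; not code from the CTS/ESD product. SAMPLE_TEMPLATE, its
node type names and node template names are constructed placeholders.
Real templates can be loaded with yaml.safe_load(open(path)) and passed
to unretained_shared_nodes() unchanged.
"""
from typing import Any, Dict, List

# Directive pairs that mark a Node Template as a shared resource or child
# service (see "Impact on Users: Abrupt NBC").
SHARED_DIRECTIVES = {
    ("select", "instantiate"),         # resources
    ("select_service", "substitute"),  # services
}
NODE_POLICY_TYPE = "topology.policies.NodePolicy"


def _topology(template: Dict[str, Any]) -> Dict[str, Any]:
    return template.get("topology_template") or {}


def shared_node_templates(template: Dict[str, Any]) -> List[str]:
    """Names of Node Templates whose directives make them shared."""
    nodes = _topology(template).get("node_templates") or {}
    return [
        name for name, node in nodes.items()
        if tuple(node.get("directives") or ()) in SHARED_DIRECTIVES
    ]


def retained_node_templates(template: Dict[str, Any]) -> List[str]:
    """Names targeted by a NodePolicy whose retainUnused property is true.

    TOSCA allows 'policies' as a list of single-key maps or as a map;
    both shapes are accepted. retainUnused is declared boolean in
    common-topology-types.yaml, so only a YAML true (Python True) counts;
    the string "true" would not enable retention and is not counted.
    """
    policies = _topology(template).get("policies") or []
    if isinstance(policies, dict):
        entries = list(policies.values())
    else:
        entries = [body for item in policies for body in item.values()]
    retained: List[str] = []
    for policy in entries:
        if policy.get("type") != NODE_POLICY_TYPE:
            continue
        if (policy.get("properties") or {}).get("retainUnused") is not True:
            continue
        retained.extend(policy.get("targets") or [])
    return retained


def unretained_shared_nodes(template: Dict[str, Any]) -> List[str]:
    """Shared Node Templates that, from drop 2023.8, are deleted together
    with their last consuming service because no retaining policy covers
    them. An empty list means the template keeps the old behaviour."""
    retained = set(retained_node_templates(template))
    return [n for n in shared_node_templates(template) if n not in retained]


# Constructed sample: two shared links, one shared child service, one plain
# service node, and a policy that retains only access_link.
SAMPLE_TEMPLATE: Dict[str, Any] = {
    "tosca_definitions_version": "tosca_simple_yaml_1_3",
    "topology_template": {
        "node_templates": {
            "vpn_service": {"type": "example.nodes.Service"},
            "access_link": {"type": "example.nodes.Link",
                            "directives": ["select", "instantiate"]},
            "core_link": {"type": "example.nodes.Link",
                          "directives": ["select", "instantiate"]},
            "child_slice": {"type": "example.nodes.Slice",
                            "directives": ["select_service", "substitute"]},
        },
        "policies": [
            {"retainSharedNodesPolicy": {
                "type": NODE_POLICY_TYPE,
                "targets": ["access_link"],
                "properties": {"retainUnused": True},
            }},
        ],
    },
}

if __name__ == "__main__":
    for name in unretained_shared_nodes(SAMPLE_TEMPLATE):
        print(f"{name}: add to retainSharedNodesPolicy targets to keep it")
```

Run against every onboarded template before upgrading; any name the script prints is a node that the upgraded drop will delete with its last consumer unless it is added to the policy's targets.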
2.2.1 Impact on Users: NBC (Deprecation Ended)

2.3 Corrected Trouble Reports

The following table lists the Trouble Reports described in JIRA that are
corrected in this drop.

TR ID  TR HEADING

EAIP-403  ESOA - When a hierarchical child template is onboarded with a
new version, the parent template is not able to find it without a pod
restart

EAIP-412  IDUN - Compliance with ADP Service Mesh Design Rules

EAIP-414  Telstra AWS - ST node template [ select, instantiate ] with
multiple requirements, select not finding objects

EAIP-422  IDUN - CTS eric-product-info.yaml is not filled properly for
eric-artemis-cert-manager

EAIP-423  IDUN - CTS pod restarts happen during EIC upgrade

EAIP-427  ESOA - Subsystem reference cannot be found in the resource.
Non-consumed child service is not deleted after DELETE/Complete
(retainUnused=false).
2.4 Corrected Vulnerability Trouble Reports

The following table lists the corrected Vulnerability Trouble Reports in
this drop.

Vulnerability ID(s)  Vulnerability Description

CVE-2018-1000518  aaugustin websockets version 4 contains a CWE-409:
Improper Handling of Highly Compressed Data (Data Amplification)
vulnerability in servers and clients, unless configured with
compression=None, that can result in Denial of Service by memory
exhaustion. This attack appears to be exploitable via sending a
specially crafted frame on an established connection.

CVE-2020-8908  A temp directory creation vulnerability exists in all
versions of Guava, allowing an attacker with access to the machine to
potentially access data in a temporary directory created by the Guava
API com.google.common.io.Files.createTempDir(). By default, on unix-like
systems, the created directory is world-readable (readable by an
attacker with access to the system). The method in question has been
marked @Deprecated in versions 30.0 and later and should not be used.
For Android developers, we recommend choosing a temporary directory API
provided by Android, such as context.getCacheDir(). For other Java
developers, we recommend migrating to the Java 7 API
java.nio.file.Files.createTempDirectory(), which explicitly configures
permissions of 700, or configuring the Java runtime's java.io.tmpdir
system property to point to a location whose permissions are
appropriately configured.

CVE-2020-25659  python-cryptography 3.2 is vulnerable to Bleichenbacher
timing attacks in the RSA decryption API, via timed processing of valid
PKCS#1 v1.5 ciphertext.
CVE-2020-36242  In the cryptography package before 3.3.2 for Python,
certain sequences of update calls to symmetrically encrypt multi-GB
values could result in an integer overflow and buffer overflow, as
demonstrated by the Fernet class.

CVE-2021-22569  An issue in protobuf-java allowed the interleaving of
com.google.protobuf.UnknownFieldSet fields in such a way that they would
be processed out of order. A small malicious payload can occupy the
parser for several minutes by creating large numbers of short-lived
objects that cause frequent, repeated pauses. We recommend upgrading
libraries beyond the vulnerable versions.

CVE-2021-22570  Nullptr dereference when a null char is present in a
proto symbol. The symbol is parsed incorrectly, leading to an unchecked
call into the proto file's name during generation of the resulting error
message. Since the symbol is incorrectly parsed, the file is nullptr. We
recommend upgrading to version 3.15.0 or greater.

CVE-2021-46877  jackson-databind 2.10.x through 2.12.x before 2.12.6 and
2.13.x before 2.13.1 allows attackers to cause a denial of service (2 GB
transient heap usage per read) in uncommon situations involving JsonNode
JDK serialization.

CVE-2022-1941  A parsing vulnerability for the MessageSet type in the
ProtocolBuffers versions prior to and including 3.16.1, 3.17.3, 3.18.2,
3.19.4, 3.20.1 and 3.21.5 for protobuf-cpp, and versions prior to and
including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 4.21.5 for
protobuf-python can lead to out of memory failures. A specially crafted
message with multiple key-value pairs per element creates parsing
issues, and can lead to a Denial of Service against services receiving
unsanitized input. We recommend upgrading to versions 3.18.3, 3.19.5,
3.20.2, 3.21.6 for protobuf-cpp and 3.18.3, 3.19.5, 3.20.2, 4.21.6 for
protobuf-python. Versions for 3.16 and 3.17 are no longer updated.
CVE-2022-3171  A parsing issue with binary data in protobuf-java core
and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to
a denial of service attack. Inputs containing multiple instances of
non-repeated embedded messages with repeated or unknown fields cause
objects to be converted back and forth between mutable and immutable
forms, resulting in potentially long garbage collection pauses. We
recommend updating to the versions mentioned above.

CVE-2023-1436  A flaw was found in Jettison. Infinite recursion is
triggered in Jettison when constructing a JSONArray from a Collection
that contains a self-reference in one of its elements. This issue leads
to a StackOverflowError exception being thrown.

CVE-2023-2976  Use of Java's default temporary directory for file
creation in `FileBackedOutputStream` in Google Guava versions 1.0 to
31.1 on Unix systems and Android Ice Cream Sandwich allows other users
and apps on the machine with access to the default Java temporary
directory to be able to access the files created by the class. Even
though the security vulnerability is fixed in version 32.0.0, we
recommend using version 32.0.1 as version 32.0.0 breaks some
functionality under Windows.

CVE-2023-3223  A flaw was found in undertow. Servlets annotated with
@MultipartConfig may cause an OutOfMemoryError due to large multipart
content. This may allow unauthorized users to cause a remote Denial of
Service (DoS) attack. If the server uses fileSizeThreshold to limit the
file size, it's possible to bypass the limit by setting the file name in
the request to null.

CVE-2023-3635  A flaw was found in SquareUp Okio. The class GzipSource
does not handle an exception that might be raised when parsing a
malformed gzip buffer. This issue may allow a malicious user to start
processing a malformed file, which can result in a Denial of Service
(DoS).
2.5 Restrictions and Limitations

2.5.1 Open Trouble Reports

The following table lists the Trouble Reports currently open.

TR ID  TR Heading

EAIP-356  401 error received during the first authorization on an
environment with Service Mesh.
Note: Testing for this TR is in progress.

EAIP-420  IDUN - eric-oss-cmn-topology-svc-core: scraping metrics
failure when TLS is enabled

TREAI-8440  YAML to HTML conversion failing. Produces empty OAS files.
Note: The CTS REST API Documentation (OpenAPI specification files) will
be updated when it becomes available.
To retrieve the CTS REST API Documentation from drop 2023.7.0, see
2023.7.0 in ADP Marketplace. As a workaround, the following 2023.8.0
YAML files are posted to ARM for your convenience:
• eric-oss-cmn-topology-svc-core-admin-v1.0.0-alpha.oas.yaml.zip
• eric-oss-cmn-topology-svc-core-datasynchronization-v1.0.0-alpha.oas.yaml.zip
• eric-oss-cmn-topology-svc-core-identifiermanagement-v1.0.0-alpha.oas.yaml.zip
• eric-oss-cmn-topology-svc-core-nonversioned.oas.yaml.zip
• eric-oss-cmn-topology-svc-core-resourcetopology-v1.0.0-alpha.oas.yaml.zip
2.5.2 Open Vulnerability Trouble Reports

The following table lists the Vulnerability Trouble Reports currently
open.

Vulnerability ID(s)  Vulnerability Description

CVE-2022-45688  A stack overflow in the XML.toJSONObject component of
hutool-json v5.8.10 allows attackers to cause a Denial of Service (DoS)
via crafted JSON or XML data.

CVE-2023-22006  Vulnerability in the Oracle Java SE, Oracle GraalVM
Enterprise Edition, Oracle GraalVM for JDK product of Oracle Java SE
(component: Networking). Supported versions that are affected are Oracle
Java SE: 11.0.19, 17.0.7, 20.0.1; Oracle GraalVM Enterprise Edition:
20.3.10, 21.3.6, 22.3.2; Oracle GraalVM for JDK: 17.0.7 and 20.0.1.
Difficult to exploit vulnerability allows unauthenticated attacker with
network access via multiple protocols to compromise Oracle Java SE,
Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK. Successful
attacks require human interaction from a person other than the
attacker. Successful attacks of this vulnerability can result in
unauthorized update, insert or delete access to some of Oracle Java SE,
Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK accessible
data. Note: This vulnerability applies to Java deployments, typically in
clients running sandboxed Java Web Start applications or sandboxed Java
applets, that load and run untrusted code (e.g., code that comes from
the internet) and rely on the Java sandbox for security. This
vulnerability does not apply to Java deployments, typically in servers,
that load and run only trusted code (e.g., code installed by an
administrator). CVSS 3.1 Base Score 3.1 (Integrity impacts). CVSS
Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N).
CVE-2023-22036  Vulnerability in the Oracle Java SE, Oracle GraalVM
Enterprise Edition, Oracle GraalVM for JDK product of Oracle Java SE
(component: Utility). Supported versions that are affected are Oracle
Java SE: 11.0.19, 17.0.7, 20.0.1; Oracle GraalVM Enterprise Edition:
20.3.10, 21.3.6, 22.3.2; Oracle GraalVM for JDK: 17.0.7 and 20.0.1.
Difficult to exploit vulnerability allows unauthenticated attacker with
network access via multiple protocols to compromise Oracle Java SE,
Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK. Successful
attacks of this vulnerability can result in unauthorized ability to
cause a partial denial of service (partial DOS) of Oracle Java SE,
Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK. Note: This
vulnerability can be exploited by using APIs in the specified Component,
e.g., through a web service which supplies data to the APIs. This
vulnerability also applies to Java deployments, typically in clients
running sandboxed Java Web Start applications or sandboxed Java applets,
that load and run untrusted code (e.g., code that comes from the
internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score
3.7 (Availability impacts). CVSS Vector:
(CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).

CVE-2023-22041  Vulnerability in the Oracle Java SE, Oracle GraalVM
Enterprise Edition, Oracle GraalVM for JDK product of Oracle Java SE
(component: Hotspot). Supported versions that are affected are Oracle
Java SE: 8u371-perf, 11.0.19, 17.0.7, 20.0.1; Oracle GraalVM Enterprise
Edition: 20.3.10, 21.3.6, 22.3.2; Oracle GraalVM for JDK: 17.0.7 and
20.0.1. Difficult to exploit vulnerability allows unauthenticated
attacker with logon to the infrastructure where Oracle Java SE, Oracle
GraalVM Enterprise Edition, Oracle GraalVM for JDK executes to
compromise Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle
GraalVM for JDK. Successful attacks of this vulnerability can result in
unauthorized access to critical data or complete access to all Oracle
Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK
accessible data. Note: This vulnerability applies to Java deployments,
typically in clients running sandboxed Java Web Start applications or
sandboxed Java applets, that load and run untrusted code (e.g., code
that comes from the internet) and rely on the Java sandbox for security.
This vulnerability does not apply to Java deployments, typically in
servers, that load and run only trusted code (e.g., code installed by an
administrator). CVSS 3.1 Base Score 5.1 (Confidentiality impacts). CVSS
Vector: (CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N).

CVE-2023-22043  Vulnerability in Oracle Java SE (component: JavaFX). The
supported version that is affected is Oracle Java SE: 8u371. Difficult
to exploit vulnerability allows unauthenticated attacker with network
access via multiple protocols to compromise Oracle Java SE. Successful
attacks of this vulnerability can result in unauthorized creation,
deletion or modification access to critical data or all Oracle Java SE
accessible data. Note: This vulnerability applies to Java deployments,
typically in clients running sandboxed Java Web Start applications or
sandboxed Java applets, that load and run untrusted code (e.g., code
that comes from the internet) and rely on the Java sandbox for security.
This vulnerability does not apply to Java deployments, typically in
servers, that load and run only trusted code (e.g., code installed by an
administrator). CVSS 3.1 Base Score 5.9 (Integrity impacts). CVSS
Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N).

CVE-2023-22044  Vulnerability in the Oracle Java SE, Oracle GraalVM
Enterprise Edition, Oracle GraalVM for JDK product of Oracle Java SE
(component: Hotspot). Supported versions that are affected are Oracle
Java SE: 8u371-perf, 17.0.7, 20.0.1; Oracle GraalVM Enterprise Edition:
21.3.6, 22.3.2; Oracle GraalVM for JDK: 17.0.7 and 20.0.1. Difficult to
exploit vulnerability allows unauthenticated attacker with network
access via multiple protocols to compromise Oracle Java SE, Oracle
GraalVM Enterprise Edition, Oracle GraalVM for JDK. Successful attacks
of this vulnerability can result in unauthorized read access to a subset
of Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for
JDK accessible data. Note: This vulnerability can be exploited by using
APIs in the specified Component, e.g., through a web service which
supplies data to the APIs. This vulnerability also applies to Java
deployments, typically in clients running sandboxed Java Web Start
applications or sandboxed Java applets, that load and run untrusted code
(e.g., code that comes from the internet) and rely on the Java sandbox
for security. CVSS 3.1 Base Score 3.7 (Confidentiality impacts). CVSS
Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N).

CVE-2023-22045  Vulnerability in the Oracle Java SE, Oracle GraalVM
Enterprise Edition, Oracle GraalVM for JDK product of Oracle Java SE
(component: Hotspot). Supported versions that are affected are Oracle
Java SE: 8u371, 8u371-perf, 11.0.19, 17.0.7, 20.0.1; Oracle GraalVM
Enterprise Edition: 20.3.10, 21.3.6, 22.3.2; Oracle GraalVM for JDK:
17.0.7 and 20.0.1. Difficult to exploit vulnerability allows
unauthenticated attacker with network access via multiple protocols to
compromise Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle
GraalVM for JDK. Successful attacks of this vulnerability can result in
unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM
Enterprise Edition, Oracle GraalVM for JDK accessible data. Note: This
vulnerability can be exploited by using APIs in the specified Component,
e.g., through a web service which supplies data to the APIs. This
vulnerability also applies to Java deployments, typically in clients
running sandboxed Java Web Start applications or sandboxed Java applets,
that load and run untrusted code (e.g., code that comes from the
internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score
3.7 (Confidentiality impacts). CVSS Vector:
(CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N).

CVE-2023-22049  Vulnerability in the Oracle Java SE, Oracle GraalVM
Enterprise Edition, Oracle GraalVM for JDK product of Oracle Java SE
(component: Libraries). Supported versions that are affected are Oracle
Java SE: 8u371, 8u371-perf, 11.0.19, 17.0.7, 20.0.1; Oracle GraalVM
Enterprise Edition: 20.3.10, 21.3.6, 22.3.2; Oracle GraalVM for JDK:
17.0.7 and 20.0.1. Difficult to exploit vulnerability allows
unauthenticated attacker with network access via multiple protocols to
compromise Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle
GraalVM for JDK. Successful attacks of this vulnerability can result in
unauthorized update, insert or delete access to some of Oracle Java SE,
Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK accessible
data. Note: This vulnerability can be exploited by using APIs in the
specified Component, e.g., through a web service which supplies data to
the APIs. This vulnerability also applies to Java deployments, typically
in clients running sandboxed Java Web Start applications or sandboxed
Java applets, that load and run untrusted code (e.g., code that comes
from the internet) and rely on the Java sandbox for security. CVSS 3.1
Base Score 3.7 (Integrity impacts). CVSS Vector:
(CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).

CVE-2023-25193  hb-ot-layout-gsubgpos.hh in HarfBuzz through 6.0.0
allows attackers to trigger O(n^2) growth via consecutive marks during
the process of looking back for base glyphs when attaching marks.
CVE-2023-34462  Netty is an asynchronous event-driven network
application framework for rapid development of maintainable high
performance protocol servers & clients. The `SniHandler` can allocate up
to 16MB of heap for each channel during the TLS handshake. When the
handler or the channel does not have an idle timeout, it can be used to
make a TCP server using the `SniHandler` allocate 16MB of heap. The
`SniHandler` class is a handler that waits for the TLS handshake to
configure a `SslHandler` according to the server name indicated by the
`ClientHello` record. For this it allocates a `ByteBuf` using the value
defined in the `ClientHello` record. Normally the value of the packet
should be smaller than the handshake packet, but there are no checks
done here and, the way the code is written, it is possible to craft a
packet that makes the `SslClientHelloHandler`. This vulnerability has
been fixed in version 4.1.94.Final.

CVE-2023-36054  SUSE has released an update that fixes 1 vulnerability
in krb5.
Affected products:
openSUSE Leap Micro 5.4
openSUSE Leap Micro 5.3
openSUSE Leap 15.4
SUSE Linux Enterprise Module for Server Applications 15 SP4
SUSE Linux Enterprise Module for Basesystem 15 SP4
SUSE Linux Enterprise Micro 5.4
SUSE Linux Enterprise Micro 5.3

ERI-2023-204072  SUSE has released an update that fixes 0
vulnerabilities in ca-certificates-mozilla.
XRAY-87486  Apache Commons contains a flaw that is due to the Base32
codec decoding invalid strings instead of rejecting them. This may allow
a remote attacker to tunnel additional information via a base 32 string
that seems valid.

XRAY-178988  WildFly Elytron ScramServer.java Insecure Simple Byte
Comparison Timing Attack Message Nonce Disclosure Weakness. WildFly
Elytron contains a flaw in
mechanism/scram/src/main/java/org/wildfly/security/mechanism/scram/ScramServer.java
that is triggered as it uses simple byte comparison for the nonce, which
insecurely returns on the first mismatch. This may allow a remote
attacker to conduct a timing attack and potentially disclose the message
nonce.

XRAY-198432  Wildfly Common (wildfly-common) contains an XXE (Xml
eXternal Entity) injection flaw in
javax.xml.parsers.DocumentBuilderFactory and
javax.xml.stream.XMLInputFactory that is triggered during the parsing of
XML data. The issue is due to an incorrectly configured XML parser
accepting XML external entities from an untrusted source. By sending
specially crafted XML data, a remote attacker can potentially consume
excessive system resources or disclose sensitive information.

XRAY-203549  Apache Lucene contains a flaw in the Operations class in
lucene/core/src/java/org/apache/lucene/util/automaton/Operations.java
that is triggered when handling regular expressions in a query. This may
allow a remote attacker to consume excessive CPU resources and
potentially cause a denial of service.
2.5.3 Features Not Ready for Commercial Use

The following table lists the included features that are not yet ready
for commercial use (also known as Technology Preview MRs). These
features should not be used in any commercial or otherwise sensitive
deployment unless a proper risk analysis has been performed, as their
function is not yet final. These MRs can be used for co-development
and/or testing.

REQUIREMENT ID (MR/JIRA ID)  DESCRIPTION

DEAI-6869  Retain Unused Services - Add/Delete
In this CTS drop, ESD TOSCA onboarding and provisioning capabilities
were enhanced to introduce better control over the deletion of
potentially shared resources and child services when they are no longer
required by the given service or by any other service. TOSCA template
authors can now decide whether such shareable resources or child
services should remain in the topology/network for potential future
reuse when they are not consumed by the given service or by any existing
or planned service.
The feature is enabled in TOSCA service templates by setting the
“retainUnused” property of the NodePolicy applied to the Node Template.

Notes:
• Child service modification scenarios are not supported by this
feature. For more information, see “Impact on Users: Abrupt NBC.”
• For “Retain Unused Resources”, see “Implemented Requirements”,
DEAI-4788.
DEAI-7354   Introduction of Graceful Shutdown and Resource Parameters
(High Availability (HA) Enhancements) for Common Topology Service
The CTS Core and Artemis microservices are enhanced to support a pre-stop
lifecycle hook, together with the required graceful termination timeout, so
that the pods shut down gracefully.
The CTS Core and Artemis microservices are also enhanced with a resource
profile that defines requests and limits for CPU and RAM.

DEAI-7614   Improved Error Messages for Artemis Connection Issues
The CTS RESTful login APIs now distinguish between the HTTP error codes
401 (login error) and 503 (service not available). The CTS UI is not
affected by this change, because it receives the exact exception rather than
the HTTP error code.
Clients that call the RESTful login API should retry the login on receiving
a 503 (service not available) response. A 401 indicates a credential error
rather than a transient outage and should not be retried with the same
credentials.
DEAI-7808   [EAIP-411] IDUN -- Deprecate the host in favour of gas host in CTS
Migration to the gas host. Currently, the gas host is optional and the host
is the default. The gas host will become the main host, and the host will
become an optional (off by default) legacy host kept for backward
compatibility.
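The retry behaviour described for DEAI-7614 (retry the login on 503, stop on 401), as an added example in Python. This is not CTS project code: the endpoint path "/login", the JSON payload shape and the token-in-body response are assumptions, and the transport is a constructed test double so the example runs offline. It goes slightly beyond the text by adding capped exponential backoff with jitter and an attempt budget, which is what a client needs so that a prolonged 503 outage does not turn into a retry storm.

```python
"""Login client that retries on HTTP 503 but never on 401.

Added example, not CTS project code. The endpoint path ("/login"), the
JSON payload shape and the token-in-body response are assumptions; the
transport is injected so the example runs offline against a scripted fake.
"""
import random
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Sequence

RETRYABLE = {503}           # service not available: back end (e.g. the broker) may still be starting
NON_RETRYABLE = {401, 403}  # credential/authorization failure: retrying only risks account lockout


@dataclass
class Response:
    status: int
    body: str = ""


class LoginError(Exception):
    """Non-retryable login failure (401/403 or an unexpected status)."""


class ServiceUnavailable(Exception):
    """The service kept answering 503 for every attempt."""


Transport = Callable[[str, Dict[str, str]], Response]


def login_with_retry(
    transport: Transport,
    username: str,
    password: str,
    max_attempts: int = 5,
    base_delay: float = 0.5,
    max_delay: float = 8.0,
    sleep: Callable[[float], None] = time.sleep,
    rng: Optional[random.Random] = None,
) -> str:
    """Return the session token (response body) once login succeeds.

    2xx      -> success
    401/403  -> raise LoginError immediately; never re-send the same credentials
    503      -> retry with capped exponential backoff and full jitter
    other    -> raise LoginError (not a known transient condition)
    """
    rng = rng or random.Random()
    payload = {"username": username, "password": password}
    last_status = None
    for attempt in range(1, max_attempts + 1):
        resp = transport("/login", payload)  # path is an assumption
        if 200 <= resp.status < 300:
            return resp.body
        if resp.status in NON_RETRYABLE:
            raise LoginError(f"login rejected with HTTP {resp.status}")
        if resp.status not in RETRYABLE:
            raise LoginError(f"unexpected HTTP {resp.status} from login endpoint")
        last_status = resp.status
        if attempt < max_attempts:
            ceiling = min(max_delay, base_delay * (2 ** (attempt - 1)))
            sleep(rng.uniform(0.0, ceiling))  # full jitter spreads out simultaneous clients
    raise ServiceUnavailable(
        f"login endpoint still returned HTTP {last_status} after {max_attempts} attempts"
    )


def scripted_transport(statuses: Sequence[int]) -> Transport:
    """Constructed test double: answers with the given status codes in order."""
    queue: List[int] = list(statuses)
    calls: List[str] = []

    def transport(path: str, payload: Dict[str, str]) -> Response:
        calls.append(path)
        status = queue.pop(0)
        return Response(status, "token-abc" if status == 200 else "")

    transport.calls = calls  # type: ignore[attr-defined]
    return transport


def demo() -> Dict[str, object]:
    """Run three scripted scenarios with sleeping disabled; returns attempt counts and outcomes."""
    no_sleep = lambda seconds: None
    result: Dict[str, object] = {}

    t = scripted_transport([503, 503, 200])  # broker still starting, then up
    result["recovers"] = (login_with_retry(t, "u", "p", sleep=no_sleep), len(t.calls))

    t = scripted_transport([401, 200])  # bad credentials: must stop after one call
    try:
        login_with_retry(t, "u", "p", sleep=no_sleep)
    except LoginError:
        result["auth_failure_attempts"] = len(t.calls)

    t = scripted_transport([503] * 5)  # outage outlasts the retry budget
    try:
        login_with_retry(t, "u", "p", sleep=no_sleep)
    except ServiceUnavailable:
        result["exhausted_attempts"] = len(t.calls)
    return result


if __name__ == "__main__":
    print(demo())
```

The two status codes are kept in separate sets on purpose: a client that retries everything that is not 2xx will hammer the login endpoint with the same bad credentials on a 401, which is both useless and the kind of pattern that trips brute-force detection or lockout policies. Only the 503 branch sleeps and loops, and the attempt budget bounds how long a client waits for the back end to come up.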

3 Product Deliverables

3.1 Software Products

The following table shows the software products in this drop.

Type          Product Name                                                 File Name
HELM chart    Common Topology Service HELM 19.2.0-338                      eric-oss-common-topology-svc-19.2.0-338.tgz
Docker image  Common Topology Service Core 19.2.0-338                      eric-oss-cmn-topology-svc-core.tgz
Docker image  JMS Service AMQ 19.2.0-338                                   eric-oss-jms-svc-amq.tgz
Docker image  JMS Service AMQ Certificate Manager 19.2.0-338               eric-oss-jms-svc-amq-cm.tgz
HELM chart    Topology Troubleshooting and Management UI HELM 19.2.0-338   eric-oss-topo-trouble-mngmt-ui-19.2.0-338.tgz
Docker image  Topology Troubleshooting and Management UI 19.2.0-338        eric-oss-topo-trouble-mngmt-ui.tgz

3.2 Related Documents

CTS documentation posted on EriDoc can be accessed via the ADP Marketplace
- Common Topology Service Core Documentation.
Final documents in this drop cover all Feature Maturity Stable
requirements through Drop 2023.8. Documents that are not yet finalized can
be accessed from the Version menu under "In Development".
The following documents are delivered with this drop:
• Common Topology Model Guide
• Common Topology Service API Guide
• Common Topology Service Data Synchronization API Guide *
• Common Topology Service Designer TOSCA Guide
• Common Topology Data Dictionary Guide
• Common Topology Data Dictionary (Compressed file)
• CTS REST API Documentation (Compressed file includes all REST
OpenAPI Specification files - Total 5 files) **
• Topology Troubleshooting and Management User Guide
• Topology Troubleshooting and Management Administration Guide
• Ericsson Adaptive Inventory DataSync Guide
• Ericsson Adaptive Inventory Service Designer Guide

* The Common Topology Service Data Synchronization API Guide has been
updated to reflect the required changes from DEAI-7209 (EAIP-319) (IDUN -
FiveQiSet delete fail with Uniqueness Validation error - Improved Processing
of Create and Delete Actions in DataSync).
** The CTS REST API Documentation (OpenAPI specification files) will be
updated when it becomes available. For more information and a workaround,
see TREAI-8440 in "Open Trouble Reports".

4 Deployment Information
To help support the installation of this drop, a PDF with notes on how to
install CTS (CTS_Installation_Instructions-2023.8.pdf) has been added to the
ARM. It is provided as examples and guidance for this drop only and does not
constitute official documentation.

5 Support
In case of a problem with the product, create a Customer Service Request
(CSR).
To create a CSR:
1. Follow the link and log in to Jira.
2. Click the Create button in the top toolbar. The Create Issue window
opens.
3. In the Project field, select “Ericsson Adaptive Inventory (EAI)”.
4. Complete all required fields and provide any additional information, if
necessary.
5. Click the Create button. The system creates a new CSR.

6 References
[1] Marketplace: https://adp.ericsson.se/marketplace
[2] CSRs: https://jira-oss.seli.wh.rnd.internal.ericsson.com/secure/Dashboard.jspa
