Natalia Zaitseva made 2 changes, September 30, 2024 at 11:32 AM
Link: None -> This issue defines UXPROD-4846
Fix versions: None -> 1.5.7
Natalia Zaitseva updated the link, September 6, 2024 at 12:14 PM
Link: This issue has to be done before EUREKA-335 -> None
Julian Ladisch updated the link, September 5, 2024 at 2:54 PM
Link: None -> This issue implements SECURITY-182
Natalia Zaitseva updated the link, September 5, 2024 at 2:01 PM
Link: None -> This issue has to be done before APPPOCTOOL-31
Taras Spashchenko updated the link, September 2, 2024 at 9:28 AM
Link: None -> This issue has to be done before APPPOCTOOL-30
Taras Spashchenko made 2 changes, September 2, 2024 at 6:53 AM
Status: In Progress -> Closed
Resolution: None -> Done
Taras Spashchenko changed the status, August 29, 2024 at 3:31 PM
Status: In Refinement -> In Progress
Taras Spashchenko made 2 changes, August 29, 2024 at 9:35 AM
Description:
FOLIO software libraries and modules currently disable hostname verification by installing a {{NoopHostnameVerifier}} on their TLS connections, which is a critical security vulnerability. With the host name check skipped, the client accepts any certificate that chains to a trusted CA regardless of which host it was issued for, so an attacker holding a valid certificate for some other host can impersonate the service. The affected libraries and modules neither log that verification was bypassed nor terminate the connection when the host name does not match the certificate, contravening the HTTPS certificate verification requirements of [RFC 9110|https://www.rfc-editor.org/rfc/rfc9110.html#name-https-certificate-verificat].
h4. *Action Required:*
# Replace the use of {{NoopHostnameVerifier}} with a hostname verifier that performs standard HTTPS certificate validation, so that a host name mismatch fails the connection.
# Remove the suppression of the SonarQube warning "Server hostnames should be verified during SSL/TLS connections" and confirm through static code analysis that the rule no longer fires.
# Where hostname verification still has to be disabled, make it an explicit, logged opt-in controlled by the {{jdk.internal.httpclient.disableHostnameVerification}} system property, the same mechanism the JDK {{HttpClient}} uses, rather than hard-coding a {{NoopHostnameVerifier}}.
*HostnameVerifier usage:*
https://github.com/folio-org/applications-poc-tools/blob/master/folio-backend-common/src/main/java/org/folio/common/utils/FeignClientTlsUtils.java#L66
https://github.com/folio-org/applications-poc-tools/blob/master/folio-security/src/main/java/org/folio/security/integration/keycloak/utils/ClientBuildUtils.java#L39
https://github.com/folio-org/applications-poc-tools/blob/master/folio-backend-testing/src/main/java/org/folio/test/extensions/impl/KeycloakContainerExtension.java#L110
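As an added example (not FOLIO code and not taken from the linked files), the pattern the description calls out next to the replacement the three action items ask for, written against Apache HttpClient 5 and SLF4J since {{NoopHostnameVerifier}} is an Apache HttpClient class. The class name {{TlsClientFactory}}, the {{LoggingNoopVerifier}} helper and the Sonar rule id {{java:S5527}} used in the suppression are this example's own assumptions.

```java
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import org.apache.hc.client5.http.impl.classic.CloseableHttpClient;
import org.apache.hc.client5.http.impl.classic.HttpClients;
import org.apache.hc.client5.http.impl.io.PoolingHttpClientConnectionManagerBuilder;
import org.apache.hc.client5.http.ssl.DefaultHostnameVerifier;
import org.apache.hc.client5.http.ssl.NoopHostnameVerifier;
import org.apache.hc.client5.http.ssl.SSLConnectionSocketFactory;
import org.apache.hc.client5.http.ssl.SSLConnectionSocketFactoryBuilder;
import org.apache.hc.core5.ssl.SSLContexts;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/**
 * Added example, not FOLIO project code: the "before" the ticket describes next
 * to an "after" that satisfies its three action items. Names are this example's own.
 */
public final class TlsClientFactory {

  private static final Logger log = LoggerFactory.getLogger(TlsClientFactory.class);

  /** Same property name the JDK's java.net.http.HttpClient honours (ticket item 3). */
  static final String DISABLE_PROP = "jdk.internal.httpclient.disableHostnameVerification";

  private TlsClientFactory() { }

  // BEFORE (ticket item 1): any certificate that chains to a trusted CA is accepted,
  // whatever host name it was issued for, and nothing is logged. The suppression
  // below is the one ticket item 2 says to remove (rule id assumed to be java:S5527).
  @SuppressWarnings("java:S5527")
  static CloseableHttpClient insecureClient(SSLContext sslContext) {
    return build(sslContext, NoopHostnameVerifier.INSTANCE);
  }

  // AFTER: DefaultHostnameVerifier matches the requested host against the
  // certificate's subject alternative names; on mismatch HttpClient throws
  // SSLPeerUnverifiedException and the connection is closed.
  static CloseableHttpClient secureClient(SSLContext sslContext) {
    return build(sslContext, chooseHostnameVerifier());
  }

  /** Verification is on by default; the opt-out is explicit and always logged. */
  static HostnameVerifier chooseHostnameVerifier() {
    if (Boolean.getBoolean(DISABLE_PROP)) {
      log.warn("TLS hostname verification DISABLED via -D{}=true; "
          + "server identity will not be checked", DISABLE_PROP);
      return new LoggingNoopVerifier();
    }
    return new DefaultHostnameVerifier();
  }

  private static CloseableHttpClient build(SSLContext ctx, HostnameVerifier verifier) {
    SSLConnectionSocketFactory sslSocketFactory = SSLConnectionSocketFactoryBuilder.create()
        .setSslContext(ctx)
        .setHostnameVerifier(verifier)
        .build();
    return HttpClients.custom()
        .setConnectionManager(PoolingHttpClientConnectionManagerBuilder.create()
            .setSSLSocketFactory(sslSocketFactory)
            .build())
        .build();
  }

  /** Opt-out verifier that, unlike NoopHostnameVerifier, records every bypass. */
  static final class LoggingNoopVerifier implements HostnameVerifier {
    @Override
    public boolean verify(String hostname, SSLSession session) {
      log.warn("Skipping hostname verification for {} (peer {}:{})",
          hostname, session.getPeerHost(), session.getPeerPort());
      return true;
    }
  }

  public static void main(String[] args) throws Exception {
    // Default JDK trust store: certificate chain validation applies in both variants,
    // only the host name check differs. Run with
    // -Djdk.internal.httpclient.disableHostnameVerification=true to see the warning path.
    SSLContext ctx = SSLContexts.createDefault();
    try (CloseableHttpClient client = secureClient(ctx)) {
      System.out.println("verifier in use: "
          + chooseHostnameVerifier().getClass().getSimpleName());
    }
  }
}
```

The point of routing the opt-out through {{chooseHostnameVerifier}} is that the insecure path can only be reached by a JVM flag an operator set deliberately, it is visible in the logs at startup and on every connection, and a static analyser scanning for {{NoopHostnameVerifier}} no longer finds a hard-coded bypass in production code.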
Labels: back-end eureka-epam eureka-phase6 -> back-end eureka-epam eureka-phase6 hostname-verifier
Automation for Jira changed the status, August 29, 2024 at 9:26 AM
Status: Open -> In Refinement
Taras Spashchenko created the Issue, August 29, 2024 at 9:26 AM
Details
Assignee: Taras Spashchenko
Reporter: Taras Spashchenko
Priority: TBD
Development Team: Eureka