[FOLIO-2923] Drop --no-check-certificate from wget (Man-in-the-middle attack) Created: 17/Dec/20  Updated: 05/Jan/21  Resolved: 22/Dec/20

Status: Closed
Project: FOLIO
Components: Continuous Integration
Affects versions: None
Fix versions: None

Type: Bug Priority: P2
Reporter: Julian Ladisch Assignee: David Crossley
Resolution: Done Votes: 0
Labels: security
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original estimate: Not Specified

Issue links:
Relates
relates to FOLIO-2926 Deprecate JDK 8 jenkins-slave-all image (In Code Review)
Sprint: DevOps: Sprint 104
Development Team: FOLIO DevOps

Description

Overview:
FOLIO is vulnerable to man-in-the-middle attacks because some software is installed using wget --no-check-certificate. This allows attackers to install malware.

Fix:
Don't use --no-check-certificate command line option when running wget.

Install the ca-certificates package that wget needs for the checks:
apt-get install wget automatically installs the ca-certificates package because wget recommends ca-certificates.
apt-get install --no-install-recommends wget doesn't install ca-certificates and should be amended to apt-get install --no-install-recommends ca-certificates wget.

Affected code
= vulnerable, = fixed
https://github.com/folio-org/folio-tools/blob/master/jenkins-slave-docker/Dockerfile.agent-focal-java-11
https://github.com/folio-org/folio-tools/blob/master/jenkins-slave-docker/Dockerfile.focal-java-11
https://github.com/folio-org/folio-tools/blob/master/jenkins-slave-docker/Dockerfile.xenial-java-8
https://github.com/folio-org/stripes-testing/blob/master/Dockerfile
https://github.com/folio-org/ui-testing/blob/master/Dockerfile (fixed because repository has been archived and is no longer in use)
https://github.com/folio-org/docs/blob/master/content/en/docs/Getting%20started/Installation/singleservernocontainers.md
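As an added example, not code from FOLIO or from this issue, the following POSIX shell lint is the kind of check a CI job could run to catch both halves of the fix described above: a wget --no-check-certificate (or the curl -k / --insecure equivalent, which this issue does not mention but which disables verification in the same way), and an apt-get install --no-install-recommends line that pulls in wget without ca-certificates. The three sample files, their names and the download URL in them are constructed for the demonstration; nothing is downloaded.

```shell
#!/bin/sh
# Added example, not FOLIO's own code: a small CI lint that fails a build when
# a Dockerfile or shell script disables TLS certificate verification for
# downloads, or installs wget with --no-install-recommends without also
# installing ca-certificates (leaving wget with nothing to verify against).
# File names, contents and the URL below are constructed for this demo.

# lint_tls_bypass FILE: returns 1 (and prints the offending lines) if FILE
# uses "wget --no-check-certificate" or "curl -k / --insecure", else 0.
lint_tls_bypass() {
    hits=$(grep -nE -- \
        '--no-check-certificate|curl[^|&;]*[[:space:]](-[A-Za-z]*k|--insecure)([[:space:]]|$)' \
        "$1" || true)
    if [ -n "$hits" ]; then
        printf '%s: certificate verification disabled:\n%s\n' "$1" "$hits" >&2
        return 1
    fi
    return 0
}

# lint_ca_certificates FILE: returns 1 if an "apt-get install
# --no-install-recommends" line installs wget but not ca-certificates.
lint_ca_certificates() {
    hits=$(grep -nE \
        'apt-get[[:space:]]+install[^|&;]*--no-install-recommends[^|&;]*[[:space:]]wget([[:space:]]|$)' \
        "$1" | grep -v 'ca-certificates' || true)
    if [ -n "$hits" ]; then
        printf '%s: wget installed without ca-certificates:\n%s\n' "$1" "$hits" >&2
        return 1
    fi
    return 0
}

# lint_file FILE: runs both checks; returns 1 if either of them fails.
lint_file() {
    rc=0
    lint_tls_bypass "$1" || rc=1
    lint_ca_certificates "$1" || rc=1
    return $rc
}

# count_failing DIR: prints how many Dockerfile* and *.sh files directly
# under DIR fail lint_file (the number a CI job would gate on).
count_failing() {
    n=0
    for f in "$1"/Dockerfile* "$1"/*.sh; do
        [ -f "$f" ] || continue
        lint_file "$f" || n=$((n + 1))
    done
    echo "$n"
}

# make_samples: writes three constructed files into a temp dir, prints its path.
make_samples() {
    dir=$(mktemp -d)
    # "Before": wget told to ignore certificate errors, and no ca-certificates.
    cat > "$dir/Dockerfile.vulnerable" <<'EOF'
FROM ubuntu:20.04
RUN apt-get update && apt-get install -y --no-install-recommends wget \
 && wget --no-check-certificate -O /tmp/tool.tgz https://downloads.example/tool.tgz
EOF
    # "After": ca-certificates installed alongside wget, flag dropped.
    cat > "$dir/Dockerfile.fixed" <<'EOF'
FROM ubuntu:20.04
RUN apt-get update && apt-get install -y --no-install-recommends ca-certificates wget \
 && wget -O /tmp/tool.tgz https://downloads.example/tool.tgz
EOF
    # A helper script using the curl equivalent of the bypass (-k in a bundle).
    cat > "$dir/fetch.sh" <<'EOF'
#!/bin/sh
curl -fsSLk -o /tmp/tool.tgz https://downloads.example/tool.tgz
EOF
    echo "$dir"
}

SAMPLES=$(make_samples)
FAILED=$(count_failing "$SAMPLES")
echo "files that would fail the lint: $FAILED"
```

Run against the samples, Dockerfile.vulnerable fails both checks, fetch.sh fails the bypass check, and Dockerfile.fixed passes, so the count printed is 2. The regexes only look at single lines, so a RUN instruction split with backslashes must keep "apt-get install ... wget" on one line for the ca-certificates check to see it; a real CI lint would join continuation lines first.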



Comments
Comment by Julian Ladisch [ 17/Dec/20 ]

3 fixes: https://github.com/folio-org/folio-tools/pull/134

Comment by Julian Ladisch [ 17/Dec/20 ]

Two more fixes:
https://github.com/folio-org/stripes-testing/pull/86
https://github.com/folio-org/docs/pull/2

Comment by David Crossley [ 18/Dec/20 ]

Regarding folio-tools:

I merged Julian's PR, then built and deployed the new jenkins-slave-all docker build images.

java-11 is tagged as 2.5.0
java-8 is tagged as 1.3.0

Tested each via FOLIO CI.

Comment by David Crossley [ 22/Dec/20 ]

Regarding folio-tools:

The java-11 (tagged as 2.3.0) is okay.

The java-8 (tagged as 1.3.0) was tested with a backend module that has not yet moved to Java 11. That build was okay.

However it was later discovered that there is one old environment build that still uses this image. This build failed.

Inspection shows that "ansible" was not properly constructed in the build of the jenkins-slave-all image.

So jenkins-slave-all:latest has been restored to the previous version (1.2.2).

Comment by Jakub Skoczen [ 22/Dec/20 ]

Done for JDK 11 img, won't do for JDK 8 as that image is deprecated. See FOLIO-2926 (In Code Review).

Comment by David Crossley [ 05/Jan/21 ]

Julian Ladisch: The java8 one was deliberately marked with a cross because that docker image could no longer be built, even as-is prior to your changes. See notes in previous issue comments.

So we are deprecating it as soon as possible. See FOLIO-2926 (In Code Review).

Generated at Thu Feb 08 23:24:15 UTC 2024 using Jira 1001.0.0-SNAPSHOT#100246-sha1:7a5c50119eb0633d306e14180817ddef5e80c75d.