[FOLIO-3131] Use https for maven.k-int.com Created: 23/Apr/21  Updated: 14/May/21  Resolved: 14/May/21

Status: Closed
Project: FOLIO
Components: None
Affects versions: None
Fix versions: None

Type: Bug Priority: TBD
Reporter: Julian Ladisch Assignee: Unassigned
Resolution: Done Votes: 0
Labels: security
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original estimate: Not Specified

Issue links:
Blocks
is blocked by FOLIO-3132 Install intermediate SSL certificate ... Closed
Relates
relates to FOLIO-3106 Update Index Data maven repo url Closed
Sprint:
Development Team: Bienenvolk

Description

Task:

Replace http with https for maven.k-int.com, fixing the MitM vulnerability.

Steps to Reproduce:

https://github.com/folio-org/mod-agreements/blob/v4.0.1/service/build.gradle#L32
https://github.com/folio-org/mod-service-interaction/blob/8e75dd35b3c064c4d0e161c859d28417fc77ce17/service/build.gradle#L50
https://github.com/folio-org/mod-service-interaction/blob/8e75dd35b3c064c4d0e161c859d28417fc77ce17/service/build.gradle#L54
https://github.com/folio-org/mod-licenses/blob/v3.1.0/service/build.gradle#L32

contain this entry:

repositories {
  ...
  maven { url "http://maven.k-int.com/content/repositories/releases" }
}

Unencrypted http is used.

This allows an attacker to run a Machine-in-the-Middle (MitM) attack that replaces the downloaded artifacts with malware.

Such attacks against unencrypted maven repositories have been well known since 2019:
https://github.com/github/securitylab/issues/21

For this reason Maven has disabled unencrypted http by default since 2021 (Maven 3.8.1, CVE-2021-26291):
https://maven.apache.org/docs/3.8.1/release-notes.html#cve-2021-26291
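As an added example (not part of this issue or of the FOLIO repositories), a small Python check that flags maven repositories declared over plain http in a build.gradle file and rewrites them to https. The sample build script is constructed; only the k-int releases URL comes from the issue, the other URLs are placeholders.

```python
import re

# Heuristic text scan for Gradle repository declarations such as
#   maven { url "http://maven.k-int.com/content/repositories/releases" }
#   maven { url = uri("http://example.invalid/repo") }
# It is a regex over the script text, not a real Gradle parser.
REPO_URL_RE = re.compile(
    r"""maven\s*\{[^}]*?url\s*(?:=\s*)?(?:uri\()?\s*["'](?P<url>[^"']+)["']"""
)

# Constructed sample build.gradle; line 4 reproduces the entry from the issue.
SAMPLE_BUILD_GRADLE = """\
repositories {
  mavenCentral()
  maven { url "https://example.invalid/maven-public/" }
  maven { url "http://maven.k-int.com/content/repositories/releases" }
  maven { url 'http://example.invalid/snapshots' }
}
"""


def find_insecure_repos(build_gradle_text):
    """Return (line_number, url) for every maven repository fetched over plain http."""
    findings = []
    for m in REPO_URL_RE.finditer(build_gradle_text):
        url = m.group("url")
        if url.lower().startswith("http://"):
            line_no = build_gradle_text.count("\n", 0, m.start("url")) + 1
            findings.append((line_no, url))
    return findings


def upgrade_to_https(build_gradle_text):
    """Rewrite http:// repository URLs to https://, leaving everything else untouched."""
    def fix(m):
        url = m.group("url")
        if not url.lower().startswith("http://"):
            return m.group(0)
        return m.group(0).replace(url, "https://" + url[len("http://"):], 1)
    return REPO_URL_RE.sub(fix, build_gradle_text)


if __name__ == "__main__":
    for line_no, url in find_insecure_repos(SAMPLE_BUILD_GRADLE):
        print(f"line {line_no}: insecure repository {url}")
    print(upgrade_to_https(SAMPLE_BUILD_GRADLE))
```

Run it against each module's service/build.gradle before a release; an empty result means no repository is still reached over plain http.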

Comments
Comment by Julian Ladisch [ 23/Apr/21 ]

This is blocked by FOLIO-3132 Closed "Install intermediate SSL certificate on maven.k-int.com".

Comment by Julian Ladisch [ 06/May/21 ]

The fix for mod-licenses has been merged, thanks! https://github.com/folio-org/mod-licenses/pull/165

The fixes for the two other repositories are in code review:

Comment by Julian Ladisch [ 14/May/21 ]

Thanks!
