FOLIO / FOLIO-2923

Drop --no-check-certificate from wget (Man-in-the-middle attack)


Details

    • Standard Bug Write-Up Format
    • DevOps: Sprint 104
    • FOLIO DevOps

    Description

      Overview:
      FOLIO is vulnerable to man-in-the-middle attacks because some software is installed using wget --no-check-certificate, which disables TLS certificate verification. An attacker who can intercept the download can therefore substitute malware for the intended file.

      Fix:
      Don't use --no-check-certificate command line option when running wget.

      Install the ca-certificates package that wget needs to verify server certificates:
      apt-get install wget automatically installs the ca-certificates package because wget recommends ca-certificates.
      apt-get install --no-install-recommends wget doesn't install ca-certificates and should be amended to apt-get install --no-install-recommends ca-certificates wget.

      Affected code
      = vulnerable, = fixed
      https://github.com/folio-org/folio-tools/blob/master/jenkins-slave-docker/Dockerfile.agent-focal-java-11
      https://github.com/folio-org/folio-tools/blob/master/jenkins-slave-docker/Dockerfile.focal-java-11
      https://github.com/folio-org/folio-tools/blob/master/jenkins-slave-docker/Dockerfile.xenial-java-8
      https://github.com/folio-org/stripes-testing/blob/master/Dockerfile
      https://github.com/folio-org/ui-testing/blob/master/Dockerfile (fixed: the repository has been archived and is no longer in use)
      https://github.com/folio-org/docs/blob/master/content/en/docs/Getting%20started/Installation/singleservernocontainers.md
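
      As an added check (not part of this issue or of the folio-org repositories), the POSIX shell script below audits a Dockerfile for both defects described above: wget invoked with --no-check-certificate, and wget installed with --no-install-recommends but without ca-certificates. The two Dockerfiles it inspects are constructed samples written to a temporary directory, and https://example.invalid is a placeholder URL.

```shell
#!/bin/sh
# Added example, not code from the FOLIO issue or the folio-org repositories:
# audit Dockerfiles (or shell scripts) for the two defects the issue describes.

# Join backslash-continued lines so a multi-line RUN is inspected as one command.
join_continuations() {
    awk '{ if (sub(/\\[ \t]*$/, "")) buf = buf $0 " "; else { print buf $0; buf = "" } }
         END { if (buf != "") print buf }' "$1"
}

# Print one finding per line for the file given as $1 (nothing printed = clean).
audit_wget_tls() {
    join_continuations "$1" | awk '
        # 1. wget run with certificate verification disabled
        /wget/ && /--no-check-certificate/ { print "INSECURE-TLS: " $0 }
        # 2. wget installed with --no-install-recommends but without ca-certificates,
        #    so the CA bundle that verification depends on never gets installed
        /apt-get/ && /install/ && /--no-install-recommends/ &&
        /(^|[ \t])wget([ \t]|$)/ && !/(^|[ \t])ca-certificates([ \t]|$)/ {
            print "MISSING-CA-BUNDLE: " $0
        }'
}

# Number of findings in the file given as $1.
count_findings() {
    audit_wget_tls "$1" | wc -l | tr -d ' '
}

# Constructed sample Dockerfiles (not from any FOLIO repository); the URL is a placeholder.
WORKDIR=$(mktemp -d)
cat > "$WORKDIR/Dockerfile.vuln" <<'EOF'
FROM ubuntu:20.04
RUN apt-get update && apt-get install -y --no-install-recommends \
      wget \
      unzip
RUN wget --no-check-certificate -O /tmp/tool.tgz https://example.invalid/tool.tgz
EOF
cat > "$WORKDIR/Dockerfile.fixed" <<'EOF'
FROM ubuntu:20.04
RUN apt-get update && apt-get install -y --no-install-recommends \
      ca-certificates wget unzip
RUN wget -O /tmp/tool.tgz https://example.invalid/tool.tgz
EOF

for f in "$WORKDIR"/Dockerfile.*; do
    echo "== $f: $(count_findings "$f") finding(s)"
    audit_wget_tls "$f"
done
```

      Run it over every Dockerfile in a checkout (for example with find) to confirm that none of the repositories listed above still carries either pattern.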

People

    dcrossley David Crossley
    julianladisch Julian Ladisch