
Drop --no-check-certificate from wget (Man-in-the-middle attack)


    Details

    • Template:
      Standard Bug Write-Up Format
    • Sprint:
      DevOps: Sprint 104
    • Development Team:
      FOLIO DevOps

      Description

      Overview:
      FOLIO is vulnerable to man-in-the-middle attacks because some software is downloaded and installed using wget --no-check-certificate, which disables TLS certificate verification. This allows attackers to install malware.

      Fix:
      Don't use --no-check-certificate command line option when running wget.

      Install the ca-certificates package that wget needs for the certificate checks:
      apt-get install wget automatically installs the ca-certificates package, because wget declares ca-certificates as a recommended package.
      apt-get install --no-install-recommends wget does not install ca-certificates and should be amended to apt-get install --no-install-recommends ca-certificates wget.
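      The following lint is an added example, not code from this issue or from the folio-org repositories. It checks a Dockerfile for the two defects described above (wget run with --no-check-certificate, and wget installed with --no-install-recommends but without ca-certificates) and runs it over a constructed vulnerable Dockerfile and its corrected counterpart; the download host example.invalid is a placeholder.

```shell
#!/bin/sh
# Added example (not from the FOLIO issue or folio-org). lint_dockerfile flags:
#   1. wget invoked with --no-check-certificate (TLS verification disabled)
#   2. wget installed via apt-get --no-install-recommends without ca-certificates
# It prints one finding per line and returns 1 if anything was flagged, else 0.
lint_dockerfile() {
    file="$1"
    status=0
    # Join backslash-continued lines and drop comment lines so a multi-line
    # RUN instruction is inspected as a single command string.
    joined=$(sed -e :a -e '/\\$/N; s/\\\n//; ta' "$file" | grep -v '^[[:space:]]*#')

    if printf '%s\n' "$joined" | grep -q -e '--no-check-certificate'; then
        echo "$file: wget --no-check-certificate disables TLS verification"
        status=1
    fi

    # Extract each "apt-get ... --no-install-recommends ... wget" command
    # (bounded by && / || / ;) and flag it if ca-certificates is not in it.
    if printf '%s\n' "$joined" \
        | grep -o -E 'apt-get[^&|;]*--no-install-recommends[^&|;]*[[:space:]]wget([[:space:]]|$)' \
        | grep -v -q 'ca-certificates'; then
        echo "$file: wget installed with --no-install-recommends but without ca-certificates"
        status=1
    fi
    return $status
}

# Constructed sample Dockerfiles (example.invalid is a placeholder host).
WORKDIR=$(mktemp -d)
VULN_DOCKERFILE="$WORKDIR/Dockerfile.vulnerable"
FIXED_DOCKERFILE="$WORKDIR/Dockerfile.fixed"
cat > "$VULN_DOCKERFILE" <<'EOF'
FROM ubuntu:20.04
RUN apt-get update && apt-get install -y --no-install-recommends wget \
    && wget --no-check-certificate https://example.invalid/tool.tar.gz
EOF
cat > "$FIXED_DOCKERFILE" <<'EOF'
FROM ubuntu:20.04
# ca-certificates is required for wget to verify the server certificate
RUN apt-get update && apt-get install -y --no-install-recommends ca-certificates wget \
    && wget https://example.invalid/tool.tar.gz
EOF

lint_dockerfile "$VULN_DOCKERFILE" || echo "vulnerable Dockerfile flagged"
lint_dockerfile "$FIXED_DOCKERFILE" && echo "fixed Dockerfile is clean"
```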

      Affected code
      = vulnerable, = fixed
      https://github.com/folio-org/folio-tools/blob/master/jenkins-slave-docker/Dockerfile.agent-focal-java-11
      https://github.com/folio-org/folio-tools/blob/master/jenkins-slave-docker/Dockerfile.focal-java-11
      https://github.com/folio-org/folio-tools/blob/master/jenkins-slave-docker/Dockerfile.xenial-java-8
      https://github.com/folio-org/stripes-testing/blob/master/Dockerfile
      https://github.com/folio-org/ui-testing/blob/master/Dockerfile (fixed because repository has been archived and is no longer in use)
      https://github.com/folio-org/docs/blob/master/content/en/docs/Getting%20started/Installation/singleservernocontainers.md

                People

                Assignee:
                dcrossley David Crossley
                Reporter:
                julianladisch Julian Ladisch
