
Use https for maven.k-int.com


Details

    • Type: Bug
    • Status: Closed
    • Priority: TBD
    • Resolution: Done
    • Component/s: None
    • Template: Standard Bug Write-Up Format
    • Development Team: Bienenvolk

Description

Task:

Replace http by https for maven.k-int.com, fixing the MitM vulnerability.

Steps to Reproduce:

https://github.com/folio-org/mod-agreements/blob/v4.0.1/service/build.gradle#L32
https://github.com/folio-org/mod-service-interaction/blob/8e75dd35b3c064c4d0e161c859d28417fc77ce17/service/build.gradle#L50
https://github.com/folio-org/mod-service-interaction/blob/8e75dd35b3c064c4d0e161c859d28417fc77ce17/service/build.gradle#L54
https://github.com/folio-org/mod-licenses/blob/v3.1.0/service/build.gradle#L32

These build.gradle files contain this entry:

    repositories {
      ...
      maven { url "http://maven.k-int.com/content/repositories/releases" }
    }

Unencrypted http is used.

This allows an attacker to run a Machine-in-the-Middle (MitM) attack that replaces the content with malware.

Such attacks against unencrypted Maven repositories have been well known since 2019:
https://github.com/github/securitylab/issues/21

For this reason Maven has disabled unencrypted http by default since 2021:
https://maven.apache.org/docs/3.8.1/release-notes.html#cve-2021-26291
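One way to catch this class of misconfiguration before it reaches a build, as an added example that is not part of this issue or of the FOLIO modules: a small Python check that scans build.gradle text for repository URLs fetched over plain http and, once the repository is confirmed to serve https, rewrites them. The sample repositories block below is constructed; only the maven.k-int.com entry mirrors the one quoted in the issue.

```python
import re

# Constructed sample, not taken from the FOLIO repositories: it mirrors the
# repositories block quoted in the issue plus constructed placeholder hosts.
SAMPLE_BUILD_GRADLE = """\
repositories {
    mavenCentral()
    maven { url "http://maven.k-int.com/content/repositories/releases" }
    maven { url 'http://repo.example.invalid/snapshots' }
    maven { url "https://repo.example.invalid/releases" }
}
"""

# Matches the quoted-string forms of a Gradle repository URL:
#   url "..."   url '...'   url = "..."
# (the uri("...") form is not covered by this check).
URL_RE = re.compile(r"""(?P<prefix>url\s*=?\s*)(?P<q>['"])(?P<url>[^'"]+)(?P=q)""")


def find_insecure_repos(gradle_text):
    """Return (line_number, url) for every repository URL fetched over plain http."""
    hits = []
    for lineno, line in enumerate(gradle_text.splitlines(), start=1):
        for m in URL_RE.finditer(line):
            if m.group("url").lower().startswith("http://"):
                hits.append((lineno, m.group("url")))
    return hits


def upgrade_to_https(gradle_text):
    """Rewrite http:// repository URLs to https://. Returns (new_text, count).

    Only do this after confirming the repository actually serves https;
    otherwise the build will simply fail to resolve the dependency."""
    count = 0

    def repl(m):
        nonlocal count
        url = m.group("url")
        if url.lower().startswith("http://"):
            count += 1
            url = "https://" + url[len("http://"):]
        return m.group("prefix") + m.group("q") + url + m.group("q")

    return URL_RE.sub(repl, gradle_text), count


if __name__ == "__main__":
    for lineno, url in find_insecure_repos(SAMPLE_BUILD_GRADLE):
        print(f"line {lineno}: insecure repository {url}")
```

Running the scanner over every build.gradle in a CI job turns the manual grep behind this ticket into a failing check; since Gradle 7 the build itself also refuses http repositories unless `allowInsecureProtocol` is set, so such a hit should be treated as a finding rather than silenced with that flag.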

People

    • Assignee: Unassigned
    • Reporter: julianladisch Julian Ladisch