bcgov / digital-journeys

PSA Forms System
https://bcgov.github.io/digital-journeys/
Apache License 2.0

Critical Patch: For Platform #1461

Closed MeghanStothers closed 10 months ago

MeghanStothers commented 11 months ago

A critical vulnerability will need to be patched by us (developers).

1) When reviewing the Red Hat security dashboard today, PSA noted that project d89793 (Digital Journeys) has vulnerabilities tagged as critical across multiple environments. The vulnerability is named Rapid Reset: Denial of Service Vulnerability in HTTP/2 Protocol.

This seems to affect all images in the project (x9 occurrences per namespace), and from what I can see it's covered in the existing Snyk PRs, so we'll need to implement those ASAP.

2) This will also include the Patroni instance in OpenShift, which may not be in the repo / Snyk PRs, so we'll need to make sure everything gets an update (in dev, test and prod).

A/C for step #1:
( ) patch in dev to test to prod
( ) deploy
( ) DJ team to test
( ) Advise PSA security team when this is done

MeghanStothers commented 11 months ago

Are you able to do this patch today, somewhere before 2 p.m. today? If not, I'll ask @iman-jamali-fw to jump in to take care of step #1 (see above).

warrenchristian1telus commented 11 months ago

@iman-jamali-fw Could you implement the Snyk updates (PRs) in dev and make sure everything still works? That should give us a good idea if we will have any outstanding upgrades that will need to be done separately (Patroni, etc.).

iman-jamali-fw commented 11 months ago

@warrenchristian1telus Sure, I'll do that.

iman-jamali-fw commented 11 months ago

@warrenchristian1telus @MeghanStothers I patched the Snyk PRs for Website and Camunda. A few of the Camunda patches involve major changes to the code base and other dependencies, so I reverted them, but most went through. Some of the Camunda patches that required major changes (like upgrading the Camunda version) are already available in the upgraded app v5.1.

My initial tests on DEV show the patches are working fine.

There are a few more Snyk PRs for the formio component that I'll work on tomorrow.

warrenchristian1telus commented 11 months ago

Thanks @iman-jamali-fw - ACS dashboard is down now, so will need to review for outstanding issues once it's back online.

iman-jamali-fw commented 11 months ago

@warrenchristian1telus Formio Snyk patches were implemented and deployed to DEV. Please note that there are a few old Snyk PRs from 9 months to 1 year old. Most should be included in the recent patches, but if you still see reported issues, let me know and I'll implement them too.

MeghanStothers commented 11 months ago

Team met with PSA security to advise - awaiting an update about the issue as well as any next steps the DJ team will need to take. This issue is affecting all PSA product teams.

MeghanStothers commented 10 months ago

@Warren - is there an update you have on this one? Thanks

warrenchristian1telus commented 10 months ago

@MeghanStothers - I think we're good here. There are vulnerabilities listed, but recommendation from BC DevExchange is not to be concerned about it, as the exposure in the particular components is low, although the overall violation is listed as critical. I think we can close this and migrate patches to production:

"Based on the components this vulnerability is manifested in, RHACS indicates that they are of Low severity, even though the overall violation is named as Critical. I would not be as concerned moving forward with your updated image that runs on debian12 for the forms-flow-web."

https://acs.developer.gov.bc.ca/main/vulnerabilities/workload-cves/cves/CVE-2023-44487?entityTab=Image&sortOption[field]=Image&sortOption[direction]=desc

MeghanStothers commented 10 months ago

@Stella-Archer over to PO to review and close this one.

Thanks, Warren.

Stella-Archer commented 10 months ago

Thanks all - Taking BC DevExchange's recommendation and closing this one