ITVR - Security Scan Report Review (Penetration Testing)

[kcabhar]

Problem Description In order to (achieve some goal), (a system or persona) needs to (some action).

Solution Needs

• Enter the non-negotiables of the solution (what are the needs vs. what are the wants)

Timebox

• How much effort are we committing to this research?

Outcome Details describing the outcome of the research

• Was it successful? What direction should the work go?
• Was it unsuccessful? Discuss next steps with team

Additional Context

• enter text here
• enter text here

[kuanfandevops]

Eliminated the frontend critical Vulnerability Rapid Reset: Denial of Service Vulnerability in HTTP/2 Protocol by replacing base image Node 16 with Node 20 It also resolved the following Fixable Severity at least Important:

• Fixable CVE-2021-22946 (CVSS 7.5) (severity Important) found in component 'curl' (version 7.74.0-1.3+deb11u1) in container 'frontend', resolved by version 7.74.0-1.3+deb11u2
• Fixable CVE-2021-3999 (CVSS 7.8) (severity Important) found in component 'glibc' (version 2.31-13+deb11u3) in container 'frontend', resolved by version 2.31-13+deb11u4
• Fixable CVE-2021-46828 (CVSS 7.5) (severity Important) found in component 'libtirpc' (version 1.3.1-1) in container 'frontend', resolved by version 1.3.1-1+deb11u1
• Fixable CVE-2021-46848 (CVSS 9.1) (severity Critical) found in component 'libtasn1-6' (version 4.16.0-2) in container 'frontend', resolved by version 4.16.0-2+deb11u1
• Fixable CVE-2022-1586 (CVSS 9.1) (severity Critical) found in component 'pcre2' (version 10.36-2) in container 'frontend', resolved by version 10.36-2+deb11u1
• Fixable CVE-2022-1587 (CVSS 9.1) (severity Critical) found in component 'pcre2' (version 10.36-2) in container 'frontend', resolved by version 10.36-2+deb11u1
• Fixable CVE-2022-22576 (CVSS 8.1) (severity Important) found in component 'curl' (version 7.74.0-1.3+deb11u1) in container 'frontend', resolved by version 7.74.0-1.3+deb11u2
• Fixable CVE-2022-2509 (CVSS 7.5) (severity Important) found in component 'gnutls28' (version 3.7.1-5+deb11u1) in container 'frontend', resolved by version 3.7.1-5+deb11u2
• Fixable CVE-2022-27781 (CVSS 7.5) (severity Important) found in component 'curl' (version 7.74.0-1.3+deb11u1) in container 'frontend', resolved by version 7.74.0-1.3+deb11u2
• Fixable CVE-2022-27782 (CVSS 7.5) (severity Important) found in component 'curl' (version 7.74.0-1.3+deb11u1) in container 'frontend', resolved by version 7.74.0-1.3+deb11u2
• Fixable CVE-2022-29458 (CVSS 7.1) (severity Important) found in component 'ncurses' (version 6.2+20201114-2) in container 'frontend', resolved by version 6.2+20201114-2+deb11u1
• Fixable CVE-2022-32221 (CVSS 9.8) (severity Critical) found in component 'curl' (version 7.74.0-1.3+deb11u1) in container 'frontend', resolved by version 7.74.0-1.3+deb11u5
• Fixable CVE-2022-37434 (CVSS 9.8) (severity Critical) found in component 'zlib' (version 1:1.2.11.dfsg-2+deb11u1) in container 'frontend', resolved by version 1:1.2.11.dfsg-2+deb11u2
• Fixable CVE-2022-42898 (CVSS 8.8) (severity Important) found in component 'krb5' (version 1.18.3-6+deb11u1) in container 'frontend', resolved by version 1.18.3-6+deb11u3
• Fixable CVE-2022-4450 (CVSS 7.5) (severity Important) found in component 'openssl' (version 1.1.1n-0+deb11u3) in container 'frontend', resolved by version 1.1.1n-0+deb11u4
• Fixable CVE-2023-0215 (CVSS 7.5) (severity Important) found in component 'openssl' (version 1.1.1n-0+deb11u3) in container 'frontend', resolved by version 1.1.1n-0+deb11u4
• Fixable CVE-2023-0286 (CVSS 7.4) (severity Important) found in component 'openssl' (version 1.1.1n-0+deb11u3) in container 'frontend', resolved by version 1.1.1n-0+deb11u4
• Fixable CVE-2023-0361 (CVSS 7.4) (severity Important) found in component 'gnutls28' (version 3.7.1-5+deb11u1) in container 'frontend', resolved by version 3.7.1-5+deb11u3
• Fixable CVE-2023-0464 (CVSS 7.5) (severity Important) found in component 'openssl' (version 1.1.1n-0+deb11u3) in container 'frontend', resolved by version 1.1.1n-0+deb11u5
• Fixable CVE-2023-27533 (CVSS 8.8) (severity Important) found in component 'curl' (version 7.74.0-1.3+deb11u1) in container 'frontend', resolved by version 7.74.0-1.3+deb11u8
• Fixable CVE-2023-27534 (CVSS 8.8) (severity Important) found in component 'curl' (version 7.74.0-1.3+deb11u1) in container 'frontend', resolved by version 7.74.0-1.3+deb11u8
• Fixable CVE-2023-29491 (CVSS 7.8) (severity Important) found in component 'ncurses' (version 6.2+20201114-2) in container 'frontend', resolved by version 6.2+20201114-2+deb11u2

[kuanfandevops]

The critical policy violation: Rapid Reset: Denial of Service Vulnerability in HTTP/2 Protocol This violation appears on both backend and taskq deployment. The bases image has been updated to the latest ubi9/python-311 tag 1-41. According to the image https://catalog.redhat.com/software/containers/ubi9/python-311/63f764b03f0b02a2e2d63fff?architecture=amd64&image=657169cb02ee638f42e72f43&container-tabs=security, this image does not have any unapplied Critical or Important security updates, but it didn;t resolve the issue. This image is the latest and the most reloable base image for Openshift we can find. We will need to wait for RedHat to release a newer version.

[kuanfandevops]

Added the ZAP Scan step to our pipeline, it scans public available URLs on ITVR Dev for each build. A sample of scan report for frontend dev url is attached. zap_scan.zip

[kuanfandevops]

A Zap Baseline scan step has been added to dev build pipeline. The baseline scan report is created automatically for each build on Dev.

[kuanfandevops]

A Zap Full scan pipeline has been created. It can do the full scan for both dev and test upon approval.

[kuanfandevops]

Plan to use the object storage to replace Minio. Then Minio can be removed and the related vulnerabilities will disappear.

[kuanfandevops]

Tried to use the latest ClamAV image, but it didn't eliminate the violation "Rapid Reset: Denial of Service Vulnerability in HTTP/2 Protocol". Will need to wait ClamAV to upgrade their image.

[kuanfandevops]

Developers started to merge the pull requests auomatically created by GitHub Bot.

[ArawuSamuel1]

Hi @kuanfandevops is this ticket in flight? as it has been in about 8 sprints since Jan 11, 2024

If it's on flight, @shayjeff how do we account for the story points in our velocity?

[shayjeff]

@ArawuSamuel1 - this is an ongoing card that Kuan works on. We don't usually count it towards our velocity unless Kuan specifies that the dev's need to do some work on it. If that is the case we will estimate the card based on what the dev's need to work on.

[ArawuSamuel1]

Great, thanks for letting me know.

Best Regards, Samuel Arawu, PMP, PSM, ICP-ACC, SPC 6.0, PSPO, ITIL Snr. Scrum Master, Natural Resource Information & Digital Services Division, Ministry of Land, Water and Resource Stewardship.

---

From: shayjeff @.> Sent: Wednesday, June 5, 2024 1:23 PM To: bcgov/itvr @.> Cc: Arawu, Samuel WLRS:EX @.>; Mention @.> Subject: Re: [bcgov/itvr] ITVR - Security Scan Report Review (Penetration Testing) (Issue #621)

You don't often get email from @.*** Learn why this is importanthttps://aka.ms/LearnAboutSenderIdentification

[EXTERNAL] This email came from an external source. Only open attachments or links that you are expecting from a known sender.

@ArawuSamuel1https://github.com/ArawuSamuel1 - this is an ongoing card that Kuan works on. We don't usually count it towards our velocity unless Kuan specifies that the dev's need to do some work on it. If that is the case we will estimate the card based on what the dev's need to work on.

— Reply to this email directly, view it on GitHubhttps://github.com/bcgov/itvr/issues/621#issuecomment-2150902270, or unsubscribehttps://github.com/notifications/unsubscribe-auth/ASACEJZBMGKACDY4DSQLWILZF5XUHAVCNFSM6AAAAABBW7F3LSVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDCNJQHEYDEMRXGA. You are receiving this because you were mentioned.Message ID: @.***>