Open jessicahjwu opened 4 months ago
As far as I can tell, these are all about 2 years old, and have previously been reviewed by ourselves and Igor at IMDT. I believe most of the issues were deemed either not vulnerable in our use case, and/or not fixable without major system upgrades. For example, MySQL 5.7, which reached end of support in October 2023.
These systems are not directly internet accessible, which greatly reduces risk, but we still do plan to address these issues along with our planned upgrade to Nginx, PHP-FPM, MariaDB and Redis. This is also intended to increase reliability by increasing all user-accessible services to 3x pods to better withstand cluster upgrades/outages and improve release and upgrade deployments.
We are currently in the process of completing and testing these changes on the Learning project (Moodle) and plan to roll out to Performance and PECSF shortly after. Deployments are expected to begin sometime in the fall.
We could likely combine this issue and #1283 into a larger issue / epic to address these upgrades over the next few months.
Received an email from Joshua Quiring (Sr. Security Administrator in PSA) regarding vulnerabilities in our application. See link for details: https://bcgov.sharepoint.com/:x:/r/teams/02915/Shared%20Documents/General/RHACS_Vulnerability_Report_PSA%20Security%20PDP_17_June_2024.csv?d=w38918a1f9e30410d8fb5f3dceed9930a&csf=1&web=1&e=oVeKIo