Resolve penetration test vulnerabilities

[hortongn]

Descriptive summary

We've received a report from Infosec for a security scan run against scholar-qa.uc.edu and scholar.uc.edu

We need to resolve the vulnerabilities and report back to Infosec. Changes to the server environments should be added to the Puppet scripts when applicable. Scholar code changes are probably not needed.

The specific vulnerabilities are not listed here for obvious reasons.

[hortongn]

Made changes on scholar-qa that should resolve most if not all of the real vulnerabilities. However, it's possible that SSL settings for Scholar on BigIP may also need to be tweaked.

Sent email to Info Sec on 6/1 asking them to re-scan scholar-qa to see what's resolved.

[hortongn]

Info Sec re-scanned and says that we only have one vulnerability remaining (TLS 1.0 enabled). That appears to be a BigIP thing. I've asked Andy to look into it.

[hortongn]

Resolved by updated package version httpd-2.4.6-67

• Apache HTTPD: mod_ssl Null Pointer Dereference (CVE-2017-3169) https://access.redhat.com/errata/RHSA-2017:2479
• Apache HTTPD: mod_mime Buffer Overread (CVE-2017-7679) https://access.redhat.com/errata/RHSA-2017:2479
• Apache HTTPD: ap_get_basic_auth_pw() Authentication Bypass (CVE-2017-3167) https://access.redhat.com/errata/RHSA-2017:2479
• Apache HTTPD: Uninitialized memory reflection in mod_auth_digest (CVE-2017-9788) https://access.redhat.com/errata/RHSA-2017:2479

Resolved by updated package version httpd-2.4.6-18

• Apache HTTPD: mod_status buffer overflow (CVE-2014-0226) https://access.redhat.com/errata/RHSA-2014:0921
• Apache HTTPD: mod_cgid denial of service (CVE-2014-0231) https://access.redhat.com/errata/RHSA-2014:0921
• Apache HTTPD: mod_proxy denial of service (CVE-2014-0117) https://access.redhat.com/errata/RHSA-2014:0921
• Apache HTTPD: mod_cache crash (CVE-2013-4352) https://access.redhat.com/errata/RHSA-2014:0921
• Apache HTTPD: mod_deflate denial of service (CVE-2014-0118) https://access.redhat.com/errata/RHSA-2014:0921

Resolved by updated package version httpd-2.4.6-31

• Apache HTTPD: HTTP Trailers processing bypass (CVE-2013-5704) https://access.redhat.com/errata/RHSA-2015:0325
• Apache HTTPD: HTTP request smuggling attack against chunked request parser (CVE-2015-3183) https://access.redhat.com/errata/RHSA-2015:1667
• Apache HTTPD: mod_cache crash with empty Content-Type header (CVE-2014-3581) https://access.redhat.com/errata/RHSA-2015:0325
• Apache HTTPD: ap_some_auth_required API unusable (CVE-2015-3185) https://access.redhat.com/errata/RHSA-2015:1667

Resolved by updated package version httpd-2.4.6-45

• Apache HTTPD: Padding Oracle in Apache mod_session_crypto (CVE-2016-0736) https://access.redhat.com/errata/RHSA-2017:0906
• Apache HTTPD: Apache HTTP Request Parsing Whitespace Defects (CVE-2016-8743) https://access.redhat.com/errata/RHSA-2017:0906
• Apache HTTPD: DoS vulnerability in mod_auth_digest (CVE-2016-2161) https://access.redhat.com/errata/RHSA-2017:0906

Resolved by updated package version httpd-2.4.6-67

• Apache HTTPD: Use-after-free when using with an unrecognized method in .htaccess ("OptionsBleed") (CVE-2017-9798) https://access.redhat.com/errata/RHSA-2017:2882

Resolved by updated package version httpd-2.4.6-40

• Apache HTTPD: HTTP_PROXY environment variable "httpoxy" mitigation (CVE-2016-5387) https://access.redhat.com/errata/RHSA-2016:1422

RedHat says it's Enterprise Linux 7 Apache package is "not affected" by these vulnerabilities

• Apache HTTPD: mod_dav crash (CVE-2013-6438) https://access.redhat.com/security/cve/cve-2013-6438
• Apache HTTPD: mod_log_config crash (CVE-2014-0098) https://access.redhat.com/security/cve/cve-2014-0098

RedHat lists this vulnerability as "Will not fix"

• Apache HTTPD: mod_lua multiple "Require" directive handling is broken (CVE-2014-8109) https://access.redhat.com/security/cve/cve-2014-8109

[hortongn]

Needed changes have been made to the Puppet scripts https://git.uc.edu/UCLIBS/scholar-puppet-vagrant/compare/4bd3ce13ae3db5724d712b6d1bdaf4c17d506f2f...scholar-3-update

[hortongn]

All of the needed changes have been made to scholar-dev, scholar-qa, and production. Info Sec re-ran the security scans and found no remaining vulnerabilities. The changes have been committed to the Puppet repo as well.