Data Management / DM-11502

TLS vulnerability CVE-2016-2107

    Details

      Description

ssllabs is giving many (most) of our TLS-fronted properties an F rating for being vulnerable to CVE-2016-2107. Presumably, this will be resolved by an openssl update.

            Activity

            jhoblitt Joshua Hoblitt added a comment -

The yum-cron package is supposed to apply security updates to {ci,squash,bokeh}.lsst.codes but it appears not to be working. The systemd service file seems to do nothing...

[Unit]
Description=Run automatic yum updates as a cron job

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/bin/touch /var/lock/subsys/yum-cron
ExecStop=/bin/rm -f /var/lock/subsys/yum-cron

[Install]
WantedBy=multi-user.target


jhoblitt Joshua Hoblitt added a comment -

Manually updating openssl and restarting nginx changes the ssllabs rating (as of this moment, to an A):

https://www.ssllabs.com/ssltest/analyze.html?d=ci.lsst.codes
https://www.ssllabs.com/ssltest/analyze.html?d=squash.lsst.codes
https://www.ssllabs.com/ssltest/analyze.html?d=bokeh.lsst.codes
jhoblitt Joshua Hoblitt added a comment - edited

These k8s deployments, sandbox-eups, deploy-eups-redirect and ltd-keeper, were using gcr.io/cloud-solutions-images/nginx-ssl-proxy:master-9979ee3, which dates from 2015 and google has never updated (there are no other tags in the docker registry). I looked at updating the version of openssl in that image but decided against it, as it was so old that the gpg keys for the nginx apt repo were no longer valid and the base image had since rebased onto a newer version of debian.

            I eventually identified the Dockerfile used to build that image: https://github.com/GoogleCloudPlatform/nginx-ssl-proxy . The repo has been updated, despite no images being published, and the Dockerfile was able to build an image without the openssl issue without modification. This has been forked as https://github.com/lsst-sqre/nginx-ssl-proxy and a jenkins build created that will build + push an image as docker.io/lsstsqre/nginx-ssl-proxy:latest.

            TLS cert expiration, missing hosts, and an ssllabs.com check were added to nagios (status.lsst.codes). Additionally, work was done to streamline the deployment of nagios configuration changes. This included setting up travis-ci syntax checking of nagios config changes. The nagios streamlining/CI was the majority of the effort on this ticket.

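As an added illustration of the "TLS cert expiration" nagios check described in the comment above (example code written for this page, not the ticket's own nagios configuration), the check below parses the notAfter date in the form OpenSSL and Python's ssl module report it and maps the remaining lifetime to nagios exit codes. The warning/critical thresholds and the host list are assumptions; the host list simply reuses the hostnames named in the ticket.

```python
"""Nagios-style TLS certificate expiry check (added example; thresholds are assumed)."""
import socket
import ssl
from datetime import datetime, timezone

# Standard nagios plugin exit codes
OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3
WARN_DAYS = 30   # assumed threshold
CRIT_DAYS = 7    # assumed threshold
# Constructed host list, reusing the hostnames named in the ticket
HOSTS = ["ci.lsst.codes", "squash.lsst.codes", "bokeh.lsst.codes"]


def parse_not_after(value: str) -> datetime:
    """Parse 'Aug 13 12:00:00 2027 GMT', with or without the 'notAfter=' prefix
    printed by `openssl x509 -noout -enddate`; single-digit days may be space padded."""
    value = value.split("=", 1)[-1].strip()
    return datetime.strptime(value, "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)


def days_remaining(not_after: str, now) -> int:
    """Whole days until expiry; `now` is a datetime or a string in the same OpenSSL format."""
    if isinstance(now, str):
        now = parse_not_after(now)
    return (parse_not_after(not_after) - now).days


def classify(days: int, warn: int = WARN_DAYS, crit: int = CRIT_DAYS) -> tuple:
    """Map remaining days to (exit code, status word); an already-expired cert is CRITICAL."""
    if days <= crit:          # covers negative values (expired) as well
        return CRITICAL, "CRITICAL"
    if days <= warn:
        return WARNING, "WARNING"
    return OK, "OK"


def report(host: str, not_after: str, now) -> tuple:
    """Build the (exit code, status line) nagios would print for one host."""
    days = days_remaining(not_after, now)
    code, word = classify(days)
    return code, f"{word} - {host}: certificate expires in {days} days"


def check_host(host: str, port: int = 443) -> tuple:
    """Live variant: fetch the leaf certificate over TLS (network access required)."""
    try:
        ctx = ssl.create_default_context()
        with socket.create_connection((host, port), timeout=10) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                not_after = tls.getpeercert()["notAfter"]
    except (OSError, ssl.SSLError) as exc:
        return UNKNOWN, f"UNKNOWN - {host}: {exc}"
    return report(host, not_after, datetime.now(timezone.utc))


if __name__ == "__main__":
    for h in HOSTS:
        print(check_host(h)[1])
```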

People

Assignee: jhoblitt Joshua Hoblitt
Reporter: jhoblitt Joshua Hoblitt
Watchers: Adam Thornton, J Matt Peterson [X] (Inactive), Jonathan Sick, Joshua Hoblitt