Renew Tugboat SSL Certificate to Fix Security Scan Findings #13040

Closed
2 of 8 tasks
Tracked by #13258
olivereri opened this issue Mar 22, 2023 · 4 comments
Labels: CMS Team (CMS Product team that manages both editor exp and devops)

Comments

olivereri (Contributor) commented Mar 22, 2023

Description

The VA EAS team conducted an annual pentest on the production VPC on 3/29/2022 and found a certificate at the top of the certificate chain sent by the remote host that is signed by an unknown certificate authority.

The certificate in question is the one that secures Tugboat and other related CI DNS names. This was a Venafi-generated certificate, meaning there isn't a lot that can be done to remediate this issue. The only option is to renew the cert and wait for VA EAS to rescan.

Relations

https://github.com/department-of-veterans-affairs/va.gov-team-sensitive/issues/441#zh-event-110737343

Acceptance Criteria

  • Validated security finding by reproducing it with appropriate software tools.
  • Determined how to remediate security finding and implement fix.
    • Validate security issue is resolved using appropriate software tools.
  • Update upstream issue with findings.

Team

Please check the team(s) that will do this work.

  • CMS Team
  • Public Websites
  • Facilities
  • User support
olivereri added the "Needs refining" (Issue status) and "CMS Team" (CMS Product team that manages both editor exp and devops) labels on Mar 22, 2023

olivereri (Contributor, Author) commented

Proposed AC rewrite:

  • Validated security finding by reproducing it with appropriate software tools.
  • Determined how to remediate security finding and implement fix.
    • Validate security issue is resolved using appropriate software tools.
  • Update upstream issue with findings.

productmike commented

@olivereri I'm tentatively adding this to the S83 queue. Based on the new ACs we reviewed yesterday, do you have a feel for what this would be pointed?

olivereri (Contributor, Author) commented

> @olivereri I'm tentatively adding this to the S83 queue. Based on the new ACs we reviewed yesterday, do you have a feel for what this would be pointed?

Apologies, missed this. I've pointed it at a 5.

olivereri (Contributor, Author) commented

Added a comment to the related va.gov-team-sensitive ticket. After reviewing the report again and noticing a mismatch between CIDR ranges for the scanned resources, I determined that there are other load balancers using Tugboat's certificate. Specifically, dsva-vagov-prod-tools is using Tugboat's certificate. Once that's removed this will no longer be a finding; however, it's not for us to remediate.
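One way to reproduce the finding with standard tooling and to spot the same certificate on other hosts, as called for in the acceptance criteria and in the comment above. This is an added example, not part of the issue or the team's own tooling; it assumes only a local `openssl` and that the local trust store approximates what the scanner trusts. It pulls the chain a host presents, verifies it the way a scanner would, and prints the top-of-chain issuer plus the leaf's SHA-256 fingerprint so the same cert can be matched across load balancers.

```shell
#!/bin/sh
# Added example (not from the issue). Requires openssl; no other dependencies.

# fetch_chain HOST[:PORT] OUTFILE -> writes every certificate the server presents, as PEM
fetch_chain() {
  host=${1%%:*}; port=${1#*:}; [ "$port" = "$1" ] && port=443
  openssl s_client -connect "$host:$port" -servername "$host" -showcerts </dev/null 2>/dev/null \
    | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' > "$2"
}

# chain_report PEMFILE -> prints leaf fingerprint, issuer of the top-of-chain cert,
# trusted/untrusted against the local store, and the verify failure reason if any.
# "unable to get local issuer certificate" or "self-signed certificate in certificate
# chain" is the condition the scanner reported: the top of the sent chain is not
# anchored in a trusted CA.
chain_report() {
  pem=$1
  # first certificate in the file is the leaf the server presented
  leaf_fp=$(openssl x509 -in "$pem" -noout -fingerprint -sha256 | cut -d= -f2)
  # last certificate in the file is the top of the chain the server sent
  top=$(awk '/BEGIN CERTIFICATE/{c=""} {c=c $0 "\n"} END{printf "%s", c}' "$pem")
  top_issuer=$(printf '%s' "$top" | openssl x509 -noout -issuer | sed 's/^issuer=//')
  # verify the leaf using the rest of the sent chain as untrusted intermediates;
  # only the local trust store (system CAs) may act as anchor, as in a scan
  verify_out=$(openssl verify -untrusted "$pem" "$pem" 2>&1) && status=trusted || status=untrusted
  reason=$(printf '%s\n' "$verify_out" | sed -n 's/.*depth lookup: *//p' | head -n 1)
  printf 'leaf_sha256=%s\ntop_issuer=%s\nstatus=%s\nreason=%s\n' \
    "$leaf_fp" "$top_issuer" "$status" "$reason"
}

# Usage: fetch_chain tugboat.example.org chain.pem && chain_report chain.pem
# Run against each suspected load balancer; identical leaf_sha256 values mean the
# same certificate is deployed there, so the finding will recur until it is removed.
```

Two hosts reporting the same `leaf_sha256` are serving the same certificate, which is how the reuse on dsva-vagov-prod-tools described above would show up in a scan.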
