Date |
Authors |
Status | Resolved
Summary | Security vulnerability highlighted by NHS(D), which we fixed within 12 hours.
Impact | None detected. Taking precautionary measures to ensure this extends to "None undetected".
Non-technical Description
On initial configuration of our Jenkins box (a tool we use that helps automate the building, testing and deploying of our software, letting us release code multiple times a day), a setting was left at its default of open rather than closed. This left TIS potentially more open to attack than we intend (the issue had not been identified by our own checks, or by any independent penetration testing carried out on any of our services). In an NHS-wide security sweep, NHS(D) highlighted this vulnerability, and we were able to address it immediately.
...
Trigger
Initial configuration of our Jenkins box
...
Detection
NHS(D) security sweep of the NHS estate
...
Resolution
Locking down the authorization section of the Jenkins GitHub OAuth security configuration. It was initially set to "Anyone can do anything"; it has been replaced with "Matrix-based security".
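The configuration change described above, as an added audit check that is not part of the original page or of TIS's own tooling: a Python script that reads a Jenkins top-level config.xml, classifies the authorization strategy, and also catches the case where "Matrix-based security" has been selected but anonymous is still ticked for Overall/Administer. The sample XML documents, the realm fields shown, and the group name tis-admins are constructed assumptions, not the real TIS configuration.

```python
"""Audit a Jenkins config.xml for a wide-open authorization strategy.

Added example for this write-up; it is not TIS code or a Jenkins project
tool. It parses the <authorizationStrategy> element of Jenkins' top-level
$JENKINS_HOME/config.xml and classifies it. The sample documents below are
constructed to mirror the "before" (Anyone can do anything) and "after"
(Matrix-based security) states; the securityRealm block, the group name
"tis-admins" and the permission set are illustrative assumptions.
"""
import xml.etree.ElementTree as ET

# Strategy class names as Jenkins core and the matrix-auth plugin write them.
UNSECURED = "hudson.security.AuthorizationStrategy$Unsecured"               # "Anyone can do anything"
LOGGED_IN = "hudson.security.FullControlOnceLoggedInAuthorizationStrategy"  # "Logged-in users can do anything"
GLOBAL_MATRIX = "hudson.security.GlobalMatrixAuthorizationStrategy"         # "Matrix-based security"
PROJECT_MATRIX = "hudson.security.ProjectMatrixAuthorizationStrategy"       # project-based matrix
ADMINISTER = "hudson.model.Hudson.Administer"                               # Overall/Administer


def parse_matrix_permissions(strategy):
    """Return {sid: set(permission_ids)} from a matrix strategy's <permission> entries.

    Entries look like "hudson.model.Hudson.Read:authenticated"; matrix-auth 3.x
    prefixes the principal type ("USER:", "GROUP:", "EITHER:"), which is stripped.
    """
    grants = {}
    for entry in strategy.findall("permission"):
        text = (entry.text or "").strip()
        if text.startswith(("USER:", "GROUP:", "EITHER:")):
            text = text.split(":", 1)[1]
        perm, _, sid = text.rpartition(":")
        if perm and sid:
            grants.setdefault(sid, set()).add(perm)
    return grants


def audit(config_xml):
    """Classify the authorization strategy; return (risk, detail)."""
    root = ET.fromstring(config_xml)
    if (root.findtext("useSecurity") or "").strip().lower() != "true":
        return "HIGH", "useSecurity is not true: access control is disabled entirely"
    strategy = root.find("authorizationStrategy")
    if strategy is None:
        return "HIGH", "no <authorizationStrategy> element"
    cls = strategy.get("class", "")
    if cls == UNSECURED:
        return "HIGH", "Anyone can do anything: unauthenticated users hold Overall/Administer"
    if cls == LOGGED_IN:
        # Any account the security realm accepts (with GitHub OAuth, any GitHub user) is an admin.
        return "MEDIUM", "Logged-in users can do anything: every authenticated user holds Overall/Administer"
    if cls in (GLOBAL_MATRIX, PROJECT_MATRIX):
        grants = parse_matrix_permissions(strategy)
        anon = grants.get("anonymous", set())
        if ADMINISTER in anon:
            # Selecting the matrix strategy is not enough on its own.
            return "HIGH", "matrix grants Overall/Administer to anonymous"
        if ADMINISTER in grants.get("authenticated", set()):
            return "MEDIUM", "matrix grants Overall/Administer to every authenticated user"
        if anon:
            return "LOW", f"matrix grants anonymous: {sorted(anon)}"
        admins = sorted(sid for sid, perms in grants.items() if ADMINISTER in perms)
        return "OK", f"matrix strategy; Overall/Administer held by {admins}"
    return "UNKNOWN", f"unrecognised strategy class {cls!r}"


# Constructed sample: the misconfigured state (XML declaration omitted; realm fields illustrative).
BEFORE = """<hudson>
  <useSecurity>true</useSecurity>
  <authorizationStrategy class="hudson.security.AuthorizationStrategy$Unsecured"/>
  <securityRealm class="org.jenkinsci.plugins.GithubSecurityRealm">
    <githubWebUri>https://github.com</githubWebUri>
    <clientID>REDACTED</clientID>
  </securityRealm>
</hudson>"""

# Constructed sample: the fixed state, with a hypothetical "tis-admins" GitHub team as admin.
AFTER = BEFORE.replace(
    '<authorizationStrategy class="hudson.security.AuthorizationStrategy$Unsecured"/>',
    """<authorizationStrategy class="hudson.security.GlobalMatrixAuthorizationStrategy">
    <permission>GROUP:hudson.model.Hudson.Administer:tis-admins</permission>
    <permission>GROUP:hudson.model.Hudson.Read:authenticated</permission>
    <permission>GROUP:hudson.model.Item.Build:authenticated</permission>
  </authorizationStrategy>""")

# Constructed sample: matrix strategy chosen, but anonymous still ticked as Administer.
STILL_OPEN = AFTER.replace("GROUP:hudson.model.Hudson.Administer:tis-admins",
                           "USER:hudson.model.Hudson.Administer:anonymous")

if __name__ == "__main__":
    for name, doc in (("before", BEFORE), ("after", AFTER), ("still-open", STILL_OPEN)):
        risk, detail = audit(doc)
        print(f"{name:10s} {risk:8s} {detail}")
```

Run it against a copy of the live config.xml (or diff the file between backups) as part of a periodic review; the point of the third sample is that the strategy name alone is not the check, the rows granted to anonymous and authenticated are.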
...
Timeline
3 Feb
14:23 - Email sent to HEE (including Simon - A/L that day - and Stephen Loughran)
16:56 - Stephen recirculated email (including AndyN and JohnS)
23:09 - Confirmation from John Simmons and Andy Dingley that the resolution had been implemented and successfully tested
...
Root Cause(s)
Initial configuration of our Jenkins box (probably when the TIS programme was first set up)
...
Action Items
Action Items | Owner | Status |
---|---|---|
Change the config as above | | Complete |
Reset all passwords | | To do |
...
Lessons Learned
Periodically review security - conduct internal pen tests - consider getting an independent body to do so…