2021-02-04 Security hole on Jenkins

Date

Feb 4, 2021

Authors

@John Simmons (Deactivated) / @Andy Dingley

Status

Resolved

Summary

Security vulnerability highlighted by NHS(D), which we fixed within 12 hours.

Impact

None detected. Taking precautionary measures to ensure this extends to “None undetected”.

Non-technical Description

On initial configuration of our Jenkins box (a tool we use that helps automate building, testing, and deploying our software, facilitating our ability to release code multiple times a day), a setting was left at its default of open rather than closed. This opened up a vulnerability that made TIS potentially more open to attack than we would intend (which had not been identified by our own checks, or by any independent penetration testing carried out on any of our services). In an NHS-wide security sweep, NHS(D) highlighted this vulnerability. We were able to address it immediately.


Trigger

  • Initial configuration of our Jenkins box


Detection

  • NHS(D) security sweep of the NHS estate


Resolution

  • Amending the open Jenkins GitHub OAuth configuration so that it is locked down. Authorization was initially set to "Anyone can do anything"; it has been replaced with Matrix-based security.
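
A way to check for the setting described in this resolution, as an added example that is not part of the incident page or of TIS's own tooling: a Python audit of a Jenkins $JENKINS_HOME/config.xml that flags the "Anyone can do anything" and "Logged-in users can do anything" strategies and, for Matrix-based security, any grant to the anonymous user beyond Overall/Read. The two config fragments are constructed to mirror the before and after states described above; the strategy and realm class names are the ones Jenkins writes, while the group name tis-admins and the client ID are placeholders.

```python
"""Audit a Jenkins config.xml for the authorization misconfiguration in this incident.

Added example, not code from the incident page. Jenkins stores global security
settings in $JENKINS_HOME/config.xml; the class names below are the ones Jenkins
itself writes for each authorization strategy.
"""
import xml.etree.ElementTree as ET
from typing import List

# Class names Jenkins writes into config.xml for each global authorization strategy
UNSECURED = "hudson.security.AuthorizationStrategy$Unsecured"  # "Anyone can do anything"
LOGGED_IN = "hudson.security.FullControlOnceLoggedInAuthorizationStrategy"  # "Logged-in users can do anything"
MATRIX = "hudson.security.GlobalMatrixAuthorizationStrategy"  # "Matrix-based security"
ADMINISTER = "hudson.model.Hudson.Administer"
READ = "hudson.model.Hudson.Read"

# Constructed "before" state: GitHub OAuth login, but authorization left wide open.
# The client ID is a placeholder.
BEFORE_CONFIG = """<hudson>
  <useSecurity>true</useSecurity>
  <authorizationStrategy class="hudson.security.AuthorizationStrategy$Unsecured"/>
  <securityRealm class="org.jenkinsci.plugins.GithubSecurityRealm">
    <githubWebUri>https://github.com</githubWebUri>
    <clientID>PLACEHOLDER_CLIENT_ID</clientID>
  </securityRealm>
</hudson>
"""

# Constructed "after" state: Matrix-based security, administer limited to a
# placeholder group, read limited to authenticated users.
AFTER_CONFIG = """<hudson>
  <useSecurity>true</useSecurity>
  <authorizationStrategy class="hudson.security.GlobalMatrixAuthorizationStrategy">
    <permission>hudson.model.Hudson.Administer:tis-admins</permission>
    <permission>hudson.model.Hudson.Read:authenticated</permission>
  </authorizationStrategy>
  <securityRealm class="org.jenkinsci.plugins.GithubSecurityRealm">
    <githubWebUri>https://github.com</githubWebUri>
    <clientID>PLACEHOLDER_CLIENT_ID</clientID>
  </securityRealm>
</hudson>
"""


def audit_jenkins_config(xml_text: str) -> List[str]:
    """Return a list of findings for a config.xml; an empty list means nothing flagged."""
    root = ET.fromstring(xml_text)
    findings: List[str] = []

    if root.findtext("useSecurity", default="true").strip().lower() != "true":
        findings.append("useSecurity is false: all security is disabled")

    strategy = root.find("authorizationStrategy")
    if strategy is None:
        findings.append("no authorizationStrategy element present")
        return findings

    cls = strategy.get("class", "")
    if cls == UNSECURED:
        findings.append("authorization is 'Anyone can do anything'")
    elif cls == LOGGED_IN:
        findings.append("authorization is 'Logged-in users can do anything'")
    elif cls == MATRIX:
        for perm in strategy.findall("permission"):
            # Entries look like "hudson.model.Hudson.Administer:alice"; newer
            # matrix-auth versions prefix a type, e.g. "USER:hudson.model.Hudson.Administer:alice".
            parts = (perm.text or "").strip().split(":")
            if len(parts) < 2:
                continue
            permission, sid = parts[-2], parts[-1]
            if sid == "anonymous" and permission == ADMINISTER:
                findings.append("anonymous has Overall/Administer")
            elif sid == "anonymous" and permission != READ:
                findings.append(f"anonymous has {permission}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("before", BEFORE_CONFIG), ("after", AFTER_CONFIG)):
        print(label, audit_jenkins_config(cfg) or ["no findings"])
```

Run against a live instance's config.xml as part of the periodic review the Lessons Learned bullet calls for; any finding other than an empty list is worth a ticket.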


Timeline

3 Feb

  • 14:23 - Email sent to HEE (including Simon - A/L that day - and Stephen Loughran)

  • 16:56 - Stephen recirculated email (including AndyN and JohnS)

  • 23:09 - Confirmation from @John Simmons (Unlicensed) and @Andy Dingley that the resolution had been implemented and successfully tested


Root Cause(s)

  • Initial configuration of our Jenkins box (probably when the TIS programme was first set up)


Action Items

Action Items | Owner | Status
Change the config as above | @John Simmons (Deactivated) | Complete
Reset all passwords | @John Simmons (Deactivated) et al | https://hee-tis.atlassian.net/browse/TIS21-1201


Lessons Learned

  • Periodically review security - conduct internal pen tests - consider getting an independent body to do so…