2021-02-04 Security hole on Jenkins
Date | Feb 4, 2021 |
Authors | @John Simmons (Deactivated) / @Andy Dingley |
Status | Resolved |
Summary | Security vulnerability highlighted by NHS(D), which we fixed within 12 hours. |
Impact | None detected. Taking precautionary measures to ensure this extends to “None undetected” |
Non-technical Description
On initial configuration of our Jenkins box (a tool we use that helps automates building, testing, and deploying of our software, facilitating our ability to release code multiple times a day), a setting was left with the default as open rather than closed. This opened up a vulnerability that made TIS potential more open to attack then we would intend (which had not been identified by our own checks, or any independent penetration testing carried out on any of our services). In an NHS-wide security sweep, NHS(D) highlighted this vulnerability. We were able to immediately address the vulnerability.
Trigger
Initial configuration of our Jenkins box
Detection
NHS(D) security sweep of the NHS estate
Resolution
Amending an open Jenkins github oauth configuration to be locked down. Was initially set to
Anyone can do anything
. It has been replaced withMatrix-based security
Timeline
3 Feb
14:23 - Email sent to HEE (including Simon - A/L that day - and Stephen Loughran)
16:56 - Stephen recirculated email (including AndyN and JohnS)
23:09 - Confirmation from @John Simmons (Unlicensed) and @Andy Dingley that the resolution had been implemented and successfully tested
Root Cause(s)
Initial configuration of our Jenkins box (probably when the TIS programme was first set up
Action Items
Action Items | Owner | Status |
---|---|---|
Change the config as above | @John Simmons (Deactivated) | Complete |
Reset all passwords | @John Simmons (Deactivated) et al |
Lessons Learned
Periodically review security - conduct internal pen tests - consider getting an independent body to do so…
Slack: https://hee-nhs-tis.slack.com/
Jira issues: https://hee-tis.atlassian.net/issues/?filter=14213