Trail of Bits

Eclipse Temurin

Type: Security review

Client: OSTIF

Date: 2023-12

Domain: AppSec

Effort: 4 wks

Section: Technology Product Reviews

Trail of Bits's security review of OSTIF (Dec 2023) identified 19 issues: 8 high, 1 medium, 4 low, 5 informational, and 1 undetermined.

Findings · 19

  1. Command injection vulnerability in WinRM script (High)
  2. Docker Compose ports exposed on all interfaces (Low)
  3. Insecure installation of Xcode software (High)
  4. Insecure software downloads in Ansible playbooks (High)
  5. Signature verification disabled during software installation (High)
  6. Missing integrity check in Dragonwell Dockerfile (Low)
  7. Hostname verification disabled on MongoDB client (High)
  8. RHEL build image includes password (Low)
  9. Insecure downloads using wget command (High)
  10. Hard-coded CA bundle keystore password (Informational)
  11. Hard-coded Vagrant VM password (Informational)
  12. Missing integrity or authenticity check in jcov script download (Low)
  13. SSH client disables host key verification (High)
  14. Compiler mitigations are not enabled (Informational)
  15. Use of unpinned third-party workflows (Medium)
  16. Third-party dependencies used without signature or checksum verification (Informational)
  17. Code injection vulnerability in build-scripts pipeline jobs (High)
  18. Docker commands specify root user in containers (Informational)
  19. Incorrect Dependabot configuration filename (Undetermined)

Findings extracted from the published report PDF. See the full report below for details and remediation.