Resolve MCP Security Findings

[brianlee731]

1. Remediate Deprecated Python Versions-Unity-a

• https://jaas.gsfc.nasa.gov/servicedesk/customer/portal/2/GSD-4413 Please take a look at this ticket @jl-0

2. Ensure RDS DB Instances have Encryption at-Rest Enabled-Unity

• https://jaas.gsfc.nasa.gov/servicedesk/customer/portal/2/GSD-5113

3. Ensure Amazon SQS queues are encrypted at rest-Unity

• https://jaas.gsfc.nasa.gov/servicedesk/customer/portal/2/GSD-5027

4. Ensure Elasticsearch/OpenSearch Domains have Encryption at-Rest Enabled-Unity

• https://jaas.gsfc.nasa.gov/servicedesk/customer/portal/2/GSD-5106

5. NASA-SOC-MAR-2025-0053-FreeType Out-of-Bounds Write Vulnerability (CVE-2025-27363) [Unity]

• https://jaas.gsfc.nasa.gov/servicedesk/customer/portal/2/GSD-5009

6. Ensure Attached EBS volumes are encrypted at-rest-Unity

• https://jaas.gsfc.nasa.gov/servicedesk/customer/portal/2/GSD-4986

7. Yearly MCP Tenant OIDC Usage and Reconciliation [Unity]

• https://jaas.gsfc.nasa.gov/servicedesk/customer/portal/2/GSD-5070

8. Update NAMS Workflow Approvers for Kion to Have 2 Approvers-Unity

• https://jaas.gsfc.nasa.gov/servicedesk/customer/portal/2/GSD-4695

9. NASA-SOC-MAR-2025-0030-Linux Kernel Out-of-Bounds Write Vulnerability (CVE-2024-53104)

• https://jaas.gsfc.nasa.gov/servicedesk/customer/portal/2/GSD-4742

10. Ensure Security groups do not allow unrestricted access to ports with high risk-Unity

• https://jaas.gsfc.nasa.gov/servicedesk/customer/portal/2/GSD-3779

11. MCP Q4 FY24 Vulnerability Assessment [Unity]]

• https://jaas.gsfc.nasa.gov/servicedesk/customer/portal/2/GSD-4245
• Dependent on AMI updates. AMI update may address some of the issues here (ie. python version)

[brianlee731]

#2. From SPS: Due 7/21

All new RDS DB instances have storage encrypted. Of the 4 instances reported below:
o 2 have been destroyed together with their venue
o 1 more will be destroyed - follow up with @jpl-btlunsfo to confirm deletion
o The last one will be soon updated to the new SPS version - follow up with @jpl-btlunsfo to confirm SPS deployment.

7/7: Status: COMPLETE

[brianlee731]

#3. UDS: @ngachung Due Date 7/21
-Please update the "Server-side encryption" for each of the SQS queues to be "Enabled".

#4. UDS and ADES "Dockstore": @ngachung @mcduffie Due 7/21
-Please update the security configuration - Encryption to "Enable encryption of data at rest".

[brianlee731]

#5 UDS and UCS: @ngachung @jl-0 Due Date: 7/21
-Please update the AMIs. SBG-DEV and EMIT-DEV venues are no longer active so we don't have to worry about that.

[brianlee731]

#7 UCS: @jl-0 Due: ASAP

-Please confirm/verify that the changes to the OIDC Policy does not impact us.

oidc-changes-2025-unity-prod.pdf

[brianlee731]

#9 UDS: @ngachung Due: 7/21

Need to update the kernel version for these two images or can we remove these off of ECR?

1. arn:aws:ecr:us-west-2:237868187491:repository/unity-data-services/sha256:bfc9ea6d6bd078f6b1fc93f0eb15f7e19faeaaf40e805c6f37d7c970a1fb6238 (Unity-DEV)
2. arn:aws:ecr:us-west-2:429178552491:repository/unity/unity-data-services/sha256:c5968a5d1c9620297f46820a9cb339a5f2b453357fbb6ff543b80801e028c22c (Unity-Venue-Dev)

Description

In the Linux kernel, the following vulnerability has been resolved:

media: uvcvideo: Skip parsing frames of type UVC_VS_UNDEFINED in uvc_parse_format

This can lead to out of bounds writes since frames of this type were not
taken into account when calculating the size of the frames buffer in
uvc_parse_streaming.

The Linux kernel CVE team has assigned CVE-2024-53104 to this issue.

Affected and fixed versions

Issue introduced in 2.6.26 with commit c0efd232929c and fixed in 4.19.324 with commit 95edf13a48e7
Issue introduced in 2.6.26 with commit c0efd232929c and fixed in 5.4.286 with commit 684022f81f12
Issue introduced in 2.6.26 with commit c0efd232929c and fixed in 5.10.230 with commit faff5bbb2762
Issue introduced in 2.6.26 with commit c0efd232929c and fixed in 5.15.172 with commit 467d84dc78c9
Issue introduced in 2.6.26 with commit c0efd232929c and fixed in 6.1.117 with commit beced2cb09b5
Issue introduced in 2.6.26 with commit c0efd232929c and fixed in 6.6.61 with commit 575a562f7a3e
Issue introduced in 2.6.26 with commit c0efd232929c and fixed in 6.11.8 with commit 622ad10aae5f
Issue introduced in 2.6.26 with commit c0efd232929c and fixed in 6.12.1 with commit 1ee9d9122801
Issue introduced in 2.6.26 with commit c0efd232929c and fixed in 6.13-rc1 with commit ecf2b43018da