
Communication misconfiguration in code #4904

Open
1 of 9 tasks
anugu-vijaykanth opened this issue Apr 12, 2021 · 0 comments
Labels
community Community Raised Issue

Comments

@anugu-vijaykanth

anugu-vijaykanth commented Apr 12, 2021

Stratos Version

4.4.0

Frontend Deployment type

  • Cloud Foundry Application (cf push)
  • Kubernetes, using a helm chart
  • Docker, single container deploying all components
  • npm run start
  • Other (please specify below)

Backend (Jet Stream) Deployment type

  • Cloud Foundry Application (cf push)
  • Kubernetes, using a helm chart
  • Docker, single container deploying all components
  • Other (please specify below)

Expected behaviour

Transmit all sensitive data over a TLS connection with validated certificates. This includes all communications with browsers that contain sensitive pages. It also includes all backend connections with databases, servers, and other services.

Example Code
telnet.ListenAndServeTLS(":5556", "cert.pem", "key.pem", handlers)

Actual behaviour

The application does not use a secure channel, such as TLS, to exchange sensitive information or avoids validating a certificate. Therefore, it is possible for an attacker with network traffic access to sniff packets from the connection and uncover the data or provide an altered certificate to perform a man-in-the-middle attack. This attack is not technically difficult, but does require physical access to some portion of the network over which the sensitive data travels. This access is usually somewhere near where the user is connected to the network (such as a colleague on the company network) but can be anywhere along the path from the user to the end server.

This can be a few things under Golang:

  • Settings that allow insecure certificate checks.
  • Insecure communication functions.

Example Code
HostKeyCallback: ssh.InsecureIgnoreHostKey()
conf := &tls.Config{ InsecureSkipVerify: true}

telnet.DialToAndCall("example.net:5555", caller)

Steps to reproduce the behavior

Same issue found in a few file paths:
cfmr-ui\src\jetstream\main.go:782
cfmr-ui\src\jetstream\plugins\cloudfoundry\cf_websocket_streams.go:119
cfmr-ui\src\jetstream\plugins\kubernetes\terminal\start.go:118

Log output covering before error and any error statements

Insert log here

Detailed Description

There is a miscommunication in Golang code.

Context

Possible Implementation

@richard-cox richard-cox added the community Community Raised Issue label Apr 12, 2021