[SECURITY ISSUE] Operate's Backup Actuator endpoint is accessible via the default url/port

[lukas-beumer]

Describe the issue:

Unlike Zeebe, Operate does not have a separate management port for the actuator endpoints, which means that anyone can start the backup process at any time. As our backups are stored in the GCS, this can lead to increased costs and a theoretical DDOS attack.

Actual behavior:

curl -s -X POST -H "Content-Type: application/json" -d "{"backupId": "1"}" https://camunda-platform-test.local:8080/operate/actuator/backups

Expected behavior:
The endpoint should only be accessible via corresponding port forwarding or similar.

curl -s -X POST -H "Content-Type: application/json" -d "{"backupId": "1"}" https://localhost:8080/operate/actuator/backups

How to reproduce:

Versuche den /actuator/backups Endpunkt über den Ingress von Operate zu erreichen.

curl -s -X POST -H "Content-Type: application/json" -d "{"backupId": "1"}" https://camunda-platform-test.local:8080/operate/actuator/backups

Environment: GKE/GCP

Please note: Without the following info, it's hard to resolve the issue and probably it will be closed.

• Platform: GCP
• Helm CLI version: v3.14.3
• Chart version: 10.0.2

[aabouzaid]

Thanks @lukas-beumer for reporting this 🙌
It's already planned and it will be fixed in #1661

[aabouzaid]

We also will try to work on it before the 8.6 release for supported versions like 8.5 and 8.4.

[aabouzaid]

The issue has been fixed for the Camunda 8.6 chart (unreleased yet).
We will work on fixing the previous versions.

[zessam]

Hey👋, I’ve been looking into the security issue with the /actuator/backups endpoint being publicly accessible. Here’s my proposed solution:

Suggested Edits:

1. Edit ingress.yaml:
   Add the following annotation to block external access to the /actuator/backups endpoint:

   nginx.ingress.kubernetes.io/server-snippet: |
     location /operate/actuator/backups {
       deny all;
     }

2. Edit values.yaml: Ensure the following settings are enabled to deploy the ingress and restrict access to the /actuator/backups endpoint:

operate:
  enabled: true

  image:
    registry: ""
    repository: camunda/operate
    tag: 8.6.3
    pullSecrets: []

  ingress:
    enabled: true
    host: camunda-platform-test.local
    path: /operate
    pathType: Prefix
    className: nginx
    tls:
      enabled: true
      secretName: camunda-platform-tls
    annotations:
      kubernetes.io/ingress.class: "nginx"
      nginx.ingress.kubernetes.io/server-snippet: |
        location /operate/actuator/backups {
          deny all;
        }

After these changes, the /actuator/backups endpoint will be restricted and return a 403 Forbidden response when accessed externally.

Let me know your thoughts!

[aabouzaid]

@zessam Thanks for the proposal, but it cannot be accepted.
The solution should be controller agnostic (it should work with all Ingress controllers, not only Nginx).

Maybe playing around defaultBackend could work. Do you like to give it a try? Here are some pseudo instructions:

• Create a namespace;
• Deploy Echo-Server;
• In the Ingress object, create 2 rules with the same base like /foo/abc and /foo/xyz.

Try to match the first and send the traffic to the echo server, and the second should be sent to the default backend (when it's not specified, it will go to the controller directly, as I remember).