Camunda Remote Code Execution Vulnerability

Hi Guys,

I am embedding some Linux commands as variables in the Camunda diagram and then deploying it to the Camunda Engine.
From the Camunda Cockpit, I can view the output of the Linux command by clicking on the variable values.

Is this an expected behavior and if not how can I disable this command execution on Camunda 7.11?

Thanks

Snippet from the BPMN Diagram file:

// Groovy script task body: spawn a shell command, capture its stdout, and store it in a process variable
def a1 = 'whoami'.execute()                 // start the child process
def o1 = new StringBuffer()                 // buffer that collects the process's stdout
a1.waitForProcessOutput(o1, System.err)     // block until the process exits; stderr passes through
execution.setVariable('whoami', o1.toString())  // expose the command output as the variable "whoami"

Output from Camunda Cockpit

Hi,

Camunda is one big remote code execution system. The BPMN is the code (with script tasks like in your case, but also just the BPMN flow) and Camunda runs it. This opens a lot of possibilities for exploitation if an attacker is able to deploy BPMN models. For example, if you code an infinite loop or you model an infinite loop in BPMN, then you have a simple denial of service attack.

In consequence, it is crucial that you protect the endpoints for deploying BPMN diagrams properly (e.g. by using Camunda’s authorizations or by restricting access to the APIs, for example at the network level) and that the people who do have access to them are trusted. The adequate measures depend on the attack scenarios that you want to defend against.

Cheers,
Thorben

To also answer your original question: Java has a concept called Security Manager that you can use to restrict certain sensitive operations, such as spawning child processes. Here is a brief introduction: The Java Security Manager: Why and How? - DZone Java. However, having this in place will likely not be sufficient to accept untrusted BPMN deployments.
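As an added example (not code from this thread or from Camunda itself) of the first mitigation named above, Camunda’s own authorizations: the snippet below uses the Camunda 7 Java API to grant the CREATE permission on the DEPLOYMENT resource to a single group and then asks the engine whether a given user may deploy. It assumes authorization checks are switched on in the engine configuration (the authorizationEnabled property in camunda.cfg.xml / bpm-platform.xml) and that a group named process-deployers exists; the group and user names are assumptions for the example.

```java
// Added example, not Camunda's or the thread author's code.
// Assumes authorizationEnabled=true in the engine configuration and an existing
// group "process-deployers" (both are assumptions for this example).
import java.util.Collections;
import java.util.List;

import org.camunda.bpm.engine.AuthorizationService;
import org.camunda.bpm.engine.ProcessEngine;
import org.camunda.bpm.engine.ProcessEngines;
import org.camunda.bpm.engine.authorization.Authorization;
import org.camunda.bpm.engine.authorization.Permissions;
import org.camunda.bpm.engine.authorization.Resources;

public class DeploymentAuthorizationSetup {

    // Group that is allowed to create deployments (assumed name)
    static final String DEPLOYER_GROUP = "process-deployers";

    public static void main(String[] args) {
        ProcessEngine engine = ProcessEngines.getDefaultProcessEngine();
        AuthorizationService authorizationService = engine.getAuthorizationService();

        grantDeploymentCreate(authorizationService, DEPLOYER_GROUP);

        // A member of the deployer group may create deployments ...
        System.out.println("alice may deploy: "
            + canCreateDeployment(authorizationService, "alice",
                                  Collections.singletonList(DEPLOYER_GROUP)));
        // ... an authenticated user without that membership (and no other grant) may not.
        System.out.println("mallory may deploy: "
            + canCreateDeployment(authorizationService, "mallory",
                                  Collections.<String>emptyList()));
    }

    /** Grant CREATE on the DEPLOYMENT resource (any resource id) to one group. */
    static void grantDeploymentCreate(AuthorizationService authorizationService, String groupId) {
        Authorization auth = authorizationService.createNewAuthorization(Authorization.AUTH_TYPE_GRANT);
        auth.setGroupId(groupId);
        auth.setResource(Resources.DEPLOYMENT);
        auth.setResourceId(Authorization.ANY);
        auth.addPermission(Permissions.CREATE);
        authorizationService.saveAuthorization(auth);
    }

    /** Ask the engine whether a user with the given group memberships may create a deployment. */
    static boolean canCreateDeployment(AuthorizationService authorizationService,
                                       String userId, List<String> groupIds) {
        return authorizationService.isUserAuthorized(userId, groupIds,
                                                     Permissions.CREATE, Resources.DEPLOYMENT);
    }
}
```

Two caveats when applying this: once authorization checks are enabled, every principal needs explicit grants for what it should see (Cockpit users need READ on the relevant resources, for instance), and members of the administrator groups configured for the engine bypass the checks entirely. The grant also does not sandbox anything: whoever holds CREATE on DEPLOYMENT can still run a script task like the one in the question, which is exactly why the reply above stresses that deployers must be trusted.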

Hi Thorben,

Thanks for your reply. I could find the following notice from Camunda -
https://docs.camunda.org/security/notices/#notice-30

Is this related to the issue I raised initially, or is it something different?

If an attacker can upload a model to the API, they can execute any code, so you have to restrict the model creation API endpoint.

  1. Deploy from the diagram modeller only in the dev environment.
  2. Deploy models only from localhost on the prod server.
  3. Restrict SSH access to production.
  4. Add firewall and Tomcat firewall rules.

This is not related. It’s about vulnerabilities in the Tomcat server.