How to prevent a rogue job worker from overwriting process variables?


I am puzzling over a security aspect of Camunda 8 which has to do with the (accidental) overriding of process variables. This is in the context of threat modelling for a persona that has evil intentions and works as an employee in the organization.

Suppose I can retrieve a credential from an API client that has access to Zeebe, and suppose I know a service task type name. The latter should not be so hard for an insider attack, since it is probably documented on Confluence or something similar. Or I can make some attempts based on the naming strategy of the company.

When I connect to the cluster I will be invoked as well (just like the original job worker with that type name). At that moment I will also know all process variables, so I know what information I can steal and also which ones I can overwrite, which is even worse.

The effect can be rather dramatic; especially now, since we cannot even tell, because we have no audit logging in the platform yet. But even if we had it, it would provide insight only in hindsight.

First I thought I needed a feature to configure which job worker is allowed to update which process variable, by whitelisting. But that will not help, since both share the same type name.

A mitigating rule I can think of is to rotate all API clients very often (say every 10 seconds), but I wonder if that is a common approach.

What is the usual way to mitigate this type of risk?

Please share your insights on this.



This issue talks about read-only variables. It might be a mitigating solution, but the suggestion is already quite dated.