hubspotdevops / puppet-nexus

Puppet module for Sonatype Nexus
MIT License
24 stars 92 forks source link

Binding to 0.0.0.0 and use of HTTP without TLS #106

Open akondasif opened 6 years ago

akondasif commented 6 years ago

Greetings,

I am a security researcher, who is looking for security smells in Puppet scripts. I noticed instances of binding to 0.0.0.0. Binding an address to 0.0.0.0 indicates allowing connections from all IP addresses. I would like to draw attention to these instances. Binding to 0.0.0.0 may lead to denial of service attacks. Practitioners have reported how binding to 0.0.0.0 facilitated security issues for MySQL (https://serversforhackers.com/c/mysql-network-security), Memcached (https://news.ycombinator.com/item?id=16493480), and Kibana (https://www.elastic.co/guide/en/kibana/5.0/breaking-changes-5.0.html).

I suggest to use a dedicated IP address other than 0.0.0.0.

Any feedback is appreciated.

Source: https://github.com/hubspotdevops/puppet-nexus/blob/master/manifests/params.pp

akondasif commented 6 years ago

I also found instances where the HTTP protocol is used instead of HTTPS (HTTP with TLS). According to the Common Weakness Enumeration organization this is a security weakness (https://cwe.mitre.org/data/definitions/319.html). I was wondering why HTTP is used? Is it because of lack of tool support?

I am trying to find out if developers are forced to adopt bad practices due to lack of tool support when it comes to the HTTPS protocol. Maybe it is due to dependency on a resource that uses HTTP?

Any feedback is appreciated.

Source: https://github.com/hubspotdevops/puppet-nexus/blob/master/manifests/params.pp (Line 28, 40)