Security Vulnerabilities in using Killbill


vivek rao

Mar 24, 2024, 8:39:10 AM
to Kill Bill users mailing-list
Hello,

We will be using Killbill running on ECS on AWS.
We will build the KB war ourselves, copy it into the webapps folder of Tomcat as ROOT.war, and restart Tomcat for it to take effect.
We will also be building the Usage and Invoice plugin jar files and building the killbill-stripe-plugin jar, and copying the plugin jar files into the path /var/tmp/bundles/plugins/java/

KB version we are using is:
killbill:0.24.3
kaui:2.0.11

Our analysis of the security aspects of the KB system has found the issues below.

  • Tomcat user to use a strong password.
[attachment: tomcat.png]
What are the changes needed to set up a strong password for the Tomcat user? Which files need to be updated to start using a password for the Tomcat user?

We would also explore using AWS Secrets Manager to store and retrieve the password.
What changes in KB and KAUI need to be done to support this?
  • Kaui login page issues
    • No support for locking the account after repeated login attempts with wrong passwords. An admin should be able to unlock locked users, or they should be auto-unlocked after a certain (configurable) duration.
    • No support for configuring a password policy (min and max characters, capital letters, special characters, etc.)

  • Use of a vulnerable JS library
    • Our scan showed that the KB system is using jQuery JavaScript Library v1.12.4, which has existing vulnerabilities.
      What is the solution to use the latest stable version of the jQuery JavaScript Library in the KB system? If we need to upgrade it ourselves, please provide the steps.

  • Use of our own customised OS image (with security hardening)
    • Is any special handling needed in KB or KAUI to be compatible with our own customised OS image based on some version of Ubuntu?
    • Is there any hard dependency of KB or KAUI on ubuntu:20.04?
Note: We will continue to analyse/scan/test the KB system to ensure no security vulnerabilities exist before using it in production.

Thanks
Vivek

karan bansal

Mar 26, 2024, 2:51:57 PM
to Kill Bill users mailing-list
Hi Vivek,

You can configure the password per requirement in shiro.ini. Please refer to these docs. The same should also explain the various auth options available, and that way you can enforce any password management policy.

I will check more details about the jQuery JS library and get back with more info.

For a customized OS image, there is no hard dependency, so this should be fine. However, the best option is to go to a test environment first before moving to prod.

Regards
Karan

vivek rao

Apr 3, 2024, 2:24:32 AM
to Kill Bill users mailing-list
Hello Karan

Any update on the jQuery JS library security issue?

Also, we need to remove/block the KB Swagger documentation/API exposure from the deployed environment. Could you please provide the steps to do the same.

/swagger.json
/api.html
/docs#/
/openapi.json

Thanks
Vivek

karan bansal

Apr 3, 2024, 2:48:25 PM
to Kill Bill users mailing-list
Hi Vivek,

The issue for the jQuery library can be tracked here: https://github.com/killbill/killbill-admin-ui/issues/395

Let me gather more info about disabling swagger.json (and the others) and get back.

Regards
Karan

vivek rao

Apr 10, 2024, 1:14:33 AM
to Kill Bill users mailing-list
Hi Karan

- Any update on how to disable swagger.json?

- One more point which needs support is that we cannot configure sensitive KB env variables in our Dockerfile. We need to configure them in the AWS Parameter Store and read them from there. How can KB read these during startup? What code changes need to be done for this to happen?

Following are the env variables which we want to keep in the AWS Parameter Store:

KB Env Variables:
KB_org_killbill_dao_url
KB_org_killbill_dao_user
KB_org_killbill_dao_password
KB_org_killbill_billing_osgi_dao_url
KB_org_killbill_billing_osgi_dao_user
KB_org_killbill_billing_osgi_dao_password

 

KAUI Env Variables:
KAUI_DB_URL
KAUI_DB_USERNAME
KAUI_DB_PASSWORD
KAUI_KILLBILL_URL
KAUI_KILLBILL_DISABLE_SSL_VERIFICATION


Thanks
Vivek

karan bansal

Apr 10, 2024, 11:22:32 PM
to Kill Bill users mailing-list
Hi Vivek,

You will need to use some external proxy to block these URLs. Let me gather more info about reading env variables from the AWS store and get back.

Regards
Karan

vivek rao

Apr 12, 2024, 12:43:32 AM
to Kill Bill users mailing-list
Hi Karan

Any update on how to read env variable values from the AWS store?

Thanks
Vivek

karan bansal

Apr 14, 2024, 12:51:53 PM
to Kill Bill users mailing-list
Hi Vivek,

Reading properties is currently supported only in the CloudFormation setup and not supported out of the box for Docker. You can however create a shell script to fetch the values from the Parameter Store and generate the environment file, then update the Docker file to use the environment file. Here is an example script:

KILLBILL_DAO_URL=$(aws ssm get-parameter --name "/path/to/kb_variables/KILLBILL_DAO_URL" --query "Parameter.Value" --output text)
...
cat << EOF > env_file.txt
KILLBILL_DAO_URL=$KILLBILL_DAO_URL
EOF

Docker file to use the environment file : 

services:
  killbill:
    image: killbill/killbill:0.24.9
    ports:
      - "8080:8080"
    env_file:
      - ./env_file.txt

Regards
Karan

vivek rao

Apr 16, 2024, 6:55:22 AM
to Kill Bill users mailing-list

Hi

Code scan shows that Killbill is putting the cookie in the response, which could potentially be a security risk.

[attachment: cookie.png]

The policy we have is as follows:
Cookies that contain the user's session identifier, and other sensitive application cookies, are typically accessible by client-side scripts, such as JavaScript. Unless the web application explicitly prevents this using the "httpOnly" cookie flag, these cookies could be read and accessed by malicious client scripts, such as Cross-Site Scripting (XSS).

Could you please confirm how to handle this issue? Is there any change that can be done in the code to make the cookie httpOnly, because we are anyway building the KB war and deploying it inside the $TOMCAT_HOME/webapps folder as ROOT.war?

Thanks
Vivek

vivek rao

Apr 18, 2024, 1:20:42 AM
to Kill Bill users mailing-list
Hi,

Any update on the issue reported above related to the cookie?

karan bansal

Apr 18, 2024, 9:30:30 AM
to Kill Bill users mailing-list
Hi Vivek,

I am discussing this internally and will update you as soon as I have something further.

Regards
Karan

stephane brossier

Apr 18, 2024, 9:21:10 PM
to karan bansal, Kill Bill users mailing-list
The profile 'kiillpay' is not actively used, so although your code scan finds it, I don't expect this code to be run when you deploy the Kill Bill server.


vivek rao

Apr 25, 2024, 6:40:03 AM
to Kill Bill users mailing-list
Hello

The default super user details in the KB system are as follows:
user name: admin
password: password

When we move to prod we want to change this default password to a new one. How do we do this?
We don't want to use "password" as it is directly.

In fact, we want to set this password through an env variable. Could you please suggest how this can be done? I could not see any env variable for this in the guide.
In the same way, we want to source the tenant's API Key and API Secret from env variables too, as we plan to source them from the AWS Parameter Store, which can be read and passed as env variables to our KB ECS service.

There is an external system in our solution which would call KB APIs using these user credentials and the tenant API key and secret.

Please suggest a solution for this use case where we want to source the credentials from the AWS Parameter Store, which is a more secure way of managing credentials.

Thanks
Vivek

karan bansal

Apr 25, 2024, 12:45:29 PM
to Kill Bill users mailing-list
Hi Vivek,

I believe I have shared the information earlier in this thread regarding generating the env file and using it for Docker. Did you get a chance to try that?

Similarly, in one of the other threads, you mentioned passwords and I had pointed to https://docs.killbill.io/latest/user_management. This should allow you to have the required auth in place.

Regards
Karan

vivek rao

May 5, 2024, 11:23:33 PM
to Kill Bill users mailing-list
We cannot use the method which you have suggested.
In our deployment solution, the image gets built only once and the same image gets deployed in various envs (Dev, Stage, Production).
So the env file in the Docker file will not work, as we need to have different passwords for the admin user in different environments. These need to be set dynamically at run time, at the time of ECS start, which uses the same image generated at build time.

So we are looking for a method to set the admin user password as an ENV variable or read it from some external source (AWS Parameter Store) during boot time.

The same applies even for the tenant API key and secret.

We plan to use a single tenant as of now; we have some other services on AWS which will call KB APIs, and for this our system should query the tenant API key and secret from the AWS Parameter Store.
This key and secret for the same tenant name could be different in different envs.

I hope my use case is clear.
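As an added example that is neither Kill Bill's code nor the script Karan posted on Apr 14, the entrypoint wrapper below carries the Parameter Store approach through to the requirement in the May 5 post: one image for all environments, with none of the values baked in. The variables listed in the Apr 10 post are fetched from SSM when the container starts, either into an env_file for docker compose (Karan's variant) or straight into the process environment before exec-ing the server (the ECS variant). The parameter layout /killbill/<env>/<VARIABLE_NAME>, the KB_ENV, KB_PARAM_PREFIX and KB_ENTRYPOINT_RUN variables and the /kb-entrypoint.sh path are assumptions; `aws ssm get-parameter --with-decryption` is the real CLI call. It covers only the variables listed in the thread; the admin password and the tenant API key/secret, which the thread leaves unresolved, are not handled here.

```shell
#!/bin/sh
# Added example (not Kill Bill's code, not the script from the thread): resolve the
# environment-specific Kill Bill/Kaui variables from AWS SSM Parameter Store at
# container start, so one image serves dev/stage/prod without baking values in.
# Assumptions (hypothetical): parameters live under /killbill/<env>/<VARIABLE_NAME>,
# KB_ENV selects the environment, KB_ENTRYPOINT_RUN=1 turns on the entrypoint path.
set -eu

PARAM_PREFIX="${KB_PARAM_PREFIX:-/killbill/${KB_ENV:-dev}}"

# The variables listed in the thread; every one of them differs per environment.
SECRET_VARS="KB_org_killbill_dao_url KB_org_killbill_dao_user KB_org_killbill_dao_password
KB_org_killbill_billing_osgi_dao_url KB_org_killbill_billing_osgi_dao_user
KB_org_killbill_billing_osgi_dao_password
KAUI_DB_URL KAUI_DB_USERNAME KAUI_DB_PASSWORD KAUI_KILLBILL_URL
KAUI_KILLBILL_DISABLE_SSL_VERIFICATION"

# Fetch one parameter. --with-decryption is needed for SecureString values; the
# task role only needs ssm:GetParameter (and kms:Decrypt) on this one path prefix.
fetch_param() {
    aws ssm get-parameter --name "$1" --with-decryption \
        --query "Parameter.Value" --output text
}

# Resolve every variable and hand each name/value pair to the callback in $1.
# A missing parameter aborts instead of starting the service with an empty password.
resolve_secrets() {
    cb="$1"
    for name in $SECRET_VARS; do
        value=$(fetch_param "${PARAM_PREFIX}/${name}") || {
            echo "startup aborted: parameter ${PARAM_PREFIX}/${name} not readable" >&2
            return 1
        }
        "$cb" "$name" "$value"
    done
}

# Callback 1: append a KEY=VALUE line (docker compose env_file format, literal values).
write_env_line() { printf '%s=%s\n' "$1" "$2" >> "$ENV_OUT"; }

# Callback 2: export directly into this process; nothing is written to disk.
export_var() { export "$1=$2"; }

# Variant of the thread's script: build an env_file for docker compose, mode 0600.
generate_env_file() {
    ENV_OUT="$1"
    umask 077
    : > "$ENV_OUT"
    resolve_secrets write_env_line
}

# Entrypoint variant: values live only in the environment of the exec'd process.
export_secrets() { resolve_secrets export_var; }

# Refuse to boot with the well-known default database password still in place.
reject_default_password() {
    [ "${KB_org_killbill_dao_password:-}" != "password" ] &&
    [ "${KAUI_DB_PASSWORD:-}" != "password" ]
}

# Entrypoint usage (assumed Dockerfile): ENTRYPOINT ["/kb-entrypoint.sh"] with the
# image's original CMD left in place; KB_ENTRYPOINT_RUN=1 is set in the task definition.
if [ "${KB_ENTRYPOINT_RUN:-0}" = 1 ]; then
    export_secrets
    reject_default_password || { echo "startup aborted: default password in use" >&2; exit 1; }
    exec "$@"
fi
```

The entrypoint path fails closed: a parameter that cannot be read, or a password still equal to the default, stops the task instead of starting Kill Bill half-configured, so the problem shows up in the ECS task events rather than as database errors later. The env_file variant is kept for the compose workflow from the thread, but note that it leaves the values on disk for as long as the file exists, which is why the wrapper prefers exporting directly.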