Vulnerable IMDSV1 call in AWS environment when using VIP AuthHub

Article ID: 371864


Updated On:

Products

VIP Authentication Hub

Issue/Introduction

Even after enabling IMDSv2 as required on the worker nodes, the factors-svc:3.1.1.1027 image is still making IMDSv1 calls. Below is an example log entry showing such a v1 call:

[2024-06-08 11:42:15,242] [WARNING] IMDSv1(!) (pid:1904:java argv:podname:ssp-dit-ssp-factor-66dfc9b455-dhh9f:cmdlineinfo:java -Dcom.sun.jndi.ldap.connect.pool.protocol=plain ssl -Xms1024m -Xmx1024m -Dcom.sun.jndi.ldap.connect.pool.debug=none -Dcom.sun.jndi.ldap.connect.pool.timeout=%!d(float64=60000) -Dcom.sun.jndi.ldap.connect.pool.initsize=%!d(float64=1) -Dcom.sun.jndi.ldap.connect.pool.prefsize=%!d(float64=0) -Dcom.sun.jndi.ldap.connect.pool.maxsize=%!d(float64=0) -jar /opt/app/factorssvc.jar) called by -> (pid:15289:containerd-shim argv:podname:ssp-dit-ssp-factor-66dfc9b455-dhh9f:cmdlineinfo:/usr/bin/containerd-shim-runc-v2 -namespace k8s.io -id f9cac920e88ee73c01286a1d36c445e8fb860f6f57da5eb2e0f9cee6bdc49a35 -address /run/containerd/containerd.sock) -> (pid:1:systemd argv:/usr/lib/systemd/systemd --switched-root --system --deserialize 21) Req details: GET /latest/meta-ata/instance-id HTTP/1.1, Host: 169.254.169.254, Accept: */*,
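For triaging warnings of the shape quoted above across a cluster, the following is an added example (not part of this article or of the VIP Authentication Hub product) that parses such lines into structured records and summarizes, per pod, which metadata paths were requested over IMDSv1. The sample log is constructed: the first line mirrors the structure of the warning above, the second is an invented line for a hypothetical second pod, and the third is an unrelated line that must be ignored.

```python
import re
from collections import defaultdict

# Constructed sample log (not copied from a real system). Line 1 follows the
# layout of the warning quoted in the article; line 2 is invented for a
# hypothetical pod "example-other-pod-0"; line 3 is unrelated noise.
SAMPLE_LOG = """\
[2024-06-08 11:42:15,242] [WARNING] IMDSv1(!) (pid:1904:java argv:podname:ssp-dit-ssp-factor-66dfc9b455-dhh9f:cmdlineinfo:java -jar /opt/app/factorssvc.jar) called by -> (pid:15289:containerd-shim argv:podname:ssp-dit-ssp-factor-66dfc9b455-dhh9f:cmdlineinfo:/usr/bin/containerd-shim-runc-v2) -> (pid:1:systemd argv:/usr/lib/systemd/systemd) Req details: GET /latest/meta-data/instance-id HTTP/1.1, Host: 169.254.169.254, Accept: */*,
[2024-06-08 11:42:16,001] [WARNING] IMDSv1(!) (pid:2210:java argv:podname:example-other-pod-0:cmdlineinfo:java -jar /opt/app/other.jar) called by -> (pid:1:systemd argv:/usr/lib/systemd/systemd) Req details: GET /latest/meta-data/ HTTP/1.1, Host: 169.254.169.254, Accept: */*,
[2024-06-08 11:42:17,500] [INFO] unrelated line that the parser must skip
"""

# One IMDSv1 warning: timestamp, the process that issued the request
# (pid, binary, argv), the "called by" ancestry, then the request details.
# The argv group is non-greedy so parentheses inside the JVM arguments
# (as in the article's log line) do not confuse the match.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[WARNING\] IMDSv1\(!\) "
    r"\(pid:(?P<pid>\d+):(?P<proc>[^ ]+) argv:(?P<argv>.*?)\) called by"
    r".*?Req details: (?P<method>[A-Z]+) (?P<path>\S+) HTTP/1\.[01], "
    r"Host: (?P<host>[^,]+)"
)
# The pod name is embedded in the argv field as "podname:<name>:".
POD_RE = re.compile(r"podname:(?P<pod>[^:]+):")


def parse_imdsv1_events(text):
    """Return one dict per IMDSv1 warning line; other lines are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        pod = POD_RE.search(m.group("argv"))
        events.append({
            "ts": m.group("ts"),
            "pid": int(m.group("pid")),
            "process": m.group("proc"),
            "pod": pod.group("pod") if pod else None,
            "method": m.group("method"),
            "path": m.group("path"),
            "host": m.group("host"),
        })
    return events


def summarize_by_pod(events):
    """Map pod name -> sorted list of distinct metadata paths requested via IMDSv1."""
    paths = defaultdict(set)
    for e in events:
        paths[e["pod"] or "<no pod>"].add(e["path"])
    return {pod: sorted(p) for pod, p in paths.items()}


if __name__ == "__main__":
    for pod, paths in summarize_by_pod(parse_imdsv1_events(SAMPLE_LOG)).items():
        print(f"{pod}: {', '.join(paths)}")
```

Feeding the real node logs through `parse_imdsv1_events` gives a quick answer to the question this article raises: which pods (and which binaries inside them) are still talking IMDSv1, and for which paths, so each can be traced to its source component the way the Hazelcast Phone Home call is traced below.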

Environment

VIP Authentication Hub 3.1.1

Cause

An IMDSv1-specific call is made by the Hazelcast server during startup. Based on our findings, we have confirmed that Phone Home, an internal component of Hazelcast, makes two requests to the AWS metadata service when members start up. Hazelcast uses phone home data to learn about the usage of Hazelcast. For more details about Phone Homes, refer to this section of the documentation: https://docs.hazelcast.com/hazelcast/5.4/phone-homes

In our local environment, during member startup we can see the following logs at the FINEST log level:

Jul 04, 2024 7:30:32 PM sun.net.www.protocol.http.HttpURLConnection plainConnect0
FINEST: ProxySelector Request for http://169.x.x.x/latest/meta-data
Jul 04, 2024 7:30:32 PM sun.net.www.protocol.http.HttpURLConnection plainConnect0
FINEST: ProxySelector Request for http://169.x.x.x/latest/meta-data

In your scenario, since IMDSv2 is marked as required in the metadata options of the related EC2 instance, these requests get a 401 Unauthorized response. However, as these requests originate only from Phone Home, they do not cause any negative impact on the members.

Resolution

We can disable this use of phone home by Hazelcast by passing -Dhazelcast.phone.home.enabled=false through the javaOpts entry of the SSP values YAML. Once this setting is applied, the IMDSv1-related events should no longer appear.
So you can pass -Dhazelcast.phone.home.enabled=false in the Hazelcast javaOpts through helm install/upgrade, which should resolve the issue; we will consider a permanent fix as part of a future release.

Example -

hazelcast-enterprise:
  hazelcast:
    yaml:
      hazelcast:
        map:
          default:
            time-to-live-seconds: 600
            max-idle-seconds: 0
    existingConfigMap: ssp-hazelcast-config
    javaOpts: "-Djava.io.tmpdir=/data/custom -Dhazelcast.phone.home.enabled=false"
  enabled: true
  fullnameOverride: ssp-hazelcast-entp
  nameOverride: hazelcast-entp
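Because javaOpts is a single string that usually already carries other options (here -Djava.io.tmpdir=/data/custom), it is easy to append the flag in a way that leaves an earlier, conflicting value in place. The following added example (not part of this article or of the Helm chart it describes) checks the effective value of hazelcast.phone.home.enabled in a javaOpts string and rewrites the string so the property is set to false exactly once; it assumes the usual JVM behaviour that a later -D option for the same property overrides an earlier one.

```python
import shlex

PHONE_HOME_PROP = "-Dhazelcast.phone.home.enabled="
PHONE_HOME_OFF = PHONE_HOME_PROP + "false"


def phone_home_disabled(java_opts: str) -> bool:
    """True if the effective value of hazelcast.phone.home.enabled is false.

    javaOpts is split like a shell command line; when the property appears
    more than once, the last occurrence wins (assumed JVM -D semantics).
    """
    value = None
    for tok in shlex.split(java_opts):
        if tok.startswith(PHONE_HOME_PROP):
            value = tok[len(PHONE_HOME_PROP):]
    return value is not None and value.lower() == "false"


def ensure_phone_home_disabled(java_opts: str) -> str:
    """Return java_opts with phone home disabled, dropping any earlier setting.

    Other options are preserved in order, so the existing tmpdir option in the
    article's values file is untouched.
    """
    kept = [t for t in shlex.split(java_opts) if not t.startswith(PHONE_HOME_PROP)]
    kept.append(PHONE_HOME_OFF)
    return " ".join(shlex.quote(t) for t in kept)


if __name__ == "__main__":
    # Value taken from the article's example values file.
    current = "-Djava.io.tmpdir=/data/custom"
    print(phone_home_disabled(current))                 # False
    print(ensure_phone_home_disabled(current))          # adds the flag
```

Running `ensure_phone_home_disabled` over the javaOpts string before `helm upgrade` yields exactly the value shown in the example above, and `phone_home_disabled` is a cheap post-deployment check that the rendered value is what was intended.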