Skip to main content

Insecure service configuration - Keystore

Description

Cryptographic key containers such as keystores should have good security practices, among them:

  • The Secretkey and Keystore should be in protected environments.
  • The secrets should be aligned with strong password policies (do not use default passwords).
  • The Secretkey should not be stored in the source code.
  • Passwords to access the Keystore should not be the same as the private password.

Impact

Get access to the private keys of the debugging certificates to test the application and understand its operation to generate new attack vectors.

Recommendation

Implement good security practices against Keystore containers.

  • Do not store secrets in the source code.
  • Change default passwords.

Threat

Authenticated attacker from intranet.

Expected Remediation Time

⌚ 30 minutes.

Score

Default score using CVSS 3.1. It may change depending on the context of the vulnerability.

Base

  • Attack vector: A
  • Attack complexity: H
  • Privileges required: L
  • User interaction: N
  • Scope: U
  • Confidentiality: L
  • Integrity: N
  • Availability: N

Temporal

  • Exploit code madurity: P
  • Remediation level: O
  • Report confidence: X

Result

  • Vector string: CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:X
  • Score:
    • Base: 2.6
    • Temporal: 2.4
  • Severity:
    • Base: Low
    • Temporal: Low

Code Examples

Compliant code

Password access is correctly and unique for all services

server:
port: 8443
ssl:
key-store: classpath:keystore.jks
key-store-password: password.secret

Non compliant code

A service is configured with a default password

server:
port: 8443
ssl:
key-store: classpath:keystore.jks
key-store-password: "password"

Requirements