https://bz.apache.org/bugzilla/show_bug.cgi?id=68500

            Bug ID: 68500
           Summary: security-vulnerable SSL connection (TLS 1.1) occurs
                    when sending a heartbeat packet in k8s tribes
           Product: Tomcat 9
           Version: 9.0.52
          Hardware: Other
                OS: Linux
            Status: NEW
          Severity: critical
          Priority: P2
         Component: Cluster
          Assignee: dev@tomcat.apache.org
          Reporter: army...@naver.com
  Target Milestone: -----

Hello. I'm Jongpo Kim from South Korea.

This vulnerability report is about Tomcat (version 9 and later) clustering in a k8s
container.

First, my environment information is below.

*Environment Information*
----------------------------------------------------------------------
Platform : Kubernetes version 1.26 In GKE (1.26.6-gke.1700)
Container Image : tomee:8-jre-8.0.8-plume
Tomcat : 9.0.52.0
JAVA Version : jdk1.8.0.392-8
Used Apache Module
----------------------------------------------------------------------

*I used the Tomcat components below*
----------------------------------------------------------------------
- github :
https://github.com/apache/tomcat/blob/main/java/org/apache/catalina/tribes/membership/cloud/KubernetesMembershipProvider.java
- Apache Doc :
https://tomcat.apache.org/tomcat-10.0-doc/api/org/apache/catalina/tribes/membership/cloud/KubernetesMembershipProvider.html
----------------------------------------------------------------------

When I provision Tomcat clustering for session replication with the
"KubernetesMembershipProvider", the serious error below occurs.

*Error log in catalina.out*
---------------------------------------------------------------------
Jan 12, 2024 5:02:54 PM sun.reflect.DelegatingMethodAccessorImpl invoke
SEVERE: Unable to send heartbeat through Tribes interceptor stack. Will try to
sleep again.
java.util.concurrent.ExecutionException: java.lang.IllegalArgumentException:
Unsupported protocol TLSv1.1
        at java.util.concurrent.FutureTask.report(FutureTask.java:122)
        at java.util.concurrent.FutureTask.get(FutureTask.java:192)
        at
org.apache.catalina.tribes.group.GroupChannel.startHeartbeat(GroupChannel.java:513)
        at
java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
        at java.util.concurrent.FutureTask.runAndReset(FutureTask.java:308)
        at
java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$301(ScheduledThreadPoolExecutor.java:180)
        at
java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:294)
        at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
        at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
        at
org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
        at java.lang.Thread.run(Thread.java:748)
Caused by: java.lang.IllegalArgumentException: Unsupported protocol TLSv1.1
        at sun.security.ssl.ProtocolVersion.namesOf(ProtocolVersion.java:283)
        at
sun.security.ssl.SSLSocketImpl.setEnabledProtocols(SSLSocketImpl.java:345)
        at
sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:463)
----------------------------------------------------------------------

After troubleshooting, I found some vulnerable code in the module.
*KubernetesMembershipProvider.class* uses
*TokenStreamProvider.class* (https://github.com/apache/tomcat/blob/main/java/org/apache/catalina/tribes/membership/cloud/TokenStreamProvider.java)

This code shows that the heartbeat packet is sent with a context created by
*getInstance("TLS")*:
line 35 : SSLContext context = SSLContext.getInstance("TLS");

It could be set statically using SSLContext.getInstance("TLSv1.2").
I know that Java 1.8 uses TLSv1.2 by default, but it does not use version 1.2
in this case.

As you know, TLS v1.1 is no longer supported by common endpoints.
This Java module needs to communicate with the kubelet API. This module must be
upgraded to use TLS 1.2 or later.

* reference :
https://stackoverflow.com/questions/43481010/how-to-enable-only-tlsv1-2-on-java-8-server-application


What I tried.
-------------------------------------------------------------
$CATALINA_OPTS -Dhttps.protocols=TLSv1.2
$JAVA_OPTS -Dhttps.protocols=TLSv1.2
I can confirm that the Java options above are applied correctly in catalina.log
at startup. But KubernetesMembershipProvider still uses TLS 1.1.
-------------------------------------------------------------

Thank you.
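The following Java snippet is an added example, not Tomcat's own TokenStreamProvider code: it reports the JVM settings that decide which versions a "TLS" context enables (the https.protocols property and jdk.tls.disabledAlgorithms among them) and opens a client connection whose enabled protocols are restricted to TLS 1.2 and 1.3 by intersecting an allow-list with what the JVM actually supports, so setEnabledProtocols is never handed a name the JVM rejects. The class name, host and port are assumptions.

```java
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.Security;
import java.util.*;
import javax.net.ssl.*;

public final class TlsVersionCheck {
    // Versions a hardened client should negotiate; everything else is dropped.
    private static final String[] ALLOWED = {"TLSv1.3", "TLSv1.2"};

    /** Collect the JVM settings that decide which versions a "TLS" context enables. */
    static Map<String, String> report() throws GeneralSecurityException {
        Map<String, String> out = new LinkedHashMap<>();
        SSLContext dflt = SSLContext.getDefault();
        out.put("supported", Arrays.toString(dflt.getSupportedSSLParameters().getProtocols()));
        out.put("enabledByDefault", Arrays.toString(dflt.getDefaultSSLParameters().getProtocols()));
        out.put("https.protocols", String.valueOf(System.getProperty("https.protocols")));
        out.put("jdk.tls.disabledAlgorithms",
                String.valueOf(Security.getProperty("jdk.tls.disabledAlgorithms")));
        return out;
    }

    /** Intersect ALLOWED with what this JVM supports; fail if nothing acceptable is left. */
    static String[] restrict(String[] supported) {
        List<String> keep = new ArrayList<>();
        for (String a : ALLOWED) {
            if (Arrays.asList(supported).contains(a)) keep.add(a);
        }
        if (keep.isEmpty()) throw new IllegalStateException("JVM supports none of " + Arrays.toString(ALLOWED));
        return keep.toArray(new String[0]);
    }

    /** Open a client connection pinned to TLS 1.2+ regardless of the context name used. */
    static SSLSocket openStrict(String host, int port) throws IOException, GeneralSecurityException {
        SSLContext ctx = SSLContext.getInstance("TLSv1.2"); // the name the report proposes
        ctx.init(null, null, null);                         // default key/trust managers
        SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, port);
        s.setEnabledProtocols(restrict(s.getSupportedProtocols()));
        s.startHandshake();                                 // fails fast if the peer only offers older versions
        return s;
    }

    public static void main(String[] args) throws Exception {
        report().forEach((k, v) -> System.out.println(k + " = " + v));
        // Placeholder endpoint (assumption); in the reported setup this would be the kubelet/API endpoint.
        String host = args.length > 0 ? args[0] : "kubernetes.default.svc";
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 443;
        try (SSLSocket s = openStrict(host, port)) {
            System.out.println("negotiated = " + s.getSession().getProtocol());
        }
    }
}
```

Running the report part first on the affected JVM shows whether TLSv1.1 appears in the enabled list of the default context or is already in jdk.tls.disabledAlgorithms, which narrows down where the TLSv1.1 name in the stack trace originates.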
