Reporting Security Issues

Maintaining the security of Camunda BPM is an important task for us. In our documentation,
we have published our Security Policy
which explains how we deal with security issues.

Besides our proactive efforts, it is very valuable to us when we get feedback from the community about security issues which may exist in Camunda itself or, much more commonly, in one of the libraries and dependencies we use. When you
report security issues, we can investigate them, assess their impact on different usage scenarios, provide fixes and publish
a security notice.

To give you an example: In January, Kai Ullrich from Code White approached us and reported that,
using Camunda’s API, an authenticated user can submit a Java object as a variable value in serialized form. Inside Camunda, the object is deserialized, and this allows an attacker to exploit a vulnerability in Groovy: malicious code can be embedded in a serialized Groovy object and is executed upon deserialization. Kai has published the following blogpost in which he describes the vulnerability in Groovy that can be exploited inside Camunda.

After he reported the issue, we implemented and released guards inside Camunda which allow users to shield their installation against this potential vulnerability in Groovy.
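The pattern Kai reported, as an added example written for this page and not Camunda's or Code White's code: a caller-supplied base64 Java serialization payload read with a plain ObjectInputStream, beside the same read guarded by a class allow-list (the JEP 290 ObjectInputFilter API, Java 9 and later). The classes Customer and Unexpected, the allow-list pattern and the helper names are assumptions made for the demonstration; Unexpected stands in for any class outside the allow-list, no gadget chain is reproduced, and Camunda's actual guards are not shown here and may be implemented differently.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.Base64;

/** Constructed stand-in for a legitimate variable type a client is expected to submit. */
final class Customer implements Serializable {
    private static final long serialVersionUID = 1L;
    final String name;
    Customer(String name) { this.name = name; }
}

/** Constructed stand-in for any class the server never expected to deserialize. */
final class Unexpected implements Serializable {
    private static final long serialVersionUID = 1L;
}

/**
 * Added example (not Camunda's code): unrestricted deserialization of a
 * caller-supplied Java object beside an allow-list guarded variant.
 * Requires Java 9+ for the public ObjectInputFilter API.
 */
public class VariableDeserializationDemo {

    /** Mirrors what an API client sends: base64 text wrapping Java serialization bytes. */
    static String serializeToBase64(Serializable value) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(value);
        }
        return Base64.getEncoder().encodeToString(bos.toByteArray());
    }

    /**
     * Vulnerable: whichever class the bytes name is instantiated, so any gadget
     * chain present on the server classpath runs during readObject().
     */
    static Object unsafeDeserialize(String base64) throws IOException, ClassNotFoundException {
        byte[] bytes = Base64.getDecoder().decode(base64);
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            return ois.readObject();
        }
    }

    /**
     * Allow-list (assumed for this demo): patterns are separated by ';', '!' negates,
     * '*' is a wildcard, and the trailing "!*" rejects every class not named before it.
     * The filter runs before a class is resolved, so a rejected class never executes.
     */
    static final ObjectInputFilter ALLOW_LIST =
            ObjectInputFilter.Config.createFilter("Customer;!*");

    /** Hardened: same read, but every class in the stream must pass the allow-list. */
    static Object guardedDeserialize(String base64) throws IOException, ClassNotFoundException {
        byte[] bytes = Base64.getDecoder().decode(base64);
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            ois.setObjectInputFilter(ALLOW_LIST);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        String good = serializeToBase64(new Customer("alice"));
        String bad = serializeToBase64(new Unexpected());

        // The unrestricted reader accepts both payloads.
        System.out.println("unsafe/good:  " + unsafeDeserialize(good).getClass().getName());
        System.out.println("unsafe/bad:   " + unsafeDeserialize(bad).getClass().getName());

        // The guarded reader accepts only the allow-listed class and rejects the rest.
        System.out.println("guarded/good: " + guardedDeserialize(good).getClass().getName());
        try {
            guardedDeserialize(bad);
        } catch (InvalidClassException e) {
            System.out.println("guarded/bad:  rejected (" + e.getMessage() + ")");
        }
    }
}
```

Compile and run with `javac VariableDeserializationDemo.java && java VariableDeserializationDemo` on Java 9 or later. The allow-list has to name a class for each concrete type a legitimate client may submit; anything else, including the Groovy classes a gadget chain relies on, is refused with an InvalidClassException before its code can run. On Java 8u121 and later the same filtering is available only through the `jdk.serialFilter` system property, not this API.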

To us, this is a success story: thanks to Kai’s and Code White’s efforts we could make Camunda more secure for our users.

If you find any issues related to some of the libraries we are using, please do not hesitate to report them so that we can
investigate these issues.
