The EdgeX Foundry team will be patching all insecure messaging channels that were found to be possible entry points for attackers. In the meantime, users can protect themselves by not running their EdgeX message bus in security-enabled mode, which exposes sensitive data to unauthenticated users by default.

What is a message bus?

A message bus is a software application that lets multiple applications within an organization share messages with one another without all of them having to run at the same time. EdgeX uses message buses to allow its users to communicate with one another and also interact with services such as IoT.

What is an EdgeX Message Bus?

The EdgeX message bus is a messaging service that the EdgeX platform uses for instant messaging, email, and other types of communication. The message bus exposes data like contacts, conversations, and calendars to unauthenticated users. The security-enabled mode is turned off by default so that only authenticated users can access this data.

Is EdgeX message bus secure?

According to the EdgeX Foundry team, they are working on a patch that will fix all insecure messaging channels that were found to be possible entry points for attackers. In the meantime, users can protect themselves by not running their EdgeX message bus in security-enabled mode, which exposes sensitive data to unauthenticated users by default.

To secure your EdgeX network and avoid these security vulnerabilities, follow the instructions below:
1. You must set up a username and password for each node in your EdgeX network;
2. You must configure each component of your node (Apache Mesos/RabbitMQ) so that no one can access or tamper with any transport layer communications or messages;
3. Make sure only members of the root group can create new nodes in your cluster, and make sure that members of this group are always manually approved before adding them as a member of another group.

Timeline

Published on: 06/14/2022 22:15:00 UTC
Last modified on: 06/23/2022 20:57:00 UTC
