Description
Severity: Critical
Affected Components: apis-main, apis-web, apis-common, mongodb
Summary
A security audit of the codebase has revealed multiple critical vulnerabilities that leave the system completely exposed to unauthorized access and control. Taken together, these issues allow any attacker with network access to the hosts to take full control of the energy management system, read and modify the database, and manipulate battery/power exchanges.
Critical Vulnerabilities
- Hardcoded Credentials
Multiple configuration files contain hardcoded sensitive credentials.
Locations:
apis-web/exe/cluster.xml: contains oss_cluster-pass and thepass.
apis-web/exe/cluster-mac.xml: contains my-secret-key.
apis-main/exe/config.json: contains the password e001.
Impact: Attackers with network access can use these values to join the Hazelcast cluster or authenticate as admin.
- Insecure Network Bindings
The mongodb and api-server processes are configured to listen on all network interfaces (0.0.0.0) by default.
Locations:
mongodb/start.sh: uses --bind_ip_all.
apis-web/src/.../ApiServer.java: binds to the default Vert.x host (0.0.0.0).
Impact: The database and API endpoints are exposed to the entire local network (or to the internet, if not firewalled), invalidating any assumption that they are reachable only from localhost.
- Missing Authentication on Control APIs
Critical control endpoints in apis-web lack any form of authentication or authorization.
Locations:
DealGeneration.java (POST /deal): allows unauthenticated injection of energy deals.
LogConfiguration.java (POST /log): allows unauthenticated modification of log levels.
Impact: Attackers can freely manipulate the energy sharing logic and disrupt system observability.
- Insecure Secrets Handling
The ApisLauncher decrypts secret files to the filesystem at runtime and only deletes them on clean shutdown.
Location: apis-common/.../ApisLauncher.java
Impact: Unencrypted secrets persist on disk for the whole runtime (and indefinitely after a crash), so any local file read or inclusion flaw, or any account with filesystem access, recovers them.
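The following is an added example, not code from apis-common, of how the launcher could decrypt a secret file into memory only, so that no plaintext ever touches the filesystem. It assumes (the page does not say how the files are encrypted) an AES-256-GCM blob with a 12-byte IV prefix and a base64 key supplied through an environment variable named APIS_SECRET_KEY; both are assumptions for illustration.

```java
// Added example (not apis-common's own code): keep a decrypted secret in memory
// instead of writing it to disk. Assumptions, not from the project: the file is
// AES-256-GCM ciphertext with a 12-byte IV prefix, and the key arrives
// base64-encoded in the APIS_SECRET_KEY environment variable.
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.GeneralSecurityException;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public final class InMemorySecret implements AutoCloseable {
    private static final int IV_LEN = 12;
    private static final int TAG_BITS = 128;

    private final byte[] plaintext;

    private InMemorySecret(byte[] plaintext) {
        this.plaintext = plaintext;
    }

    /** Decrypts encryptedFile and keeps the result only in this object's byte array. */
    public static InMemorySecret load(Path encryptedFile)
            throws IOException, GeneralSecurityException {
        String b64Key = System.getenv("APIS_SECRET_KEY");
        if (b64Key == null || b64Key.isEmpty()) {
            throw new IllegalStateException("APIS_SECRET_KEY not set");
        }
        byte[] key = Base64.getDecoder().decode(b64Key);
        byte[] blob = Files.readAllBytes(encryptedFile);
        if (blob.length < IV_LEN + TAG_BITS / 8) {
            throw new GeneralSecurityException("ciphertext too short");
        }
        try {
            Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
            GCMParameterSpec spec = new GCMParameterSpec(TAG_BITS, blob, 0, IV_LEN);
            cipher.init(Cipher.DECRYPT_MODE, new SecretKeySpec(key, "AES"), spec);
            // GCM verifies the tag before returning; the plaintext lands in a heap
            // buffer and nothing is written to the filesystem.
            byte[] plain = cipher.doFinal(blob, IV_LEN, blob.length - IV_LEN);
            return new InMemorySecret(plain);
        } finally {
            Arrays.fill(key, (byte) 0);
        }
    }

    /** Hands the caller a view of the secret; callers must not copy it to disk or logs. */
    public byte[] bytes() {
        return plaintext;
    }

    /** Zero the buffer as soon as the secret is no longer needed, not only at shutdown. */
    @Override
    public void close() {
        Arrays.fill(plaintext, (byte) 0);
    }

    // Usage sketch: try (InMemorySecret s = InMemorySecret.load(Path.of("/etc/apis/db.enc"))) {
    //     connectToMongo(s.bytes());   // hypothetical consumer
    // }
}
```

Use it with try-with-resources so the buffer is zeroed on every exit path, including exceptions. Zeroing a Java heap array is best effort (the GC may have copied it), but it removes the disk persistence the page describes. If a downstream component insists on a file path, the fallback is a mode-0600 file on a tmpfs that is deleted immediately after the consumer has read it, not at shutdown.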
Recommendations
- Immediate Mitigation:
  - Change mongodb and ApiServer to bind to 127.0.0.1 (localhost) only.
  - Remove --bind_ip_all from start scripts and start mongod with --bind_ip 127.0.0.1 (or net.bindIp in mongod.conf) instead.
  - Verify with ss -ltn (or netstat -ltn) that no listener remains on 0.0.0.0 or [::].
- Remediation:
  - Externalize Secrets: Remove all hardcoded passwords from the codebase and use environment variables or a secure configuration management system. Rotate the exposed passwords as well, since the old values remain in version-control history.
  - Implement Authentication: Add an authentication layer (e.g., JWT, Basic Auth) in front of all apis-web endpoints, and in particular POST /deal and POST /log.
  - Secure Secrets: Modify ApisLauncher to keep decrypted secrets in memory only, never writing them to disk.
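As an added example, not the project's ApiServer, the Vert.x 4 verticle below shows the two server-side remediations side by side: the HTTP server is bound to loopback rather than the 0.0.0.0 default, and the control routes the page names (/deal and /log) are placed behind an authentication handler. The handler checks a bearer token read from an environment variable; the token scheme, the variable name APIS_WEB_TOKEN, the port, and the stubbed route bodies are assumptions for illustration.

```java
// Added example (not apis-web's own code): a Vert.x 4 verticle that binds to
// 127.0.0.1 instead of the 0.0.0.0 default and requires a bearer token on the
// control routes. The env var APIS_WEB_TOKEN, the port, and the route bodies are
// assumptions, not the project's actual configuration.
import io.vertx.core.AbstractVerticle;
import io.vertx.core.Promise;
import io.vertx.core.http.HttpServerOptions;
import io.vertx.ext.web.Router;
import io.vertx.ext.web.RoutingContext;
import io.vertx.ext.web.handler.BodyHandler;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

public class HardenedApiServer extends AbstractVerticle {
    // Loopback only: HttpServerOptions defaults the host to 0.0.0.0 (all interfaces).
    private static final String BIND_HOST = "127.0.0.1";
    private static final int PORT = 9999; // assumed port

    private final byte[] expectedToken;

    public HardenedApiServer() {
        String token = System.getenv("APIS_WEB_TOKEN");
        if (token == null || token.length() < 32) {
            // Fail closed: refusing to start beats starting without authentication.
            throw new IllegalStateException("APIS_WEB_TOKEN missing or too short");
        }
        this.expectedToken = token.getBytes(StandardCharsets.UTF_8);
    }

    @Override
    public void start(Promise<Void> startPromise) {
        Router router = Router.router(vertx);
        router.route().handler(BodyHandler.create());

        // Authentication handlers are registered before the control handlers, so
        // an unauthenticated request never reaches them.
        router.route("/deal").handler(this::requireToken);
        router.route("/log").handler(this::requireToken);

        // Stand-ins for the real deal-generation and log-configuration handlers.
        router.post("/deal").handler(ctx -> ctx.response().setStatusCode(202).end());
        router.post("/log").handler(ctx -> ctx.response().setStatusCode(204).end());

        HttpServerOptions opts = new HttpServerOptions().setHost(BIND_HOST).setPort(PORT);
        vertx.createHttpServer(opts)
            .requestHandler(router)
            .listen()
            .onSuccess(server -> startPromise.complete())
            .onFailure(startPromise::fail);
    }

    /** Checks "Authorization: Bearer <token>" in constant time; responds 401 otherwise. */
    private void requireToken(RoutingContext ctx) {
        String header = ctx.request().getHeader("Authorization");
        if (header != null && header.startsWith("Bearer ")) {
            byte[] presented = header.substring("Bearer ".length())
                                     .getBytes(StandardCharsets.UTF_8);
            if (MessageDigest.isEqual(presented, expectedToken)) {
                ctx.next();
                return;
            }
        }
        ctx.response()
           .putHeader("WWW-Authenticate", "Bearer")
           .setStatusCode(401)
           .end();
    }
}
```

A shared bearer token is the smallest change that closes the hole; Vert.x also ships BasicAuthHandler and JWTAuthHandler if per-user identities or expiring tokens are needed, and either slots into the same router.route(...).handler(...) position. Binding to loopback means operators reach the API through SSH port forwarding or a local reverse proxy that terminates TLS, which is also where the token should travel.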