We release security updates for the following versions:
| Version | Supported |
|---|---|
| 3.2.x | ✅ |
| < 3.2 | ❌ |
We take the security of snmp-olt-zte (ZTE C320/C300 SNMP adapter) seriously. If you believe you have found a security vulnerability, please report it to us as described below.
Please DO NOT report security vulnerabilities through public GitHub issues.
Instead, please report them via email to:
- Primary Contact: admin@ckt.co.id
- Alternative: Create a Security Advisory
You should receive a response within 48 hours. If for some reason you do not, please follow up to ensure we received your original message.
Please include the following information in your report:
- Type of vulnerability
- Full paths of source file(s) related to the manifestation of the issue
- Location of the affected source code (tag/branch/commit or direct URL)
- Any special configuration required to reproduce the issue
- Step-by-step instructions to reproduce the issue
- Proof-of-concept or exploit code (if possible)
- Impact of the issue, including how an attacker might exploit it
- Initial Response: Within 48 hours
- Status Update: Within 7 days
- Fix Release: Depends on severity
- Critical: Within 7 days
- High: Within 30 days
- Medium: Within 90 days
- Low: Next regular release
CRITICAL - Never commit sensitive data:
.envfiles are gitignored - use.env.exampleas template- Use environment variables for all sensitive configuration
- Rotate credentials regularly
Example secure configuration:
# NEVER commit actual values
SNMP_COMMUNITY=complex_random_string_here
REDIS_PASSWORD=another_complex_passwordAlways use HTTPS in production:
USE_TLS=true
TLS_CERT_FILE=/path/to/fullchain.pem
TLS_KEY_FILE=/path/to/privkey.pemObtain certificates from:
- Let's Encrypt (free)
- Commercial CA (Sectigo, DigiCert, etc.)
Restrict origins in production:
# Bad - allows all origins
CORS_ALLOWED_ORIGINS=*
# Good - specific domains only
CORS_ALLOWED_ORIGINS=https://yourdomain.com,https://api.yourdomain.comFirewall rules:
# Allow only necessary ports
sudo ufw allow 443/tcp # HTTPS
sudo ufw deny 8081/tcp # Block direct access to app port
sudo ufw allow from <trusted_ip> to any port 6379 # Redis (if external)Use internal networks:
- Keep Redis on private network
- Use VPN or SSH tunnel for administrative access
- Implement network segmentation
SNMP v2c limitations:
- Community strings are transmitted in plaintext
- Use strong, unique community strings
- Consider network-level encryption (VPN/IPSec)
Network restrictions:
# Configure OLT to accept SNMP only from specific IPs
# Check your ZTE C320/C300 OLT documentationBuilt-in rate limiting protects against abuse:
- Default: 100 requests/second, burst 200
- Adjust in
app/routes.goif needed
- Default: 90 seconds
- Prevents resource exhaustion from slow clients
- Default: 1 MB
- Prevents large payload attacks
All user inputs are validated:
- Board ID: Must be 1 or 2
- PON ID: Must be 1-16
- ONU ID: Must be numeric
Automatically applied headers:
X-Content-Type-Options: nosniffX-Frame-Options: DENYX-XSS-Protection: 1; mode=blockStrict-Transport-Security(when TLS enabled)Content-Security-Policy
Always set Redis password:
REDIS_PASSWORD=very_strong_password_hereBind to localhost if Redis is on same host:
# In redis.conf
bind 127.0.0.1 ::1
# OR with Docker
docker run -d redis:7.2 redis-server --protected-mode yes# In redis.conf
rename-command FLUSHDB ""
rename-command FLUSHALL ""
rename-command CONFIG ""Always use official images from trusted sources:
services:
redis:
image: redis:7.2 # Official Redis imageApplication runs as non-root user in Docker:
USER nonroot:nonrootMount sensitive files as read-only:
volumes:
- ./certs:/certs:roSet memory and CPU limits:
services:
app:
mem_limit: 2g
cpus: '1.0'secrets:
snmp_community:
external: true
redis_password:
external: true
services:
app:
secrets:
- snmp_community
- redis_passwordapiVersion: v1
kind: Secret
metadata:
name: olt-secrets
type: Opaque
stringData:
snmp-community: "your_snmp_community"
redis-password: "your_redis_password"For enterprise deployments, integrate with Vault for secret management.
- Issue: SNMP v2c transmits community strings in plaintext
- Mitigation:
- Use VPN or encrypted network connection to OLT
- Restrict network access with firewall rules
- Use strong, unique community strings
- Consider upgrading to SNMPv3 if OLT supports it
- Issue: Cache hit/miss timing could leak information
- Impact: Low - only reveals if data exists in cache
- Mitigation: Implemented - consistent error responses
- Issue: Compromised Redis could serve malicious data
- Mitigation:
- Secure Redis with authentication
- Use private network for Redis
- Implement Redis ACLs if available
- Issue: High request rate could exhaust resources
- Mitigation: Implemented
- Rate limiting: 100 req/s
- Request timeout: 90s
- Body size limit: 1 MB
- Connection pooling
- Changed default SNMP community string
- Set Redis password (REDIS_PASSWORD)
- Enabled HTTPS/TLS (USE_TLS=true)
- Configured restrictive CORS origins
- Disabled unnecessary ports in firewall
- Set up network segmentation
- Configured resource limits (memory, CPU)
- Enabled security headers
- Set up log aggregation and monitoring
- Implemented backup strategy
- Documented incident response plan
- Tested disaster recovery procedures
- All inputs validated
- No hardcoded credentials
- Secrets loaded from environment variables
- Error messages don't leak sensitive information
- Dependencies regularly updated
- Code reviewed for security issues
- Unit tests cover security-critical paths
- SAST (Static Analysis) tools run
- Dependency vulnerability scanning enabled
We follow responsible disclosure practices:
- Reporter submits vulnerability → Security team acknowledges (48h)
- Security team investigates → Severity assessment (7 days)
- Fix developed and tested → Timeline depends on severity
- Security advisory published → After fix is deployed
- Reporter credited → In advisory (if desired)
- Critical vulnerabilities: 7 days
- High severity: 30 days
- Medium severity: 90 days
- Low severity: Next regular release
We may request an extension if more time is needed for complex fixes.
- GitHub Releases: Watch repository for security releases
- Security Advisories: Enable GitHub Security Advisories notifications
- Mailing List: Subscribe (if available)
- Security patches released as soon as possible
- Always update to latest version promptly
- Review CHANGELOG for security fixes
This service processes network device data:
- Data Types: ONU identifiers, IP addresses, device status
- Storage: Cached in Redis (temporary, 10-minute TTL)
- Access: Via authenticated SNMP and Redis
- Retention: Cache data expires automatically
Logs may contain:
- Request IDs
- IP addresses (not logged by default)
- Error messages
Do not log:
- SNMP community strings
- Redis passwords
- User credentials
1. Dependency Scanning:
# Using govulncheck
go install golang.org/x/vuln/cmd/govulncheck@latest
govulncheck ./...2. Static Analysis:
# Using gosec
go install github.com/securego/gosec/v2/cmd/gosec@latest
gosec ./...3. Container Scanning:
# Using Trivy
trivy image cepatkilatteknologi/snmp-olt-zte:latestLast Updated: 2025-12-15
For security concerns, contact: admin@ckt.co.id (or open a Security Advisory)