CCC Load Balancer Capabilities Threats
Threats for Load Balancer Capabilities technologies, as defined by the FINOS Common Cloud Controls project.
- ID: CCC.LB.TH
- Version: v2026.06-rc5
- Gemara version: v1.2.0
- Author: FINOS Common Cloud Controls
Resource Management
The Resource Management group covers entries related to the lifecycle, configuration, and operational integrity of cloud resources. This includes resource exhaustion, tag manipulation, version rollback, scaling, and cost management.
CCC.LB.TH01 Unrestricted Request Traffic Overwhelms Downstream Services
Absence of filtering or rate limiting permits malicious traffic to overload downstream services and facilitates brute-force activity.
Capabilities
- CCC.Core.Capabilities
- CCC.Core.CP04 — Transaction Rate Limits
- CCC.LB.Capabilities
- CCC.LB.CP22 — Rate Limiting / Throttling
CCC.LB.TH05 Health Checks Are Exploited to Take Services Offline
Manipulating health-check endpoints or responses can cause healthy targets to be marked unavailable, leading to denial of service.
Capabilities
- CCC.LB.Capabilities
- CCC.LB.CP12 — Health Checks
- CCC.LB.CP13 — Target Removal
Networking
The Networking group covers entries related to network infrastructure, connectivity, and traffic management. This includes virtual networks, subnets, load balancing, DNS, routing, peering, and network-level access controls.
CCC.LB.TH03 Traffic Distribution Is Manipulated
Adjusting distribution policies can concentrate traffic on specific nodes, causing denial of service, or redirect flows through unwanted paths.
Capabilities
- CCC.LB.Capabilities
- CCC.LB.CP02 — Dynamic LB
- CCC.LB.CP20 — Traffic Splitting
Access Control
The Access Control group covers entries related to authentication, authorization, and trust perimeter enforcement. This includes multi-factor authentication, least privilege access, network access rules, and prevention of unauthorized access or reconnaissance.
CCC.LB.TH04 Session Persistence Is Exploited
Improper session-affinity settings can enable session fixation or hijacking across backend targets.
Capabilities
- CCC.LB.Capabilities
- CCC.LB.CP15 — Session Affinity
Data Resilience
The Data Resilience group covers entries related to ensuring data availability, integrity, and sovereignty across its lifecycle. This includes replication, backup, recovery, region restrictions, and protection against data loss or corruption.
CCC.LB.TH06 Sensitive Metadata Exposure via HTTP Headers
Response headers may reveal software versions, internal IPs, or other metadata useful for reconnaissance.
Capabilities
- CCC.LB.Capabilities
- CCC.LB.CP19
Encryption
The Encryption group covers entries related to protecting data confidentiality and integrity through cryptographic mechanisms. This includes encryption in transit and at rest, key management, and certificate lifecycle management.
CCC.LB.TH07 TLS Certificates Are Expired or Invalid
Stale or untrusted certificates weaken encrypted-traffic protection.
Capabilities
- CCC.LB.Capabilities
- CCC.LB.CP11 — SSL/TLS Termination