cloudstack-issues mailing list archives

From "Marco Sinhoreli (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (CLOUDSTACK-10378) udp port 111 (rpcbind) is exposed in the public interface on SSVM
Date Thu, 24 May 2018 18:51:00 GMT

     [ https://issues.apache.org/jira/browse/CLOUDSTACK-10378?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Marco Sinhoreli updated CLOUDSTACK-10378:
-----------------------------------------
    Description: 
The secondary storage VM is exposing the NFS rpcbind udp port (111) to the internet on the
public network interface. It can cause security risks. If you expose the RPC/portmap udp port
111 service to the internet, everybody can query this information without having to authenticate.
It can be useful to attackers to know what you have running. Also, the RPC service has a history
of security vulnerabilities.

The recommendation is to update the iptables rules on the system VM template to block the 111
udp port.

  was:
If you expose the RPC/portmap udp port 111 service to the internet, everybody can query this
information without having to authenticate. It can be useful to attackers to know what you
have running.

Also, the RPC service has a history of security vulnerabilities.


> udp port 111 (rpcbind) is exposed in the public interface on SSVM
> -----------------------------------------------------------------
>
>                 Key: CLOUDSTACK-10378
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-10378
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the default.) 
>          Components: SystemVM
>    Affects Versions: 4.11.0.0
>            Reporter: Marco Sinhoreli
>            Priority: Critical
>
> The secondary storage VM is exposing the NFS rpcbind udp port (111) to the internet on
> the public network interface. It can cause security risks. If you expose the RPC/portmap udp port
> 111 service to the internet, everybody can query this information without having to authenticate.
> It can be useful to attackers to know what you have running. Also, the RPC service has a history
> of security vulnerabilities.
> The recommendation is to update the iptables rules on the system VM template to block the
> 111 udp port.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
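
An added example, not from the JIRA ticket or the CloudStack code base: a shell function that reads `iptables-save` output and reports whether udp/111 is blocked on a given interface, which is the check the ticket's recommendation implies. The interface name `eth2` and the sample ruleset are assumptions constructed for illustration; only INPUT rules that name `-p udp` and `--dport 111` explicitly are evaluated.

```shell
#!/bin/sh
# Added example: audit an iptables-save dump for rpcbind (udp/111) exposure.
# Limits: filter table INPUT chain only, and only rules naming "-p udp" and
# "--dport 111" explicitly; multiport, ranges and user chains are not followed.

# rpcbind_verdict IFACE < iptables-save-output  -> prints "blocked" or "exposed"
rpcbind_verdict() {
    awk -v ifc="$1" '
        $1 == "*filter" { in_filter = 1; next }
        /^\*/           { in_filter = 0; next }
        !in_filter      { next }
        $1 == ":INPUT"  { policy = $2; next }
        $1 == "-A" && $2 == "INPUT" && !decided {
            proto = dport = in_if = target = ""
            for (i = 3; i < NF; i++) {
                if ($i == "-p") proto = $(i + 1)
                else if ($i == "--dport") dport = $(i + 1)
                else if ($i == "-i") in_if = $(i + 1)
                else if ($i == "-j") target = $(i + 1)
            }
            # Skip rules that do not apply to udp/111 on this interface.
            if (proto != "udp" || dport != "111") next
            if (in_if != "" && in_if != ifc) next
            # First matching rule wins, as in kernel rule traversal.
            if (target == "ACCEPT") decided = "exposed"
            else if (target == "DROP" || target == "REJECT") decided = "blocked"
        }
        END {
            # No explicit rule matched: the chain policy decides.
            if (!decided) decided = (policy == "DROP") ? "blocked" : "exposed"
            print decided
        }'
}

# Constructed sample ruleset (not taken from a real SSVM); $1 is an optional
# rule placed first in INPUT. eth2 as the public interface is an assumption.
sample_rules() {
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
    if [ -n "$1" ]; then printf '%s\n' "$1"; fi
    printf '%s\n' '-A INPUT -p udp -m udp --dport 111 -j ACCEPT' 'COMMIT'
}

sample_rules | rpcbind_verdict eth2
sample_rules '-A INPUT -i eth2 -p udp -m udp --dport 111 -j DROP' | rpcbind_verdict eth2
```

On a running system VM, `iptables-save | rpcbind_verdict eth2` (as root) applies the same check to the live ruleset.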
