onitake commented on issue #3450: Port 8096 allows unauthenticated access from any IP.
URL: https://github.com/apache/cloudstack/issues/3450#issuecomment-507697560
 
 
   I don't think "works as designed" is going to cut it here.
   
   The upgrade docs from 4.5 explicitly mention this management port needs to be active during the upgrade procedure, so scripts can access the API unauthenticated: http://docs.cloudstack.apache.org/en/4.11.2.0/upgrading/upgrade/upgrade-4.5.html#system-vms-and-virtual-routers
   
   Nothing says that the port is a serious security risk and should be disabled afterwards.
   
   I think a forced binding to localhost would be useful to avoid a potential foot-gun.
   
   Also, what would be the correct value to disable this feature? The value is interpreted as "int", but what would "disable" be? 0? -1?
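A quick way for an operator to verify the concern raised in this comment (the unauthenticated port 8096 being reachable from any IP rather than bound to localhost) is to inspect the listening sockets on the management server. The following is an added example, not code from the issue or from the CloudStack project; it assumes the column layout of `ss -ltn` output and uses a constructed sample so it runs offline. The port number comes from the issue; everything else is an assumption.

```python
import subprocess

# Constructed sample in the layout of `ss -ltn` (not real output from the issue).
# Row 1: port 8096 bound to loopback only (the safe configuration).
# Row 3: port 8096 also bound to the IPv6 wildcard, i.e. reachable from any IP.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     127.0.0.1:8096       0.0.0.0:*
LISTEN  0       128     0.0.0.0:8080         0.0.0.0:*
LISTEN  0       128     [::]:8096            [::]:*
"""

LOOPBACK = {"127.0.0.1", "::1"}


def parse_listeners(ss_output):
    """Return (address, port) pairs for every LISTEN row in ss-style output."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # header line or non-listening state
        local = fields[3]
        # Split on the last colon so IPv6 literals like [::]:8096 parse correctly.
        addr, _, port = local.rpartition(":")
        addr = addr.strip("[]")
        listeners.append((addr, int(port)))
    return listeners


def exposed_bindings(ss_output, port=8096):
    """Return bindings of `port` that are NOT restricted to a loopback address.

    A wildcard (0.0.0.0, ::, *) or a specific non-loopback address means the
    unauthenticated API would be reachable from other hosts.
    """
    return [(a, p) for a, p in parse_listeners(ss_output)
            if p == port and a not in LOOPBACK]


def check_live(port=8096):
    """Run `ss -ltn` on this host and report exposed bindings (assumes iproute2)."""
    try:
        out = subprocess.run(["ss", "-ltn"], capture_output=True,
                             text=True, check=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        return None  # ss unavailable; caller decides how to handle
    return exposed_bindings(out, port)


if __name__ == "__main__":
    # Demonstrate on the constructed sample, then on the live host if possible.
    print("sample:", exposed_bindings(SAMPLE_SS_OUTPUT))
    live = check_live()
    if live is None:
        print("live check skipped (ss not available)")
    elif live:
        print("WARNING: port 8096 bound to non-loopback address(es):", live)
    else:
        print("port 8096 is loopback-only or not listening")
```

On the sample the check flags the `[::]:8096` row and ignores the loopback-only row, which is exactly the distinction the comment's "forced binding to localhost" suggestion is about.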

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


With regards,
Apache Git Services
