[
https://issues.apache.org/jira/browse/CLOUDSTACK-10378?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Marco Sinhoreli updated CLOUDSTACK-10378:
-----------------------------------------
Description:
The secondary storage VM is exposing the NFS rpcbind udp port (111) to the
internet on the public network interface. It can cause security risks. Exposing
the RPC/portmap udp port 111 service to the internet means everybody can query
this information without having to authenticate. It can be useful to attackers to
know what you have running. Also, the RPC service has a history of security
vulnerabilities.
The recommendation is to update the iptables rules on the system VM template to
block the 111 udp port.
was:
The secondary storage VM is exposing the NFS rpcbind udp port (111) to the
internet on the public network interface. It can cause security risks. To
expose the RPC/portmap udp port 111 service to the internet, everybody can
query this information without having to authenticate. It can be useful to
attackers to know what you have running. Also, the RPC service has a history of
security vulnerabilities.
The recommendation is to update the iptables rules on the system VM template to
block the 111 udp port.
> udp port 111 (rpcbind) is exposed in the public interface on SSVM
> -----------------------------------------------------------------
>
> Key: CLOUDSTACK-10378
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-10378
> Project: CloudStack
> Issue Type: Bug
> Security Level: Public(Anyone can view this level - this is the
> default.)
> Components: SystemVM
> Affects Versions: 4.11.0.0
> Reporter: Marco Sinhoreli
> Priority: Critical
>
> The secondary storage VM is exposing the NFS rpcbind udp port (111) to the
> internet on the public network interface. It can cause security risks.
> Exposing the RPC/portmap udp port 111 service to the internet means everybody
> can query this information without having to authenticate. It can be useful to
> attackers to know what you have running. Also, the RPC service has a history
> of security vulnerabilities.
> The recommendation is to update the iptables rules on the system VM template to
> block the 111 udp port.
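An added example, not part of the ticket or of CloudStack's code: a small audit helper that reads `iptables-save` output and reports what the INPUT chain does with a new, unsolicited UDP packet to port 111 on a given interface. The interface names (`eth2` as the public NIC, `eth1` as management) and both rulesets are constructed assumptions; the model is simplified (no negation, multiport, interface wildcards or user-defined chains).

```python
import shlex

def udp111_verdict(ruleset: str, iface: str, port: int = 111) -> str:
    """First-match verdict of the INPUT chain for a NEW UDP packet from an
    arbitrary source to `port` arriving on `iface` (simplified model)."""
    policy = "ACCEPT"
    for line in ruleset.splitlines():
        line = line.strip()
        if line.startswith(":INPUT "):
            policy = line.split()[1]          # chain default policy
        if not line.startswith("-A INPUT"):
            continue
        tok = shlex.split(line)
        # Map each option to the token that follows it.
        opt = {t: tok[i + 1] for i, t in enumerate(tok[:-1]) if t.startswith("-")}
        if opt.get("-i", iface) != iface:
            continue                          # rule bound to another interface
        if opt.get("-p", "udp") not in ("udp", "all"):
            continue                          # rule for another protocol
        if "-s" in opt:
            continue                          # source-restricted, not "anyone"
        states = opt.get("--state") or opt.get("--ctstate")
        if states and "NEW" not in states.split(","):
            continue                          # only matches existing flows
        if "--dport" in opt:
            lo, _, hi = opt["--dport"].partition(":")
            if not int(lo) <= port <= int(hi or lo):
                continue                      # port (or range) does not cover us
        if opt.get("-j") in ("ACCEPT", "DROP", "REJECT"):
            return opt["-j"]                  # terminating target decides
    return policy

# Constructed sample: nothing filters 111/udp, so the policy lets it through.
EXPOSED = """*filter
:INPUT ACCEPT [0:0]
-A INPUT -i eth2 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 3922 -j ACCEPT
COMMIT
"""

# Same ruleset with the kind of rule the ticket recommends (constructed).
HARDENED = EXPOSED.replace(
    "COMMIT", "-A INPUT -i eth2 -p udp -m udp --dport 111 -j DROP\nCOMMIT")

if __name__ == "__main__":
    for name, rules in (("exposed", EXPOSED), ("hardened", HARDENED)):
        print(name, "eth2 ->", udp111_verdict(rules, "eth2"))
```

On a real system VM, feed the function the output of `iptables-save` and the actual public interface name.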