[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-10378?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Marco Sinhoreli updated CLOUDSTACK-10378:
-----------------------------------------
    Description: 
The secondary storage VM is exposing the NFS rpcbind udp port (111) to the 
internet on the public network interface. It can cause security risks. If the 
RPC/portmap udp port 111 service is exposed to the internet, everybody can 
query this information without having to authenticate. It can be useful to 
attackers to know what you have running. Also, the RPC service has a history of 
security vulnerabilities.

The recommendation is to update the iptables rules on the system VM template to 
block the 111 udp port.

  was:
If you expose the RPC/portmap udp port 111 service to the internet, everybody 
can query this information without having to authenticate. It can be useful to 
attackers to know what you have running.

Also, the RPC service has a history of security vulnerabilities.


> udp port 111 (rpcbind) is exposed in the public interface on SSVM
> -----------------------------------------------------------------
>
>                 Key: CLOUDSTACK-10378
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-10378
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the 
> default.) 
>          Components: SystemVM
>    Affects Versions: 4.11.0.0
>            Reporter: Marco Sinhoreli
>            Priority: Critical
>
> The secondary storage VM is exposing the NFS rpcbind udp port (111) to the 
> internet on the public network interface. It can cause security risks. If the 
> RPC/portmap udp port 111 service is exposed to the internet, everybody can 
> query this information without having to authenticate. It can be useful to 
> attackers to know what you have running. Also, the RPC service has a history 
> of security vulnerabilities.
> The recommendation is to update the iptables rules on the system VM template to 
> block the 111 udp port.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
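
The check the issue asks for (udp port 111 blocked on the public interface) can be verified from an `iptables-save` dump. The sketch below is an added example, not part of the original issue or CloudStack's code; the rule sets are constructed, and the interface name `eth2` and the function names are assumptions.

```python
import shlex

# Constructed iptables-save excerpts, not taken from a real system VM.
# The public interface name "eth2" is an assumption for illustration.
EXPOSED = """*filter
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth2 -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p udp -m udp --dport 111 -j ACCEPT
COMMIT
"""
# Same rules with a DROP for udp/111 on the public interface placed first.
HARDENED = EXPOSED.replace(
    "-A INPUT -i lo", "-A INPUT -i eth2 -p udp -m udp --dport 111 -j DROP\n-A INPUT -i lo", 1)

MODELLED = {"-i", "-p", "-m", "--dport", "-j"}

def port_in(spec, port):
    """True if port falls inside an iptables port spec such as 111 or 100:200."""
    lo, sep, hi = spec.partition(":")
    hi = hi if sep else lo
    return int(lo or 0) <= port <= int(hi or 65535)

def verdict(rules_text, iface, proto="udp", port=111):
    """Target of the first filter/INPUT rule matching proto/port on iface,
    else the chain policy. Rules using options that are not modelled here
    (source, state, negation, jumps to other chains) yield "REVIEW"."""
    policy, table = "ACCEPT", None
    for line in rules_text.splitlines():
        line = line.strip()
        if line.startswith("*"):
            table = line[1:]
        elif table == "filter" and line.startswith(":INPUT "):
            policy = line.split()[1]
        elif table == "filter" and line.startswith("-A INPUT "):
            tok = shlex.split(line)[2:]
            if "!" in tok or len(tok) % 2:
                return "REVIEW"
            opts = dict(zip(tok[0::2], tok[1::2]))
            if opts.get("-i", iface) != iface:
                continue
            if opts.get("-p", proto) not in (proto, "all"):
                continue
            if "--dport" in opts and not port_in(opts["--dport"], port):
                continue
            target = opts.get("-j")
            if set(opts) - MODELLED or target not in ("ACCEPT", "DROP", "REJECT"):
                return "REVIEW"
            return target
    return policy
```

A result of `ACCEPT` for the public interface means rpcbind is reachable there; `REVIEW` means the first candidate rule needs a manual look.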
