[Openstack-security] [Bug 1749326] Re: Exploitable services exposed on community test nodes
Jeremy Stanley
fungi at yuggoth.org
Wed Mar 7 12:38:33 UTC 2018
We preinstall restrictive iptables rulesets on our images when building
them via http://git.openstack.org/cgit/openstack-infra/project-
config/tree/nodepool/elements/nodepool-base/install.d/20-iptables and
devstack configures keystone's memcached_servers setting to
localhost:11211 so that it traverses the loopback interface rather than
an externally-reachable address.
--
You received this bug notification because you are a member of OpenStack
Security SIG, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1749326
Title:
Exploitable services exposed on community test nodes
Status in kolla-ansible:
Confirmed
Bug description:
One of the donor service providers for the upstream OpenStack
Infrastructure CI pool has notified us that their security team's
periodic vulnerability scans have been identifying systems at random
within our environment as running open memcached servers. Job
correlation from these reports indicates each was running one of the
following:
kolla-ansible-oraclelinux-binary
kolla-ansible-oraclelinux-source
kolla-ansible-oraclelinux-source-ceph
Please adjust the configuration of your job framework to prevent these
services from being exposed to the Internet (through iptables ingress
filters, service ACLs, configuring them to not listen on globally-
routable interfaces, whatever works). Thanks!
To manage notifications about this bug go to:
https://bugs.launchpad.net/kolla-ansible/+bug/1749326/+subscriptions
More information about the Openstack-security
mailing list