Comment 5 for bug 1184034

Laurent Minost (lolomin) wrote :

Hi,

Raghavendra D Prabhu (raghavendra-prabhu) wrote on 2013-05-25: #2
"I can reproduce this.

However, we strongly recommend that cluster ports be secured externally as well with iptables/pf since otherwise other ports of cluster are vulnerable as well - like anyone will be able to SST from a donor since no checks are performed there against any whitelist/blacklist."

Could you please clarify this behavior? Is it really possible at present for an outside attacker who has gained access to the LAN on which a cluster is located to get a complete SST when this cluster uses xtrabackup as the SST method? I mean: there is no authentication (like wsrep_sst_auth) used between joiner and donor?

Thanks!

Regards,

Laurent