Exploitable services exposed on community test nodes
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
tripleo | Fix Released | Critical | Emilien Macchi |
Bug Description
One of the donor service providers for the upstream OpenStack Infrastructure CI pool has notified us that their security team's periodic vulnerability scans have been identifying systems at random within our environment as running open SNMP servers with a read community of "public". Job correlation from these reports indicates each was running one of the following:
tripleo-
tripleo-
tripleo-
tripleo-
tripleo-
tripleo-
Please adjust the configuration of your job framework to prevent these services from being exposed to the Internet (through iptables ingress filters, service ACLs, configuring them to not listen on globally-routable interfaces, whatever works). Thanks!
Changed in tripleo:
status: New → Triaged
importance: Undecided → Critical
tags: added: security-hardening
Changed in tripleo:
milestone: none → queens-rc1
tags: added: alert ci
Changed in tripleo:
assignee: nobody → Emilien Macchi (emilienm)
tags: removed: alert
I have checked ocata, pike and master: the SNMP config is the same: http://logs.openstack.org/11/541311/1/gate/tripleo-ci-centos-7-nonha-multinode-oooq/451f201/logs/subnode-2/etc/snmp/snmpd.conf.txt.gz
and we use:
rocommunity public 127.0.0.1
So the read community of public is not open to external networks.
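The mitigation the reporter asks for (keep snmpd from answering on globally routable addresses) and the `rocommunity public 127.0.0.1` line in the comment above both come down to the SOURCE field of Net-SNMP's community directives. The following Python audit is an added example, not code from the bug report or from the TripleO project: it parses a constructed snmpd.conf (not the linked file), flags every `rocommunity`/`rwcommunity` line whose SOURCE is omitted, `default`, or a /0 network (all of which accept the community from any address), and prints a loopback-restricted replacement. The sample configuration, the `Finding` type and the function names are assumptions made for this example.

```python
"""Audit a Net-SNMP snmpd.conf for community strings that any source may use.

Net-SNMP community directives have the form
    rocommunity COMMUNITY [SOURCE [OID | -V VIEW]]
When SOURCE is omitted, is 'default', or is a /0 network, the community is
accepted from every address the daemon listens on.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

COMMUNITY_DIRECTIVES = {"rocommunity", "rwcommunity", "rocommunity6", "rwcommunity6"}
LOOPBACK = {"rocommunity": "127.0.0.1", "rwcommunity": "127.0.0.1",
            "rocommunity6": "::1", "rwcommunity6": "::1"}

# Constructed sample configuration (not the file referenced in the bug report).
SAMPLE_SNMPD_CONF = """\
# Exposed: no SOURCE, so any address may read with 'public'
rocommunity public
# Exposed and writable: 'default' means any source
rwcommunity private default
# Restricted to the local host, as in the TripleO comment above
rocommunity public 127.0.0.1
rocommunity monitor 10.0.0.0/8
rocommunity6 public ::1
# Exposed: a /0 network matches every address, even with a restricted view
rocommunity public 0.0.0.0/0 -V systemonly
"""


@dataclass
class Finding:
    """One community directive that accepts queries from any source."""
    lineno: int
    directive: str
    community: str
    source: Optional[str]
    writable: bool
    rest: List[str] = field(default_factory=list)  # trailing OID / -V VIEW tokens


def source_is_unrestricted(source: Optional[str]) -> bool:
    """True when SOURCE lets every address use the community."""
    if source is None or source.lower() == "default":
        return True
    try:
        network = ipaddress.ip_network(source, strict=False)
    except ValueError:
        # A hostname names specific hosts, so it is not world-open.
        return False
    return network.prefixlen == 0


def parse_community_line(lineno: int, raw: str) -> Optional[Finding]:
    """Return a Finding for an exposed community directive, else None."""
    line = raw.split("#", 1)[0].strip()
    if not line:
        return None
    parts = line.split()
    directive = parts[0].lower()
    if directive not in COMMUNITY_DIRECTIVES or len(parts) < 2:
        return None
    # The third token is SOURCE unless it is the start of a '-V VIEW' option.
    if len(parts) > 2 and not parts[2].startswith("-"):
        source, rest = parts[2], parts[3:]
    else:
        source, rest = None, parts[2:]
    if not source_is_unrestricted(source):
        return None
    return Finding(lineno, directive, parts[1], source, directive.startswith("rw"), rest)


def audit_snmpd_conf(text: str) -> List[Finding]:
    """Scan a whole snmpd.conf and return the exposed community directives."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        finding = parse_community_line(lineno, raw)
        if finding is not None:
            findings.append(finding)
    return findings


def restrict_to_loopback(finding: Finding) -> str:
    """Rewrite an exposed directive so only the local host may use it,
    keeping any OID or view restriction that followed the source."""
    tokens = [finding.directive, finding.community, LOOPBACK[finding.directive]] + finding.rest
    return " ".join(tokens)


if __name__ == "__main__":
    for f in audit_snmpd_conf(SAMPLE_SNMPD_CONF):
        access = "read-write" if f.writable else "read-only"
        print(f"line {f.lineno}: {access} community '{f.community}' accepted from "
              f"any source (source={f.source!r}); suggested: {restrict_to_loopback(f)}")
```

Restricting SOURCE is the narrowest of the three controls listed in the report; it still leaves the daemon bound to all interfaces, so pairing it with an `agentAddress` bound to loopback or with an iptables ingress rule for UDP/161 covers the case where a later edit widens the community again.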