Posted to commits@cloudstack.apache.org by GitBox <gi...@apache.org> on 2019/07/02 14:17:43 UTC

[GitHub] [cloudstack] onitake commented on issue #3450: Port 8096 allows unauthenticated access from any IP.

onitake commented on issue #3450: Port 8096 allows unauthenticated access from any IP.
URL: https://github.com/apache/cloudstack/issues/3450#issuecomment-507697560
 
 
   I don't think "works as designed" is going to cut it here.
   
   The upgrade docs from 4.5 explicitly mention this management port needs to be active during the upgrade procedure, so scripts can access the API unauthenticated: http://docs.cloudstack.apache.org/en/4.11.2.0/upgrading/upgrade/upgrade-4.5.html#system-vms-and-virtual-routers
   
   Nothing says that the port is a serious security risk and should be disabled afterwards.
   
   I think a forced binding to localhost would be useful to avoid a potential foot-gun.
   
   Also, what would be the correct value to disable this feature? The value is interpreted as "int", but what would "disable" be? 0? -1?
