[Openstack-security] [Bug 1749326] Re: Exploitable services exposed on community test nodes
Author: Paul Bourke <paul.bourke at oracle.com>
Date: Thu Mar 8 12:55:05 2018 +0000
Use zuul firewall rules in gate

Till now we've been flushing iptables in the gates to allow cross node
communication in the multi node ceph jobs. This raised security
concerns, in particular it exposed memcached to the external net.

This patch uses the infra provided role 'multi-node-firewall' in order
to correctly configure iptables. Thanks to Jeremy Stanley and Jeffrey
for help with this.
** Changed in: kolla-ansible
Status: Confirmed => Fix Released
Exploitable services exposed on community test nodes
Status in kolla-ansible:
One of the donor service providers for the upstream OpenStack
Infrastructure CI pool has notified us that their security team's
periodic vulnerability scans have been identifying systems at random
within our environment as running open memcached servers. Job
correlation from these reports indicates each was running one of the
Please adjust the configuration of your job framework to prevent these
services from being exposed to the Internet (through iptables ingress
filters, service ACLs, configuring them to not listen on globally-
routable interfaces, whatever works). Thanks!
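
A coarse gate check for the condition described in this report, as an added example that is not part of the bug report or the kolla-ansible change: it lists listeners bound to non-loopback addresses and reports them when the INPUT chain is in the flushed state (policy ACCEPT, no rules). It assumes input in the format of `ss -H -ltn` and `iptables-save`; the function names and sample data are constructed for illustration.

```python
import ipaddress

# Constructed sample data (not from the bug report): `ss -H -ltn` output and
# two `iptables-save` filter tables, one flushed and one with a default drop.
SS_SAMPLE = """\
LISTEN 0 128 0.0.0.0:11211 0.0.0.0:*
LISTEN 0 128 127.0.0.1:3306 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
"""
FLUSHED = "*filter\n:INPUT ACCEPT [0:0]\n:FORWARD ACCEPT [0:0]\n:OUTPUT ACCEPT [0:0]\nCOMMIT\n"
FILTERED = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
"""

def non_loopback_listeners(ss_output):
    """Return (address, port) for every TCP listener not bound to loopback."""
    found = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        host, _, port = fields[3].rpartition(":")
        host = host.strip("[]").split("%")[0]  # drop IPv6 brackets and %iface
        if host == "*":                        # ss may print the wildcard as *
            host = "0.0.0.0"
        if not ipaddress.ip_address(host).is_loopback:
            found.append((host, int(port)))
    return found

def input_is_open(iptables_save):
    """True when INPUT is flushed: policy ACCEPT and no rules appended."""
    lines = iptables_save.splitlines()
    policy_accept = any(l.startswith(":INPUT ACCEPT") for l in lines)
    has_rules = any(l.startswith("-A INPUT") for l in lines)
    return policy_accept and not has_rules

def exposed(ss_output, iptables_save):
    """Listeners reachable from other hosts while INPUT is flushed.
    Coarse check: it does not evaluate individual rules, only the flushed state."""
    return non_loopback_listeners(ss_output) if input_is_open(iptables_save) else []
```
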