2018-07-16 Bitnami Google Launchpad open ports vulnerability
A security issue was detected at 3:51 PM (UTC) that affects some Bitnami solutions deployed through the Bitnami Launchpad for Google Cloud Platform before 2018-07-16.
NOTE: Servers launched from the Google Cloud Platform Marketplace are NOT AFFECTED by this vulnerability.
Affected stacks
The vulnerability is that the firewall rule created for the instance opened all ports publicly to the Internet, so every service listening on the server was reachable remotely, not only the port the stack is meant to expose, and this could allow unauthorised remote access to your server. It affects only some infrastructure stacks. If you are running a web application stack, your server is not exposed.
Please check the list below to verify if you are running any of the affected stacks:
- MongoDB
- CouchDB
- Tensorflowserving
- etcd
- Neo4j
- Grafana
- PostgreSQL
- MySQL
- Redis
- Cassandra
- RabbitMQ
- ActiveMQ
- Memcached
- Kafka
- MariaDB
- Zookeeper
- Consul
- NATS
How to patch it
To prevent possible remote connections, it is strongly recommended that you change the firewall configuration of existing instances by following the instructions below:
- Log in to the Google Cloud Console and select the project you associated with your account in the Bitnami Launchpad for Google Cloud Platform.
TIP: To find the project name, open the top-right menu of the Bitnami Launchpad for Google Cloud Platform and click “Virtual Machines”. The project name is shown in the list of running servers.
- In the Google Cloud Console, navigate to the “Compute Engine” section and click “VM instances”. In the list of running servers, click the solution deployed through the Bitnami Launchpad to open the “VM instance details” screen.
- In the “Network interfaces” section, click the “View details” button. This opens the “Network interface details” screen.
- In the left-side menu, click “VPC network -> Firewall rules”.
- The resulting page lists the firewall rules associated with your instance name (for example, “bitnami-redis-dm-5307-firewall” for a Redis instance). In the “Protocols / ports” column, check whether the value is “tcp” alone or a specific port.
- Only if the “Protocols / ports” column contains “tcp” with no port number must you click the firewall rule and delete it. A bare “tcp” entry means every TCP port is allowed from the listed source ranges.
NOTE: If the “Protocols / ports” column of your instance's firewall rule shows a specific port, your server is exposed only on that port, so it is not necessary to remove that rule.
- Once the firewall rule is deleted, all ports are closed except those allowed by the default network's own rules. If for any reason you need to open a specific port, follow these instructions to open a port for remote access.
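The same check can be scripted for projects with many instances instead of clicking through each one. The script below is an added example and is not Bitnami's own tooling: it reads the JSON produced by `gcloud compute firewall-rules list --format=json` (or, when run with no argument, a constructed sample embedded in the file), flags every ingress rule that allows `tcp` without a port list from `0.0.0.0/0`, and prints the matching `gcloud compute firewall-rules delete` command. The rule names other than `bitnami-redis-dm-5307-firewall` in the sample are made up for illustration, as is the `bitnami-` name prefix used to restrict the scan to Launchpad-created rules.

```python
"""Find GCP firewall rules that expose every TCP port to the Internet.

Added example, not Bitnami's code. Input is the JSON emitted by:
    gcloud compute firewall-rules list --format=json
Usage:
    python find_open_rules.py rules.json   # scan a real export
    python find_open_rules.py              # run against the embedded sample
"""
import json
import sys

# Source ranges that mean "the whole Internet".
WORLD_RANGES = {"0.0.0.0/0", "::/0"}


def exposes_all_ports(rule):
    """True if an enabled INGRESS rule allows every TCP port (or every
    protocol) from an Internet-wide source range.

    A bare {"IPProtocol": "tcp"} entry with no "ports" key is exactly the
    "tcp" value the advisory tells you to look for in the console.
    """
    if rule.get("direction", "INGRESS") != "INGRESS":
        return False
    if rule.get("disabled", False):
        return False
    if not set(rule.get("sourceRanges", [])) & WORLD_RANGES:
        return False  # open, but only to a private/specific range
    for allowed in rule.get("allowed", []):
        proto = allowed.get("IPProtocol", "").lower()
        if proto in ("tcp", "all") and not allowed.get("ports"):
            return True
    return False


def find_wide_open_rules(rules, name_prefix="bitnami-"):
    """Return the names of wide-open rules whose name starts with name_prefix.

    The prefix filter is an assumption: it keeps the scan to rules created
    by the Launchpad and skips GCP's own default-network rules.
    """
    return [r["name"] for r in rules
            if r.get("name", "").startswith(name_prefix) and exposes_all_ports(r)]


def delete_commands(rule_names):
    """Build the gcloud commands that remove the offending rules."""
    return [f"gcloud compute firewall-rules delete {name}" for name in rule_names]


# Constructed sample in the shape of `gcloud compute firewall-rules list --format=json`.
# Only the first rule name comes from the advisory; the others are invented.
SAMPLE_RULES = [
    {   # pre-2018-07-16 Launchpad rule: "tcp" with no ports, from anywhere
        "name": "bitnami-redis-dm-5307-firewall",
        "direction": "INGRESS",
        "sourceRanges": ["0.0.0.0/0"],
        "targetTags": ["bitnami-redis-dm-5307"],
        "allowed": [{"IPProtocol": "tcp"}],
    },
    {   # a rule limited to specific ports: not affected, keep it
        "name": "bitnami-mysql-dm-8812-firewall",
        "direction": "INGRESS",
        "sourceRanges": ["0.0.0.0/0"],
        "allowed": [{"IPProtocol": "tcp", "ports": ["22", "3306"]}],
    },
    {   # all TCP ports, but only from a private range: not Internet-exposed
        "name": "bitnami-kafka-dm-1021-internal",
        "direction": "INGRESS",
        "sourceRanges": ["10.128.0.0/9"],
        "allowed": [{"IPProtocol": "tcp"}],
    },
    {   # GCP default-network rule; excluded by the name prefix filter
        "name": "default-allow-internal",
        "direction": "INGRESS",
        "sourceRanges": ["10.128.0.0/9"],
        "allowed": [{"IPProtocol": "tcp", "ports": ["0-65535"]},
                    {"IPProtocol": "udp", "ports": ["0-65535"]},
                    {"IPProtocol": "icmp"}],
    },
]


def main():
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            rules = json.load(fh)
    else:
        rules = SAMPLE_RULES
    names = find_wide_open_rules(rules)
    if not names:
        print("No wide-open Launchpad firewall rules found.")
        return
    for name, cmd in zip(names, delete_commands(names)):
        print(f"{name}: allows every TCP port from the Internet")
        print(f"  {cmd}")


if __name__ == "__main__":
    main()
```

Review the printed commands before running them: deleting a rule that is the only one allowing SSH to an instance will lock you out, so re-add a port-specific rule for the ports you actually need (for example 22 and the service port) as described in the linked instructions.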
The issue has already been fixed in the Bitnami Launchpad for Google Cloud Platform: new launches no longer open all ports by default. If you need additional help updating your databases, please visit the GitHub repository.