We recently completed a security assessment of some new v3.1 Streams installations and discovered many new issues associated with the Streams Console port. During the investigation, one test we performed was to upgrade an existing v3.0 test environment that did not exhibit any of the vulnerabilities immediately prior to v3.1 but now shows the same issues. So the anecdotal evidence is that something has changed between v3.0 and v3.1 that opens many very serious security vulnerabilities.
The security scan we performed identified several thousand vulnerabilities, many serious, that did not exist on the same host when running v3.0 but did immediately after performing the v3.1 install.
Most appear to be exposures to services completely unrelated to Streams and which don't belong at all on any production Streams server. Here is a single example of a URL that was found to be problematic:
There are literally hundreds of others referring to things like DNEWSWEB, BizDB, RobPoll, Antelope W4-Server, Cart32, WebWho+, Dmailweb, EZshopper, and the list goes on and on. Note that none of these vulnerabilities showed up on a security scan done just prior to installing v3.1, and all that was done to the server between the scans was to run the 3.1 installation binary and firststeps. Also, the vulnerabilities appear to move with the port defined for the Streams Console. That is, when we changed the port from 0 to 8443, the vulnerabilities now show up on 8443 rather than the previously selected port.
I really hope this is something that can definitely be addressed through some straightforward configuration because if not we will have no other choice but to revert back to v3.0. Please feel free to contact me directly if there is any additional information I can provide.
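Whether hundreds of findings for unrelated products on a single port are real exposures or one catch-all response from the console (a common cause of this pattern, though the post does not establish which applies here) can be checked by requesting a few of the flagged paths alongside a control path that no product would serve. The script below is an added triage example, not code from the original post or from the Streams product; the host, port and probe paths are assumptions, and the responses asserted on in testing are constructed.

```python
# Added triage check, not part of the original post or of Streams itself.
# Assumes the Streams Console speaks HTTPS on the given port and may use a
# self-signed certificate; probe paths are constructed from product names
# the scanner reported and are not known to exist on any real console.
import hashlib
import ssl
import urllib.error
import urllib.request

CONTROL_PATH = "/this-path-should-not-exist-0123456789"
PROBE_PATHS = ["/cgi-bin/cart32.exe", "/cgi-bin/dnewsweb", "/cgi-bin/webwho.pl"]


def fetch(host, port, path, timeout=5):
    """Return (status, sha256 of body) for one path on the console port."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # test console, self-signed cert assumed
    ctx.verify_mode = ssl.CERT_NONE
    url = f"https://{host}:{port}{path}"
    try:
        with urllib.request.urlopen(url, timeout=timeout, context=ctx) as resp:
            return resp.status, hashlib.sha256(resp.read()).hexdigest()
    except urllib.error.HTTPError as err:
        return err.code, hashlib.sha256(err.read()).hexdigest()


def classify(responses, control=CONTROL_PATH):
    """responses maps path -> (status, body_hash).  If every flagged path is
    indistinguishable from the control path, the scanner is matching on one
    catch-all handler, not on hundreds of separate products."""
    ctrl = responses[control]
    probes = {p: r for p, r in responses.items() if p != control}
    if all(r == ctrl for r in probes.values()):
        return "catch-all"
    if all(r != ctrl for r in probes.values()):
        return "distinct"
    return "mixed"   # some paths really differ; triage those individually


def probe_console(host, port):
    """Fetch every probe path plus the control and classify the result."""
    responses = {p: fetch(host, port, p) for p in PROBE_PATHS + [CONTROL_PATH]}
    return classify(responses), responses


if __name__ == "__main__":
    verdict, seen = probe_console("streams-test.example", 8443)  # placeholders
    for path, (status, digest) in seen.items():
        print(f"{status} {digest[:12]} {path}")
    print("verdict:", verdict)
```

A "catch-all" verdict means the scanner's signatures are all matching the same response and the findings should be re-checked by hand before being treated as real services; "distinct" or "mixed" means at least some paths answer differently and deserve individual investigation.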