Security Bulletin
Summary
The YARN ResourceManager UI and REST API listening on port 8088 are not secured by default: no authentication is required to use them. If the host machine or container is deployed on a network where port 8088 is reachable from the internet, anonymous users can submit YARN applications. A YARN application can run arbitrary commands in the container, such as shell scripts or Java programs, so an attacker could use this to execute arbitrary code on the system.
Vulnerability Details
Yarn UI/API Security issue
The YARN ResourceManager UI and REST API listening on port 8088 are not secured by default. Unless Hadoop security (Kerberos authentication and YARN ACLs) has been enabled, the web interface and the application-submission API accept requests from anyone who can reach the port. If the host machine or container is deployed on a network where port 8088 is open to the internet, anonymous users can therefore submit YARN applications. A YARN application can run arbitrary commands in the container, such as shell scripts or Java programs, which means an attacker can execute arbitrary shell scripts on the system.
By default, IBM MDM Express exposes port 8088 so that users can view the underlying application logs and troubleshoot MDM Express workflows by inspecting the YARN applications in the YARN UI. Because the same port also accepts unauthenticated application submissions, exposing it beyond a trusted network carries the risk described above.
Affected Products and Versions
IBM MDM Express v1.0 is affected when the container is deployed and configured in a network where port 8088 is open to the internet.
Remediation/Fixes
To allow continued use of the YARN UI for troubleshooting while preventing malicious activity, configure firewall rules that allow only trusted sources to reach the docker container. Because Docker manages the iptables FORWARD chain itself, rules for published container ports must be placed in the DOCKER-USER chain, where Docker evaluates them before its own rules. General instructions are documented in the Docker documentation at https://docs.docker.com/network/iptables/
What follows are examples of options you have for blocking incoming traffic. In each of these examples, the following assumptions are made:
- The external NIC interface is eth1.
- The ALLOWED IP address is 1.2.3.4 (all other IP addresses will be blocked).
Example 1: Block all incoming traffic except for one IP to all exposed ports on the docker container
The following command ensures that all traffic arriving on eth1 for the docker container from any address other than 1.2.3.4 will be dropped:
sudo iptables -I DOCKER-USER -i eth1 ! -s 1.2.3.4 -j DROP
Example 2: Block incoming traffic except for one IP to a specific port exposed on the docker container
The following command ensures that traffic to the YARN UI port 8088 exposed by MDM Express from any address other than 1.2.3.4 will be dropped, regardless of the interface it arrives on:
sudo iptables -I DOCKER-USER -p tcp ! -s 1.2.3.4 --dport 8088 -j DROP
With this approach, all ports exposed by MDM Express remain reachable from any IP address except port 8088, which accepts incoming requests only from 1.2.3.4. Note that packets reaching the DOCKER-USER chain have already been through Docker's destination NAT, so --dport matches the container-side port. This is correct when the container port is published on the same host port (8088:8088); if the host port differs from the container port, match on the original destination port instead with -m conntrack --ctorigdstport 8088 --ctdir ORIGINAL.
Example 3: Block all incoming traffic except for a range of IPs to all exposed ports on the docker container
The following command ensures that all traffic arriving on eth1 for the docker container from any address other than the IPs in the range 1.2.3.4 to 1.2.3.7 will be dropped:
sudo iptables -I DOCKER-USER -m iprange -i eth1 ! --src-range 1.2.3.4-1.2.3.7 -j DROP
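The three examples above each insert a rule unconditionally, so running them twice leaves duplicate rules, and none of them tells you whether port 8088 is still reachable afterwards. The script below is an added example, not part of IBM MDM Express or of this bulletin: it builds the DOCKER-USER rule for a single address, a CIDR block or an address range, inserts it only if it is not already present (iptables -C), and checks exposure by requesting the YARN ResourceManager's /ws/v1/cluster/info REST endpoint. The interface eth1, port 8088 and the address 1.2.3.4 are the bulletin's placeholders; the environment variables, function names and the use of the conntrack match on the original destination port (which also covers the case where the published host port differs from the container port) are this example's own choices.

```shell
#!/bin/sh
# Added example: idempotent DOCKER-USER rules for the YARN UI/API port and an
# exposure check. Not part of IBM MDM Express. Adapt IFACE, YARN_PORT and the
# allowed source to your environment (defaults are the bulletin's placeholders).
set -eu

IFACE="${IFACE:-eth1}"
YARN_PORT="${YARN_PORT:-8088}"

# Print the rule specification (everything after the chain name) that drops TCP
# traffic arriving on $IFACE for the YARN port from any source except $1.
# $1 may be a single address (1.2.3.4), a CIDR block (10.0.0.0/24) or a range
# written as first-last (1.2.3.4-1.2.3.7), which selects the iprange match.
# Packets in DOCKER-USER have already been DNATed, so --ctorigdstport matches
# the port the client connected to on the host rather than the container port.
yarn_rule_spec() {
  case "$1" in
    *-*) src="-m iprange ! --src-range $1" ;;
    *)   src="! -s $1" ;;
  esac
  printf '%s\n' "-i $IFACE -p tcp -m conntrack --ctorigdstport $YARN_PORT --ctdir ORIGINAL $src -j DROP"
}

# Insert the rule at the top of DOCKER-USER unless an identical rule exists.
# $1 is a rule spec from yarn_rule_spec; word splitting of $1 is intentional.
# Must run as root. Rules are not persistent across reboots; save them with the
# distribution's mechanism (e.g. iptables-save) after verifying them.
apply_yarn_rule() {
  # shellcheck disable=SC2086
  if iptables -C DOCKER-USER $1 2>/dev/null; then
    echo "rule already present: $1"
  else
    # shellcheck disable=SC2086
    iptables -I DOCKER-USER $1
    echo "inserted: $1"
  fi
}

# Return 0 if the YARN ResourceManager REST API answers on host $1, 1 otherwise.
# Run this from a host that should NOT be allowed; a 200 means the port is
# still exposed to that source. Requires curl.
yarn_reachable() {
  code=$(curl -s -m 5 -o /dev/null -w '%{http_code}' \
         "http://$1:$YARN_PORT/ws/v1/cluster/info" || echo 000)
  [ "$code" = "200" ]
}

# Usage (as root on the docker host):
#   . ./yarn_firewall.sh
#   apply_yarn_rule "$(yarn_rule_spec 1.2.3.4)"            # single address
#   apply_yarn_rule "$(yarn_rule_spec 1.2.3.4-1.2.3.7)"    # address range
#   iptables -L DOCKER-USER -n -v --line-numbers            # review the chain
# From an untrusted host:
#   yarn_reachable mdm-express.example.com && echo "still exposed"
```

Because DOCKER-USER rules are evaluated top to bottom and each call inserts at position 1, add the most specific rule last; the -C check keeps repeated runs of the script from stacking identical rules.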
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
Disclaimer
Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.
Document Information
Modified date:
19 July 2018
UID
ibm10717665