How to disable the /debug/vars feature in a Docker environment #18070
Comments
That's an issue with bitnami, we don't support bitnami images.

How can we disable this feature in our etcd image?
Here is the translation: I use the official image and wrote the following:

```shell
docker run -d \
  -p 2379:2379 \
  -p 2380:2380 \
  --name etcd \
  --volume $(pwd)/etcd-data:/etcd-data \
  quay.io/coreos/etcd:v3.5.0 \
  /usr/local/bin/etcd \
  --name my-etcd-instance \
  --data-dir /etcd-data \
  --listen-client-urls http://0.0.0.0:2379 \
  --advertise-client-urls http://0.0.0.0:2379 \
  --listen-peer-urls http://0.0.0.0:2380
```

However, when accessing
You can't, which is an interesting decision by previous maintainers.

cc @ahrtr
Could you please help us to understand what vulnerability was found? We may want to add a flag

It's not a vulnerability per se, but at least it's surprising. Example of data in
Would be good to get some review from security about risks of exposing the data.

It is a dedicated vulnerability check, and it discovered the address /debug/vars. This address is anonymous and returns configuration information, posing a risk of leakage.

Can I encrypt this interface or add permissions when running Docker, so that users must log in to access it?

You won't be able to do that from the container runtime. The only thing I could imagine would be a reverse proxy sidecar that explicitly disallows that path.
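A minimal sidecar of the kind suggested in the reply above, written here as an added example; it is not code from etcd or from anyone in this thread. It assumes etcd listens on 127.0.0.1:2379 on a network that only the sidecar can reach (otherwise clients simply bypass the proxy), and that blocking everything under /debug/ is acceptable. The listen port 12379 and the ETCD_UPSTREAM variable are names chosen for this example.

```go
package main

import (
	"log"
	"net/http"
	"net/http/httputil"
	"net/url"
	"os"
	"path"
	"strings"
)

// denyPrefixes lists path prefixes the sidecar refuses to forward.
// "/debug/" covers /debug/vars; assumption: nothing else under /debug/ is wanted either.
var denyPrefixes = []string{"/debug/"}

// Denied reports whether a request path falls under a blocked prefix.
// path.Clean collapses "/debug/../debug/vars" and similar before comparing,
// and the URL parser has already decoded percent-escapes such as %64ebug.
func Denied(reqPath string) bool {
	clean := path.Clean("/" + reqPath)
	for _, p := range denyPrefixes {
		if strings.HasPrefix(clean, p) || clean == strings.TrimSuffix(p, "/") {
			return true
		}
	}
	return false
}

// NewHandler returns a reverse proxy to upstream that answers 403 for denied
// paths and forwards everything else unchanged.
func NewHandler(upstream *url.URL) http.Handler {
	proxy := httputil.NewSingleHostReverseProxy(upstream)
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if Denied(r.URL.Path) {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		proxy.ServeHTTP(w, r)
	})
}

func main() {
	// Assumption: etcd's client listener is reachable only from this sidecar.
	upstream := "http://127.0.0.1:2379"
	if v := os.Getenv("ETCD_UPSTREAM"); v != "" {
		upstream = v
	}
	u, err := url.Parse(upstream)
	if err != nil {
		log.Fatal(err)
	}
	log.Printf("forwarding :12379 -> %s, denying %v", u, denyPrefixes)
	log.Fatal(http.ListenAndServe(":12379", NewHandler(u)))
}
```

Clients then point at the sidecar's port instead of 2379. The deny check runs on the cleaned path rather than on a literal string match, so encoded or traversal-style spellings of /debug/vars are rejected as well; the check is on the proxy only, so anything that can reach 2379 directly still gets the page.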
Bug report criteria
What happened?
Our company is using etcd, but a vulnerability was found related to the ip:2379/debug/vars interface. How can we disable this interface?
What did you expect to happen?
How to disable this feature for an etcd instance created using Docker?
How can we reproduce it (as minimally and precisely as possible)?
To directly run a Docker instance using the command, for example:
Anything else we need to know?
No response
Etcd version (please run commands below)
Etcd configuration (command line flags or environment variables)
Etcd debug information (please run commands below, feel free to obfuscate the IP address or FQDN in the output)
Relevant log output
No response