XAP Zookeeper [missing] security

Hello,

Out-of-the-box, Zookeeper as part of XAP is started without any security. Anybody could connect to the default port 2181 and execute any operations, including deleting the whole directory or writing wrong information. The attacker just needs to download a standard Zookeeper tarball, start the command-line client and connect to the right port.

I consider this to be a very high security risk as an attacker could easily destroy the complete grid lookup infrastructure. Do you agree with my assessment?

If my assessment is right, could you please provide a guide on how to manually secure Zookeeper as a part of XAP, as long as sufficient security is not provided out-of-the-box?

asked 2018-04-05 02:40:37 -0500

Alexey Serdyuk

updated 2018-04-05 02:40:58 -0500


1 Answer


Hi,

1. Please report an improvement request regarding it and it will be considered.
2. Since Zookeeper is a server-side component, it is assumed to be in a secured environment. Deleting data from Zookeeper will interfere with the active election process.

Regards, Ester.

answered 2018-04-08 06:03:14 -0500

Ester

Comments

Hi Ester, I have created a support case. I can't agree with your statement that it is OK to have an intranet application unsecured, especially taking into account many recent cases when customer data of various enterprises was stolen. Even if an attacker manages to intrude into the corporate network, he should not automatically get free access to internal applications, that is, internal applications must be fully protected (SSL, authentication, etc.).

Alexey Serdyuk (2018-04-09 02:06:18 -0500)
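
Added example (not part of the original thread and not GigaSpaces' code): a small Python audit of a ZooKeeper server configuration for the exposure raised in the question, a client port reachable on every interface with no SASL authentication provider configured. It assumes the ZooKeeper bundled with XAP reads a standard properties-style zoo.cfg; the sample configs, the address and the function names are constructed for illustration.

```python
# Added example: flag an openly reachable, unauthenticated ZooKeeper config.
# Assumption: the server reads a standard properties-style zoo.cfg.
SASL_PROVIDER = "org.apache.zookeeper.server.auth.SASLAuthenticationProvider"
WILDCARD_BINDS = {"", "0.0.0.0", "::", "[::]"}

# Constructed sample: minimal config with no bind address and no auth provider.
OPEN_CFG = """\
tickTime=2000
dataDir=/var/lib/zookeeper
clientPort=2181
"""

# Constructed sample: bound to one internal address, SASL provider registered.
HARDENED_CFG = """\
tickTime=2000
dataDir=/var/lib/zookeeper
clientPort=2181
clientPortAddress=10.0.0.5
authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
"""

def parse_properties(text):
    """Parse key=value lines, skipping blank lines and # or ! comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def audit_zoo_cfg(text):
    """Return a list of findings; an empty list means both checks passed."""
    props = parse_properties(text)
    findings = []
    port = props.get("clientPort", "(unset)")
    # Without clientPortAddress the client port is bound on every interface.
    if props.get("clientPortAddress", "") in WILDCARD_BINDS:
        findings.append(f"client port {port} listens on all interfaces")
    # authProvider.N entries register authentication schemes with the server.
    providers = [v for k, v in props.items() if k.startswith("authProvider.")]
    if SASL_PROVIDER not in providers:
        findings.append("no SASL authProvider configured")
    return findings

if __name__ == "__main__":
    for name, cfg in (("open", OPEN_CFG), ("hardened", HARDENED_CFG)):
        print(name, audit_zoo_cfg(cfg) or "no findings")
```

Passing both checks only shows that the listener is restricted and a SASL provider is registered; znode ACLs still have to be set so that authenticated identities, not world:anyone, own the data.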


Stats

Asked: 2018-04-05 02:40:37 -0500

Seen: 103 times

Last updated: Apr 08