sous-chefs / sc-mongodb

Development repository for the sc-mongodb cookbook
https://supermarket.chef.io/cookbooks/sc-mongodb
Apache License 2.0

Binding to 0.0.0.0 #224

Open akondasif opened 5 years ago

akondasif commented 5 years ago

Greetings,

I am a security researcher who is looking for security smells in Chef scripts. I noticed instances of binding to 0.0.0.0. Binding an address to 0.0.0.0 indicates allowing connections from all IP addresses. I would like to draw attention to these instances. Binding to 0.0.0.0 may lead to denial of service attacks. Practitioners have reported how binding to 0.0.0.0 facilitated security issues for MySQL (https://serversforhackers.com/c/mysql-network-security), Memcached (https://news.ycombinator.com/item?id=16493480), and Kibana (https://www.elastic.co/guide/en/kibana/5.0/breaking-changes-5.0.html).

Any feedback is appreciated.

Source: https://github.com/sous-chefs/mongodb/blob/master/spec/recipes/default_spec.rb
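The check described in the report, as an added example in Ruby (the cookbook's language); this is not code from sc-mongodb or from the reporter. It works on mongod's own YAML config format (`net.bindIp`, a comma-separated string, and the `net.bindIpAll` switch), not on the cookbook's attribute names, which it does not assume. The three config snippets are constructed for the example. The check treats the unspecified address of either family (`0.0.0.0`, `::`, `0:0:0:0:0:0:0:0`) as a wildcard, ignores hostnames and unix socket paths, and the last function shows the corrected form: an explicit listener list with `bindIpAll` removed.

```ruby
require 'yaml'
require 'ipaddr'

# Constructed mongod.conf fragments for illustration (not taken from the cookbook).
WEAK_CONF = <<~YAML
  net:
    port: 27017
    bindIp: "0.0.0.0"
YAML

WEAK_CONF_V6 = <<~YAML
  net:
    port: 27017
    bindIp: "127.0.0.1,::"
YAML

HARDENED_CONF = <<~YAML
  net:
    port: 27017
    bindIp: "127.0.0.1,10.0.0.5"
YAML

# True for the unspecified address in either family ("0.0.0.0", "::",
# "0:0:0:0:0:0:0:0", "0::0"). Compared numerically so every spelling of
# all-zeros matches. Hostnames and unix socket paths are not IP addresses
# and therefore never count as wildcards.
def wildcard?(addr)
  return false if addr.empty?
  IPAddr.new(addr).to_i.zero?
rescue IPAddr::InvalidAddressError
  false
end

# Returns the net.* settings in a mongod YAML config that expose the
# daemon on every interface. An empty array means no wildcard listener.
def wildcard_binds(yaml_text)
  cfg = YAML.safe_load(yaml_text) || {}
  net = cfg['net'] || {}
  findings = []
  findings << 'net.bindIpAll: true' if net['bindIpAll'] == true
  # mongod takes bindIp as one comma-separated string; tolerate a YAML list too.
  addrs = net['bindIp']
  addrs = addrs.split(',') if addrs.is_a?(String)
  Array(addrs).map { |a| a.to_s.strip }.each do |a|
    findings << "net.bindIp: #{a}" if wildcard?(a)
  end
  findings
end

# The corrected configuration: an explicit list of listener addresses and
# no bindIpAll override. Returns the YAML text for the new config.
def restrict_bind(yaml_text, allowed)
  cfg = YAML.safe_load(yaml_text) || {}
  net = (cfg['net'] ||= {})
  net.delete('bindIpAll')
  net['bindIp'] = allowed.join(',')
  YAML.dump(cfg)
end

if __FILE__ == $PROGRAM_NAME
  [WEAK_CONF, WEAK_CONF_V6, HARDENED_CONF].each do |conf|
    hits = wildcard_binds(conf)
    puts(hits.empty? ? 'ok: no wildcard listener' : "wildcard listener: #{hits.join(', ')}")
  end
  puts restrict_bind(WEAK_CONF, ['127.0.0.1', '10.0.0.5'])
end
```

Run it against the mongod.conf a converged node actually renders rather than against the recipe source, since templates and attribute overrides decide the final value. A hit means the listener is reachable from every interface the host has; whether that is exploitable depends on the host firewall and on whether authentication is enabled, neither of which this check can see.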

github-actions[bot] commented 4 years ago

Marking stale due to inactivity. Remove stale label or comment or this will be closed in 7 days. Alternatively drop by the #sous-chefs channel on the Chef Community Slack and we'll be happy to help! Thanks, Sous-Chefs.