Support for ZMQ notification adds a huge attack vector. Given the frequency of bugs found upstream, it should be considered a serious network security vulnerability to have ZMQ linked to the address space of every node. Still, it is a useful feature and we should support it, so long as it is not included in builds by default. We should change the default configuration setting to no and require --enable-zmq to include it.
After auditing the ZMQ implementation in v12, I'm convinced that the attack surface is not remotely exposed without opt-in configuration, so I'm reverting my position on this and considering this issue close.
Support for ZMQ notification adds a huge attack vector. Given the frequency of bugs found upstream, it should be considered a serious network security vulnerability to have ZMQ linked to the address space of every node. Still, it is a useful feature and we should support it, so long as it is not included in builds by default. We should change the default configuration setting to
no
and require--enable-zmq
to include it.