SuperMap iManager
简体中文10.1.1

Tutorial

The Solutions of iManager Security Vulnerabilities

The content below lists some common security vulnerabilities of iManager, and the solutions of these security vulnerabilities. If you meet the same security vulnerabilities, please follow the solutions:

  1. CVE-2020-1967

    Solution: Upgrade OpenSSL in iManager deployment machine to v1.1.1d. The download address: https://www.openssl.org/source/.

  2. CVE-2018-15919

    Solution: Upgrade OpenSSH in iManager deployment machine to v7.8 or higher.

  3. Hashicorp Consul Web UI and API access

    Solution(The demonstration below is using Ubuntu system):

    1. Install firewall:
    sudo apt-get install ufw
    1. Open firewall:
    sudo ufw enable
sudo ufw default deny
    1. Check the IP of iManager container:
    docker exec -it imanager bash

    hashicorp

    1. Add rules to firewall, only allow the IP of iManager deployment machine and the IP of iManager container to access:
    //Allow the IP of iManager deployment machine to access. Modify the <ip> in the following command to your machine IP.
sudo ufw allow from <ip>
//Allow the IP of iManager container to access. Modify 172.18.0.3/16 in the following command to the IP you checked in step 3.
sudo ufw allow from 172.18.0.3/16
    1. Open the port 8390:
    sudo ufw allow 8390

    Notes:
    If the rules of firewall are not taking effect, restart the machine.

    1. Check the firewall rules of Docker, execute:

      iptables -L DOCKER -n --line-number

      dockerfirewallrules

    2. Modify the firewall rules, only allow the specified IP to access the port 9200(Please replace the IP ‘192.168.11.145’ in the following command to the machine IP which you install iManager):

      iptables -R DOCKER 11 -p tcp -m tcp -s 192.168.11.145 --dport 9200 -d 172.18.0.13 -j ACCEPT

      9200port

    3. Modify the firewall rules, only allow the specified IP segment to access the port 9200(Please replace the IP segment ‘192.168.11.145/24’ in the following command to the machine IP segment which you install iManager):

      iptables -R DOCKER 11 -p tcp -m tcp -s 192.168.11.145/24 --dport 9200 -d 172.18.0.13 -j ACCEPT

      ip9200port

  4. Docker Remote API Unauthorized Access Vulnerability

    Solution:

    1. Generate certificates, please refer to Docker Documentation.

    2. Open the environment variable configuration file. In the iManager installation directory(the directory that unzip from iManager installation package), enter to ‘supermap-imanager-docker’ directory, and open .env file:

      vi .env
    3. Configure the storage path of certificates. Fill in the certificate storage path in the variable ‘DOCKER_CERTS_PATH’, you can specify a path or keep in default, the default path is ‘/etc/imanager/docker-cert’.

    modifycertificatepath

    1. Create folders under the certificates storage path, the folders should be named by the machines’ IP of Docker environment which are providing the service for iManager.
    2. Store the certificates into the folders.

    For example, the machine IP with Docker environment which is providing iManager services is 192.168.17.148. You need to create a folder named ‘192.168.17.148’ under the path ‘/etc/imanager/docker-cert’, and store the certificates ‘ca.pem, key.pem, cert.pem’ into the folder.

    storecertificates

    Notes:
    If the services of iManager are providing by multiple machines with Docker environment, you need to create multiple folders according to the IP of machines, and store the certifictes to the Corresponding folders.

  5. Configure STL Access for Docker

    1. Add the following parameters after the configuration in the file ‘docker.service’ or ‘docker.conf’:
    --tlsverify --tlscacert=/etc/docker/ca.pem --tlscert=/etc/docker/server-cert.pem --tlskey=/etc/docker/server-key.pem

    dockerstl

    1. Update the configuration and restart docker service:
    systemctl daemon-reload
systemctl restart docker