Tutorial
iManager Security Vulnerabilities Solution
This article lists some common security vulnerabilities reported against iManager for Kubernetes and their solutions. If you encounter the same problem, refer to the following to resolve it:
- NFS vulnerability (CVE-1999-0554): How to deal with the disclosure of the target host's NFS export list via `showmount -e`?

Answer: Use the Linux hosts.allow and hosts.deny files together to limit the IPs and users that can obtain the NFS export list. When a connection request arrives from an IP, Linux first checks whether /etc/hosts.allow permits it; if so, the connection is accepted directly. If not, it checks whether /etc/hosts.deny prohibits it; if so, the connection is refused.

The relationship between the two configuration files is that /etc/hosts.allow takes precedence over /etc/hosts.deny. The configuration steps are as follows:

(1) Modify the hosts.allow configuration file:

```
vim /etc/hosts.allow
mountd:192.168.13.1          # set to the IPs that should be allowed; separate multiple IPs with commas
#rpcbind:192.168.13.:allow   # allow the whole network segment
rpcbind:192.168.13.1:allow
```

(2) Modify the hosts.deny configuration file:

```
mountd:ALL                   # deny all other IPs access to the NFS service
rpcbind:ALL:deny
```

(3) The modification takes effect without restarting the machine.
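To check such a policy before deploying it, here is an added example (not from the iManager documentation) that reproduces in Python the hosts.allow-then-hosts.deny decision order described above, with the page's sample rules embedded as constructed input. It also covers the case the text leaves implicit: a client matched by neither file, which tcp_wrappers allows.

```python
# Added example, not from the iManager docs: emulate the tcp_wrappers decision
# order (hosts.allow first, then hosts.deny, allow when neither matches) so an
# NFS access policy can be checked before it is deployed. Rule syntax covered:
# "daemon[,daemon]:client[,client][:allow|deny]", where a client is an exact
# IPv4 address, a prefix ending in "." (e.g. "192.168.13.") or ALL; "#" starts a comment.

def parse_rules(text):
    """Parse hosts.allow / hosts.deny text into (daemons, clients, verdict)."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments / blank lines
        if not line:
            continue
        parts = [p.strip() for p in line.split(":")]
        daemons = {d.strip() for d in parts[0].split(",")}
        clients = {c.strip() for c in parts[1].split(",")}
        verdict = parts[2].lower() if len(parts) > 2 else None   # optional :allow/:deny
        rules.append((daemons, clients, verdict))
    return rules

def client_matches(pattern, ip):
    if pattern == "ALL":
        return True
    if pattern.endswith("."):                      # network prefix such as 192.168.13.
        return ip.startswith(pattern)
    return ip == pattern                           # exact host

def decide(allow_text, deny_text, daemon, ip):
    """Return "allow" or "deny" for one connection of `daemon` from `ip`."""
    for file_default, text in (("allow", allow_text), ("deny", deny_text)):
        for daemons, clients, verdict in parse_rules(text):
            daemon_ok = daemon in daemons or "ALL" in daemons
            if daemon_ok and any(client_matches(c, ip) for c in clients):
                return verdict or file_default     # explicit option overrides the file default
    return "allow"                                 # matched by neither file: tcp_wrappers allows

# Constructed sample mirroring the two files configured above.
HOSTS_ALLOW = """mountd:192.168.13.1
#rpcbind:192.168.13.:allow
rpcbind:192.168.13.1:allow
"""
HOSTS_DENY = """mountd:ALL
rpcbind:ALL:deny
"""

if __name__ == "__main__":
    for ip in ("192.168.13.1", "192.168.13.7"):
        print(ip, "mountd ->", decide(HOSTS_ALLOW, HOSTS_DENY, "mountd", ip))
```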
- How to fix the MariaDB version vulnerability reported for MySQL?

The solution to this vulnerability is to upgrade to the MariaDB image of the fixed version. The specific operations are as follows:

**Get the fixed version of MariaDB**

(1) Pull the image:

```
docker pull mariadb:10.5.15
```

In an intranet environment, pull the image on a machine with internet access, save it to a file, and copy that file into the intranet:

```
docker save mariadb:10.5.15 -o /opt/mariadb-10115.tar
```

(2) Load the image:

```
docker load -i mariadb-10115.tar
```

(3) Tag the image (replace `192.168.20.180:5000` in the following command with the `<ip:port>` of your private registry):

```
docker tag mariadb:10.5.15 192.168.20.180:5000/supermap/mariadb:10.5.15-amd64
```

(4) Push the image to the private registry (replace `192.168.20.180:5000` in the following command with the `<ip:port>` of your private registry):

```
docker push 192.168.20.180:5000/supermap/mariadb:10.5.15-amd64
```
**Modify the MariaDB image version of the related services**

- 10.2.1 and later versions

Find the service list of the corresponding GIS site in the iManager site and perform the following operations in order:

(1) Modify the orchestration files of the imanager-mysql and bslicense-server services and update the image: find the imanager-mysql and bslicense-server services in the iManager basic service list, click Edit, locate the MariaDB image path under both the `initContainers` and `containers` labels, change the tag to the new MariaDB image tag, and click Update.

(2) Modify the orchestration files of the ispeco-mysql and iportal-mysql services in the GIS Cloud Suite and update the image: find the corresponding GIS Cloud Suite site in the iManager site, find the ispeco-mysql and iportal-mysql services in the Cloud Suite service list, click Edit, locate the MariaDB image path under both the `initContainers` and `containers` labels, change the tag to the new MariaDB image tag, and click Update.

(3) After the orchestration file is updated, the service restarts automatically.

- 10.2.0 and earlier versions

Visit `http://<ip>:31234` and perform the operations on the Kubernetes dashboard page:

(1) Modify the orchestration files of the imanager-mysql and bslicense-server services in the `supermap` namespace and update the images: find the imanager-mysql and bslicense-server services under Deployments, click Edit, locate the MariaDB image path under both the `initContainers` and `containers` tags, change the tag to the new MariaDB image tag, and click Update.

(2) Modify the orchestration files of the ispeco-mysql and iportal-mysql services in the `icloud-native-*` namespace and update the image: find the ispeco-mysql and iportal-mysql services under Deployments, click Edit, locate the MariaDB image path under both the `initContainers` and `containers` tags, change the tag to the new MariaDB image tag, and click Update.

(3) After the orchestration file is updated, the service restarts automatically.
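The manual edit above changes the MariaDB tag under both `initContainers` and `containers`. As an added example (not iManager's own tooling), the following Python applies the same change to a Deployment manifest programmatically and reports every image it touched, so a missed initContainer is easy to spot. The sample manifest and the old tag `old-amd64` are constructed placeholders; the registry address is the one used in the commands above.

```python
# Added example, not iManager's own tooling: retag the MariaDB image in a Deployment
# manifest, covering BOTH initContainers and containers, and list every image touched.
# The manifest and the old tag "old-amd64" are constructed placeholders.
import copy

def split_image(image):
    """'reg:5000/x/mariadb:tag' -> ('reg:5000/x/mariadb', 'tag'); untagged -> (image, '')."""
    repo, sep, tag = image.rpartition(":")
    if not sep or "/" in tag:        # the only colon belongs to the registry port
        return image, ""
    return repo, tag

def is_image(repo, name):
    return repo == name or repo.endswith("/" + name)

def update_mariadb_tag(deployment, new_tag, image_name="mariadb"):
    """Return (updated copy, list of 'section/container: old -> new' entries)."""
    updated = copy.deepcopy(deployment)
    pod_spec = updated["spec"]["template"]["spec"]
    changed = []
    for section in ("initContainers", "containers"):
        for c in pod_spec.get(section, []):
            repo, _tag = split_image(c["image"])
            if is_image(repo, image_name):
                new_image = f"{repo}:{new_tag}"
                changed.append(f"{section}/{c['name']}: {c['image']} -> {new_image}")
                c["image"] = new_image
    return updated, changed

def mariadb_images(deployment, image_name="mariadb"):
    """Every MariaDB image reference present, for a post-change check."""
    pod_spec = deployment["spec"]["template"]["spec"]
    return sorted(c["image"] for s in ("initContainers", "containers")
                  for c in pod_spec.get(s, [])
                  if is_image(split_image(c["image"])[0], image_name))

REGISTRY = "192.168.20.180:5000/supermap"   # registry from the page; replace with <ip:port>
SAMPLE = {  # constructed, minimal Deployment shaped like imanager-mysql
    "metadata": {"name": "imanager-mysql", "namespace": "supermap"},
    "spec": {"template": {"spec": {
        "initContainers": [{"name": "init-db", "image": f"{REGISTRY}/mariadb:old-amd64"}],
        "containers": [
            {"name": "mariadb", "image": f"{REGISTRY}/mariadb:old-amd64"},
            {"name": "exporter", "image": f"{REGISTRY}/mysqld-exporter:old"},
        ],
    }}},
}

if __name__ == "__main__":
    new, log = update_mariadb_tag(SAMPLE, "10.5.15-amd64")
    print("\n".join(log))
    print("MariaDB images now:", mariadb_images(new))
```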
- Before 11i, file upload was almost unrestricted, which left some security risks to the file system. In 11i, the File Manager restricts the upload of some script file types by default. If this still does not meet the customer's upload security policy, how can it be solved?

Answer: Users can add restrictions on the types of uploaded files according to their needs by modifying the orchestration of the file-manager service and adding file types to the corresponding environment variable:

**Configuration method for 10.2.1 and later versions**

(1) Find the file-manager service in the iManager service list, click Edit, find the environment variable `UNSUPPORTED_EXTENTIONS` in the orchestration, and add the suffixes of the file types to be restricted to its value, separated by ', ';

(2) After modification, click Update; the setting takes effect after the service restarts.

**Configuration method for 10.2.0 and earlier versions**

Visit `http://<ip>:31234` and perform the operations on the Kubernetes Dashboard page:

(1) Select `icloud-native-*` as the namespace, choosing according to the actual cloud suite ID;

(2) Find the `file-manager` Deployment under Deployments, click Edit, find the environment variable `UNSUPPORTED_EXTENTIONS` in the orchestration, and add the suffixes of the file types to be restricted to its value, separated by ', ';

(3) After modification, click Update; the setting takes effect after the service restarts.
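As an added illustration (not the file-manager's own code; this page does not describe how the service parses the variable), the following Python evaluates a deny-list written in the same ', '-separated form as `UNSUPPORTED_EXTENTIONS` and shows the normalization a suffix deny-list needs to be effective: case, surrounding spaces, a leading or trailing dot, and names that carry more than one suffix. The sample value and file names are constructed.

```python
# Added example, not the file-manager's code: evaluate a suffix deny-list given in
# the "ext1, ext2" form used for UNSUPPORTED_EXTENTIONS and check an upload name
# against it. Sample value and names are constructed.
import os

def parse_denied_suffixes(value):
    """'.sh, php , JSP' -> {'sh', 'php', 'jsp'}: trims spaces, drops a leading dot, lowercases."""
    denied = set()
    for item in value.split(","):
        ext = item.strip().lstrip(".").lower()
        if ext:
            denied.add(ext)
    return denied

def upload_allowed(filename, denied, check_all_suffixes=True):
    """Return False when the name's extension is denied. By default every dotted
    part after the first is checked, so 'notes.php.bak' is refused when 'php' is
    denied; trailing dots and spaces are stripped before comparing."""
    name = os.path.basename(filename).strip().rstrip(". ")
    suffixes = name.lower().split(".")[1:]       # e.g. ['php', 'bak']
    if not check_all_suffixes:
        suffixes = suffixes[-1:]                 # only the final extension
    return not any(s in denied for s in suffixes)

DENY = parse_denied_suffixes("sh, php, jsp, .EXE")   # constructed sample value

if __name__ == "__main__":
    for f in ("report.pdf", "script.PHP", "notes.php.bak", "run.sh.", "archive.tar.gz"):
        print(f, "->", "allowed" if upload_allowed(f, DENY) else "refused")
```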