Vulnerability Notice: Does Amazon Linux 2 require Port Mapper?

0

Hello,

We recently got an email from AWS stating "Reported Vulnerability: Open Port Mapper/RPC Bind"

The servers listed are a couple (not all) ECS Servers that run Amazon Linux 2. This surprised me as we do not do anything with these images (outside of package updates), they're spun up and that is it.

I noticed this image does have Open Port Mapper installed, does Amazon Linux 2 for ECS require this? My first theory was it uses it for the randomised docker port hosts.

I found it a bit strange that we would get an email warning about Open Port Mapper when it is something AWS have installed in their own image.

1 Answer
3
Accepted Answer

Hi,

Please see the document below; it should be helpful for your question.

https://docs.aws.amazon.com/linux/al2023/ug/security.html

EXPERT
answered 2 months ago
  • Hello, I do not think that is useful for me at this moment. The vulnerability report came from AWS, so why would I need to inform AWS of a vulnerability that they specifically emailed me about? This was from ec2-abuse@amazon.com due to a report from CSIRT-IE.

    My main question is, does Amazon Linux require Open Port Mapper, and if it does, then why is AWS emailing me for something they included in their image?

  • Understanding the AWS Email Regarding Open Port Mapper/RPC Bind
    The email you received from AWS regarding the "Reported Vulnerability: Open Port Mapper/RPC Bind" is a standard security alert meant to inform you of potential security risks. Even if the Amazon Linux 2 AMI includes the rpcbind service by default, it's not necessarily required for typical ECS or Docker functionality.

    Does Amazon Linux 2 Require Open Port Mapper?
    No, Amazon Linux 2, including the ECS-optimized version, does not require the Open Port Mapper (rpcbind) service for its core functionality. This service is traditionally used for mapping RPC program numbers to network port numbers, which is not a requirement for Docker or ECS operations.

    Why is rpcbind Included?
    The inclusion of rpcbind in the Amazon Linux 2 AMI could be for compatibility with legacy applications that may still require RPC services. However, it doesn't mean that it should remain enabled if not used, especially given the potential security risks associated with open and unnecessary network services.

  • Hi Thanniru Anil Kumar, thank you for that response; that helps detail this service. I checked out Amazon Linux 2023 and, while it is included, it is not active there, which made me more comfortable that ECS itself is not reliant upon this. Phew!

    I think, as you say, it's there because of legacy. We have since globally blocked Port 111, and that was enough to satisfy the AWS Trust Team. We unfortunately couldn't really go and disable the service, because we often update the AMI to new versions and it'll just be re-enabled on a fresh AMI install. Once we move to AL2023 this shouldn't be an issue!
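The two practical questions in this thread are "is rpcbind actually listening on this instance?" and "how do I keep it off when the ECS AMI is refreshed?" The shell script below is an added example, not code from the thread, AWS, or Amazon Linux. It assumes an ECS-optimized Amazon Linux 2 host with systemd, where the Port Mapper ships as the `rpcbind.socket` and `rpcbind.service` units; the `ss` output it parses is constructed sample data, not a capture from a real host. Masking both units (the socket unit as well as the service) matters because socket activation would otherwise restart the service on the next connection to port 111, and emitting the same commands as launch-template user data is what makes the change survive a new AMI, in addition to the security-group block on port 111 the original poster used.

```shell
#!/bin/sh
# Added example: audit and disable the Port Mapper (rpcbind, TCP/UDP 111)
# on an ECS-optimized Amazon Linux 2 instance, and make it stick across AMI refreshes.

# Constructed sample of `ss -lntu` output (not from a real host). Field 5 is
# the local address:port. Port 111 is bound on 0.0.0.0 for both TCP and UDP,
# alongside sshd and the ECS agent's introspection port on loopback.
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp   LISTEN 0      4096         0.0.0.0:111        0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
udp   UNCONN 0      0            0.0.0.0:111        0.0.0.0:*
tcp   LISTEN 0      4096       127.0.0.1:51678      0.0.0.0:*'

# Constructed sample of a host where rpcbind has already been disabled.
CLEAN_SS='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp   LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      4096       127.0.0.1:51678      0.0.0.0:*'

# count_portmapper_sockets SS_OUTPUT: print how many sockets are bound to port 111.
count_portmapper_sockets() {
  printf '%s\n' "$1" | awk '$5 ~ /:111$/ { n++ } END { print n + 0 }'
}

# portmapper_listening SS_OUTPUT: print the port-111 sockets; exit 0 if any exist, else 1.
portmapper_listening() {
  printf '%s\n' "$1" | awk '$5 ~ /:111$/ { found = 1; print } END { exit (found ? 0 : 1) }'
}

# exposed_to_all_interfaces SS_OUTPUT: exit 0 if port 111 is bound on a wildcard
# address (0.0.0.0, *, or [::]), i.e. reachable from outside the host if the
# security group allows it; exit 1 if it is only bound on loopback or absent.
exposed_to_all_interfaces() {
  printf '%s\n' "$1" \
    | awk '$5 ~ /^(0\.0\.0\.0|\*|\[::\]):111$/ { found = 1 } END { exit (found ? 0 : 1) }'
}

# disable_rpcbind: stop and mask rpcbind on the running host. Needs root.
# Masking rpcbind.socket too is what prevents socket activation from bringing
# the service back on the next connection attempt.
disable_rpcbind() {
  systemctl disable --now rpcbind.socket rpcbind.service
  systemctl mask rpcbind.socket rpcbind.service
}

# user_data: print a cloud-init user-data script for an ECS launch template or
# launch configuration. Because it runs on every boot of a fresh AMI, the
# service stays off after the AMI is updated to a newer version.
user_data() {
  cat <<'EOF'
#!/bin/bash
set -euo pipefail
# Disable the Port Mapper; ECS and Docker do not depend on it.
systemctl disable --now rpcbind.socket rpcbind.service
systemctl mask rpcbind.socket rpcbind.service
EOF
}

# Live audit of the current host would be:
#   portmapper_listening "$(ss -lntu)" && exposed_to_all_interfaces "$(ss -lntu)"
# Here we run the audit over the constructed sample instead.
if portmapper_listening "$SAMPLE_SS"; then
  echo "rpcbind is listening on $(count_portmapper_sockets "$SAMPLE_SS") socket(s)"
  exposed_to_all_interfaces "$SAMPLE_SS" && echo "port 111 is bound on all interfaces"
fi
```

Run the audit half against real `ss -lntu` output before and after applying the user data; the security-group deny on 111 remains the network control, and the masked units remove the listener itself so the host no longer answers on 111 at all.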