1 Answer
Hi,
Please follow the document below; it should be helpful for your question.
Hello, I do not think that is useful for me at this moment. The vulnerability report came from AWS, so why would I need to inform AWS of a vulnerability that they specifically emailed me about? This was from ec2-abuse@amazon.com due to a report from CSIRT-IE.
My main question is, does Amazon Linux require Open Port Mapper, and if it does, then why is AWS emailing me for something they included in their image?
Understanding the AWS Email Regarding Open Port Mapper/RPC Bind
The email you received from AWS regarding the "Reported Vulnerability: Open Port Mapper/RPC Bind" is a standard security alert meant to inform you of potential security risks. Even if the Amazon Linux 2 AMI includes the rpcbind service by default, it's not necessarily required for typical ECS or Docker functionality.
Does Amazon Linux 2 Require Open Port Mapper?
No, Amazon Linux 2, including the ECS-optimized version, does not require the Open Port Mapper (rpcbind) service for its core functionality. This service is traditionally used for mapping RPC program numbers to network port numbers, which is not a requirement for Docker or ECS operations.
Why is rpcbind Included?
The inclusion of rpcbind in the Amazon Linux 2 AMI could be for compatibility with legacy applications that may still require RPC services. However, it doesn't mean that it should remain enabled if not used, especially given the potential security risks associated with open and unnecessary network services.
Hi Thanniru Anil Kumar, thank you for that response; that helps with the details about this service. I checked out Amazon Linux 2023 and, while it is included, it is not active there, which made me more comfortable that ECS itself is not reliant upon this. Phew!
I think, as you say, it's there because of legacy. We have since globally blocked Port 111, and that was enough to satisfy the AWS Trust Team. We unfortunately couldn't really disable the service because we often update the AMI to new versions and it would just be re-enabled on a fresh AMI install. Once we move to AL2023 this shouldn't be an issue!
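As an added example (not part of the re:Post thread and not AWS-provided code), the following shell script covers both the answer's point that rpcbind is not needed for ECS and the follow-up's concern that a hand-disabled service comes back on a fresh AMI. It parses `ss -Hlntu`-style output to find anything bound to port 111 (the portmapper port), and defines a hardening function that masks the units so socket activation or a package update cannot re-enable the listener; put that function in the launch template's user data and every new instance built from the rotated AMI gets it on first boot. The `ss` output is constructed here so the audit part runs offline; the unit names `rpcbind.socket` and `rpcbind.service` are assumed from the stock rpcbind package.

```shell
#!/bin/sh
# Added example (not from the re:Post thread): audit whether rpcbind/portmapper
# (TCP/UDP 111) is listening, plus a hardening step that survives AMI rotation
# when placed in launch-template user data.

# Constructed sample of `ss -Hlntu` output from an AL2 host with rpcbind active
# (column 5 is the local address:port, as in real ss output).
SAMPLE_SS_OUTPUT='tcp   LISTEN 0      128     0.0.0.0:111     0.0.0.0:*
tcp   LISTEN 0      128     0.0.0.0:22      0.0.0.0:*
udp   UNCONN 0      0       0.0.0.0:111     0.0.0.0:*
tcp   LISTEN 0      128        [::]:111        [::]:*'

# Print every socket bound to port 111 from ss-style output on stdin.
# Matching ":111$" on the local address column covers IPv4 (0.0.0.0:111),
# IPv6 ([::]:111) and wildcard (*:111) bindings.
port111_listeners() {
    awk '$5 ~ /:111$/ { print $1, $5 }'
}

# Count the port-111 sockets in the given text; prints the number.
count_port111() {
    printf '%s\n' "$1" | port111_listeners | wc -l | tr -d ' '
}

# Live check for a real host (needs iproute2's ss). Exit status 0 means
# rpcbind is exposed on this instance.
rpcbind_exposed() {
    [ "$(ss -Hlntu 2>/dev/null | port111_listeners | wc -l)" -gt 0 ]
}

# Hardening step: stop and mask both the socket and the service unit, so
# neither systemd socket activation nor a later package update brings the
# listener back. Unit names are assumed from the stock rpcbind package.
# Not executed in this script; run it as root, or embed it in launch-template
# user data so a freshly launched AMI is hardened on first boot.
harden_rpcbind() {
    systemctl disable --now rpcbind.socket rpcbind.service
    systemctl mask rpcbind.socket rpcbind.service
}

# Demonstration on the constructed sample (no privileges or network needed).
printf 'port-111 sockets in sample: %s\n' "$(count_port111 "$SAMPLE_SS_OUTPUT")"
printf '%s\n' "$SAMPLE_SS_OUTPUT" | port111_listeners
```

On an ECS-optimized instance the user data script already typically writes `ECS_CLUSTER=...` into `/etc/ecs/ecs.config`; the `harden_rpcbind` lines can sit in that same script. Blocking port 111 in the security group, as the poster did, remains a useful second layer: the host-level mask removes the listener, the network rule limits exposure if it ever returns.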