Security Vulnerability Detected on pd-server

Note:
This topic has been translated from a Chinese forum by GPT and might contain errors.

Original topic: pd-server上被扫出安全漏洞

| username: 重启试试

[TiDB Usage Environment] Production Environment
[TiDB Version] 4.0.10
[Reproduction Path] pd-server was scanned for security vulnerabilities
[Encountered Problem: Problem Phenomenon and Impact]

http://pd-ip:2379/debug/vars
http://pd-ip:2379/swagger/index.html
http://pd-ip:2379/v2/keys/vaydcmzdzvegeqwavlhwjplthkdtdaax?dir=true

The three pages above can be accessed directly without authentication, so the vulnerability scan fails. Version 4.0.10 does not support disabling them, and I can't find the files for these pages. Besides upgrading, is there any other way to close these web pages so that they no longer show up in the vulnerability scanning tool?

| username: xfworld | Original post link

Enable the firewall on the PD node and only allow whitelisted access.

Secondly, upgrade the version…

| username: 重启试试 | Original post link

To add a whitelist to the PD in a TiDB cluster, you only need to add the machines within the cluster, right?

| username: xfworld | Original post link

Yes, and the jump server, the tiup control machine, backup nodes, and any other nodes that need access all need to be added as well…

This basically blocks the loophole, but it is relatively cumbersome.
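As an added example (not part of the original thread, and not TiDB's or TiUP's own tooling), the following POSIX shell script turns a whitelist like the one described above into host-firewall rules for PD's client port. The 10.0.x.x addresses and the `PD_ALLOW` chain name are placeholders; replace them with your own PD/TiKV/TiDB nodes, tiup control machine, jump server and backup hosts. By default it only prints the iptables commands; `--apply` pipes them to `sh` and must run as root on the PD node.

```shell
#!/bin/sh
# Added example: restrict PD's client port to a whitelist of cluster and
# management hosts using iptables. All addresses below are placeholders.
PD_PORT="${PD_PORT:-2379}"

# Hypothetical whitelist: PD/TiKV/TiDB nodes, tiup control machine,
# jump server, backup host. Adjust to your own topology.
PD_WHITELIST="${PD_WHITELIST:-10.0.0.11 10.0.0.12 10.0.0.13 10.0.0.21 10.0.0.22 10.0.1.5 10.0.2.0/24}"

# Accept only dotted-quad IPv4 addresses with an optional /prefix, so that a
# malformed entry can never be spliced into the generated shell commands.
valid_cidr() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
}

# Emit the iptables commands for one port and a list of whitelisted sources.
# Rule order matters: loopback and whitelist ACCEPTs first, then a final DROP
# for everything else arriving on that port. Returns 1 on an invalid entry.
pd_whitelist_rules() {
    port="$1"; shift
    for cidr in "$@"; do
        valid_cidr "$cidr" || { echo "invalid whitelist entry: $cidr" >&2; return 1; }
    done
    # Dedicated chain so the rules can be flushed and regenerated idempotently.
    echo "iptables -N PD_ALLOW 2>/dev/null || iptables -F PD_ALLOW"
    echo "iptables -A PD_ALLOW -i lo -j ACCEPT"
    for cidr in "$@"; do
        echo "iptables -A PD_ALLOW -s $cidr -j ACCEPT"
    done
    echo "iptables -A PD_ALLOW -j DROP"
    # Hook the chain into INPUT only if it is not already there.
    echo "iptables -C INPUT -p tcp --dport $port -j PD_ALLOW 2>/dev/null || iptables -I INPUT -p tcp --dport $port -j PD_ALLOW"
}

case "${1:-}" in
    --apply) pd_whitelist_rules "$PD_PORT" $PD_WHITELIST | sh ;;  # apply as root
    *)       pd_whitelist_rules "$PD_PORT" $PD_WHITELIST ;;       # dry run
esac
```

Two practical notes: iptables rules do not survive a reboot unless you persist them (`iptables-save` into your distribution's restore mechanism, or express the same whitelist as firewalld rich rules), and PD's peer port (2380 by default) deserves the same treatment if the scanner reaches it. After applying, confirm from a host that is not on the whitelist that `curl -m 3 http://pd-ip:2379/debug/vars` now times out instead of returning data, and from a cluster node that it still works.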

| username: zhanggame1 | Original post link

Use the host firewall to control access for specific IPs.

| username: zhanggame1 | Original post link

It's not that troublesome. There aren't many hosts that access port 2379.

| username: Fly-bird | Original post link

Aren’t database servers typically in an internal network environment? How could they be allowed to be scanned?

| username: tidb菜鸟一只 | Original post link

A whitelist is definitely the fastest option, but TiDB also supports enabling TLS-encrypted transport.

| username: ShawnYan | Original post link

Off-topic, have you considered upgrading?

| username: zhanggame1 | Original post link

According to the classified protection requirements, every important server must be able to pass a vulnerability scan without high-risk findings.

| username: 像风一样的男子 | Original post link

You run the compliance scan yourself. The auditors won't log into your server; they just scan the test cluster, generate a report, and that's it.

| username: cassblanca | Original post link

For internal systems, unauthorized interface access vulnerabilities can basically be ignored, right?