[pigbearpig]

From the Wired article, it may not have even been a mistake, depending on the version of Spring Boot.

"Spring Boot Actuator. “Up until version 1.5 (released in 2017), the /heapdump endpoint was configured as publicly exposed and accessible without authentication by default."

[davedx]

This sounds utterly insane. Is Actuator a standard part of Spring Boot or is it an optional package of some kind?

[teekert]

Imaging putting up a firewall to mitigate this, then docker compose helpfully opening the ports for you. Security comes in layers.

[callamdelaney]

This feature of docker compose is insane.

[teekert]

Right!? I learned with a colleague: Didn’t you restrict everything to the Tailnet? Yes, feel free to check UFW. Hmm, then why does nmap show all this stuff when scanning from the lan? Wtf??

[callamdelaney]

Similar here, UFW setup to only enable access via Caddy to our http services - wait, why can I connect directly to our redis instance?

Took a while to workout that for some reason docker-compose is messing directly with iptables to shoot holes in the firewall we'd configured. Figured out you have to write your compose in some super special way to disable that functionality. Compose should never ever open network ports, ever in my book - to do so without a warning or anything though is like I said, insane!

[formerly_proven]

This was also part of the exploit chain in the "Volksdaten" incident.