I just had a security scan done against my cluster running AOS 5.5.6 and the only 'high' risk that came back was with cve-id CVE-1999-0548 (NFS Server Without Shares Detected):
Description;
A superfluous NFS server that is not sharing any file systems has been detected.
How to Fix;
Disable the NFS server.
Obliviously, I don't think I want to disable the NFS server service on all of my cvm's - is there any official documentation that I can share with my peers to support this so that I can get an exemption from this risk on these systems?
Solved
CVM's running NFS server risk
Best answer by danny_sre
Hi Mandg!
Â
Since the CVM’s are the storage controllers for the environment we would not want to disable NFS. This is particularly true if the hypervisors are ESXi ( ref: https://portal.nutanix.com/#/page/kbs/details?targetId=kA032000000TStNCAW )Â
Note the following:
CVM, Stargate service is always listening on ports 2049 (NFS), 3261/3260 (iSCSi), 445 (SMB), no matter what kind of hypervisor we are using. This can cause security scan warnings for vulnerabilities on CVM in the environment.
Â
Please review and let me know if you have any additional questions.Â
Â
Thanks!
Â
DannyR
Â
This topic has been closed for replies.
+1- Nutanix Employee
- Answer
Hi Mandg!
Â
Since the CVM’s are the storage controllers for the environment we would not want to disable NFS. This is particularly true if the hypervisors are ESXi ( ref: https://portal.nutanix.com/#/page/kbs/details?targetId=kA032000000TStNCAW )Â
Note the following:
CVM, Stargate service is always listening on ports 2049 (NFS), 3261/3260 (iSCSi), 445 (SMB), no matter what kind of hypervisor we are using. This can cause security scan warnings for vulnerabilities on CVM in the environment.
Â
Please review and let me know if you have any additional questions.Â
Â
Thanks!
Â
DannyR
Â
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.