InfluxDB Unauthorized Access Vulnerability
Description
InfluxDB is an open-source time series database designed for high-performance storage and retrieval of time-stamped data. By default, InfluxDB may run without authentication enabled, which allows unauthorized users to access the database interface and APIs. The vulnerability arises when such an InfluxDB instance is exposed to untrusted networks (such as the public internet) without proper access controls or authentication mechanisms in place.
Remediation
Implement the following security measures to protect your InfluxDB instance:
1. Enable Authentication: Configure InfluxDB to require authentication by setting auth-enabled = true in the [http] section of the InfluxDB configuration file (influxdb.conf).
2. Create Administrative Users: After enabling authentication, create admin users with strong passwords using the InfluxDB CLI or HTTP API.
3. Restrict Network Access: Use firewall rules or security groups to limit access to InfluxDB ports (default: 8086) to only trusted IP addresses or internal networks. Do not expose InfluxDB directly to the public internet.
4. Use TLS/SSL: Enable HTTPS for all InfluxDB communications to encrypt data in transit by configuring the https-enabled option.
5. Apply Principle of Least Privilege: Create database-specific users with minimal required permissions rather than using admin accounts for application access.
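
The configuration settings behind steps 1, 3 and 4 can be checked mechanically before an instance goes live. The Python audit below is an added example, not part of the original advisory or of InfluxDB's own tooling. It assumes the InfluxDB 1.x influxdb.conf layout, the bind-address key in the [http] section, and the 1.x defaults (authentication and HTTPS off, listening on :8086); the sample configurations are constructed.

```python
import re

# Constructed sample configs (not taken from a real host).
WEAK = """
[http]
  enabled = true
  bind-address = ":8086"
  # auth-enabled = true
  https-enabled = false
"""
HARDENED = """
[http]
  bind-address = "127.0.0.1:8086"
  auth-enabled = true
  https-enabled = true
"""

def http_settings(conf_text):
    """Return the key/value pairs of the [http] section.

    Minimal parser for simple `key = value` lines; anything after '#'
    is treated as a comment, so a commented-out setting does not count.
    """
    settings, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.fullmatch(r"\[([^\]]+)\]", line)
        if header:
            section = header.group(1).strip()
        elif section == "http" and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip().strip('"')
    return settings

def audit(conf_text):
    """Return a list of findings; an empty list means all checks passed."""
    http = http_settings(conf_text)
    findings = []
    # Assumed 1.x defaults apply when a key is absent or commented out.
    if http.get("auth-enabled", "false").lower() != "true":
        findings.append("auth-enabled is not true: API accepts unauthenticated requests")
    if http.get("https-enabled", "false").lower() != "true":
        findings.append("https-enabled is not true: traffic is sent in cleartext")
    host = http.get("bind-address", ":8086").rsplit(":", 1)[0]
    if host in ("", "0.0.0.0", "::", "[::]"):
        findings.append("bind-address listens on all interfaces: confirm firewall rules restrict the port")
    return findings
```

Run audit() on the contents of influxdb.conf as part of deployment checks; the bind-address finding is a prompt to verify the firewall or security-group rules from step 3, not proof of exposure.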