Re: Security device has security bug.
> The security device is only as secure as the underlying OS.
Sorry, are you trying to imply that the fact an admin port was open and exposed indicates that there is a security flaw in the OS itself?
Whether or not port 8443 was open is a decision made by the Sentry program (or by its setup), not the OS.
Exposing a port - any port - to the Internet is a matter of router/firewall configuration; that may not even be under the control of the same hardware, let alone indicate an issue with the OS (the article notes that port "may not be public facing", see quote below).
> What design decisions thought it a good idea to leave an administration port exposed to the Internet?
>> attackers must be able to reach administrative API port 8443 of a vulnerable Sentry deployment, which may not be public facing.
>> there is a low risk of exploitation for customers who do not expose port 8443 to the internet
Presumably, those who did leave this accessible via the Internet made the decision to do so in order that they could remotely admin their system? Something that people do seem to like to do (maybe to allow WFH?).
As the article notes, the problem with doing that is down to an inadequate Apache config (wild guess - the admin functions are accessed by web pages).
Hopefully, you are not trying to suggest that web servers should not be exposed to the Internet? Otherwise there are a lot of admin tasks that a lot of people do that will get a lot harder!
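The distinction the reply draws (a program binding a port versus the network actually exposing it) can be checked on the host side. The following is an added example, not part of the original post or of any vendor's tooling: it parses constructed `ss -tlnp`-style output and flags administrative ports bound to wildcard or public addresses, which are the only listeners a router or firewall could forward to the Internet. The admin-port set, the sample lines and the process names are assumptions for illustration; 8443 is the port named in the article quotes above.

```python
"""Audit listening sockets for administrative ports that could be Internet-reachable.

A wildcard or public bind does not by itself mean Internet exposure (that is the
router/firewall's decision, as the reply argues), but it is the set worth
reviewing. Loopback and private-interface binds are reported but not flagged.
"""
import ipaddress
import re

# Ports treated as administrative. 8443 comes from the thread; 22 and 3389 are
# assumed examples of other commonly restricted admin services.
ADMIN_PORTS = {8443, 22, 3389}

# Constructed sample in the shape of `ss -tlnp` output (not captured from a real host).
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:8443         0.0.0.0:*          users:(("java",pid=1234,fd=5))
LISTEN  0       128     127.0.0.1:8443       0.0.0.0:*          users:(("java",pid=1234,fd=6))
LISTEN  0       128     10.0.5.10:22         0.0.0.0:*          users:(("sshd",pid=77,fd=3))
LISTEN  0       511     [::]:443             [::]:*             users:(("httpd",pid=88,fd=4))
LISTEN  0       511     [::1]:3389           [::]:*             users:(("xrdp",pid=90,fd=4))
"""

# State, Recv-Q, Send-Q, Local Address:Port, Peer Address:Port, then the process column.
_LINE_RE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(\S+)\s+\S+\s*(.*)$")
_PROC_RE = re.compile(r'\("([^"]+)"')


def split_addr_port(local: str):
    """Split '0.0.0.0:8443' or '[::]:443' into (host, port)."""
    host, _, port = local.rpartition(":")
    host = host.strip("[]")
    if host == "*":  # older ss prints '*' for the IPv4 wildcard
        host = "0.0.0.0"
    return host, int(port)


def classify(host: str) -> str:
    """Bucket a bind address by how far it can be reached."""
    ip = ipaddress.ip_address(host)
    if ip.is_unspecified:
        return "wildcard"   # every interface, including any Internet-facing one
    if ip.is_loopback:
        return "loopback"   # same host only
    if ip.is_private:
        return "private"    # LAN-reachable, Internet-reachable only via forwarding
    return "public"


def parse_listeners(text: str):
    """Return one record per LISTEN line: host, port, scope and owning process."""
    listeners = []
    for line in text.splitlines():
        m = _LINE_RE.match(line)
        if not m:
            continue
        host, port = split_addr_port(m.group(1))
        proc = _PROC_RE.search(m.group(2))
        listeners.append({
            "host": host,
            "port": port,
            "scope": classify(host),
            "process": proc.group(1) if proc else "",
        })
    return listeners


def exposed_admin_ports(text: str, admin_ports=ADMIN_PORTS):
    """Admin-port listeners a router/firewall could expose to the Internet."""
    return [
        rec for rec in parse_listeners(text)
        if rec["port"] in admin_ports and rec["scope"] in ("wildcard", "public")
    ]


if __name__ == "__main__":
    for rec in exposed_admin_ports(SAMPLE_SS_OUTPUT):
        print(f"review: {rec['process']} listens on {rec['host']}:{rec['port']} ({rec['scope']})")
```

On the sample, only the `java` listener on `0.0.0.0:8443` is reported; the loopback copy of 8443 and the LAN-bound SSH listener are parsed but not flagged. Whether the flagged one is reachable from the Internet still depends on the firewall or router in front of it, which is exactly the reply's point.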