Security risk warning on Elasticsearch (Part 1)
Posted Date 1/15/2017
Elasticsearch is a search server based on Lucene. It provides a distributed, multi-tenant full-text search engine behind a RESTful web interface.
Elasticsearch is developed in Java and released as open source under the terms of the Apache license. It is also the second most popular enterprise search engine.
It is designed for cloud computing: real-time search, stable, reliable, fast, and easy to install. However, insecure use of Elasticsearch also creates problems: after a default installation, anyone who can reach port 9200 can read and modify data with plain HTTP requests.
The details of the vulnerabilities are as follows:
Elasticsearch remote command execution (CVE-2014-3120)
Description of this vulnerability:
Elasticsearch has a scripting function that makes it easy to query and process data. The scripting engine Elasticsearch uses is MVEL; this engine provides no protection or sandbox, so it executes arbitrary code directly.
Elasticsearch Groovy arbitrary command execution vulnerability
Description of this vulnerability:
This vulnerability affects versions 1.3.0-1.3.7 and 1.4.0-1.4. It arises because Elasticsearch uses Groovy as its scripting language. Although sandbox controls were added and dangerous code can be blocked, the sandbox restrictions are not strict (they rely on blacklists and whitelists), so they can still be bypassed to allow remote code execution.
Description of this vulnerability:
After the River plugin is installed, Elasticsearch can sync data from a variety of databases (including relational databases such as MySQL, and MongoDB). Usually, if the index list at http://localhost:9200/_cat/indices contains _river, River is installed. Sensitive information can then be read at http://localhost:9200/_river/_search.
1. Cause and hazard of this vulnerability
Because Elasticsearch HTTP connections provide no access control, once it is deployed on the public network it is at risk of data exposure.
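The two checks described above (does `_cat/indices` list a `_river` index, and does `_river/_search` return datasource settings) can be run by a defender against their own cluster. The following is an added example, not code from the original notice or from the Elasticsearch project: it parses a constructed `_cat/indices` table and a constructed `_river/_search` response (field names such as the `jdbc.user` and `jdbc.password` keys and the `mysql_customers` river type are illustrative assumptions) and reports which fields an unauthenticated reader would obtain.

```python
import json

# Constructed sample of a `GET /_cat/indices?v` response from a 1.x cluster
# that has the River plugin installed (not captured from a real host).
SAMPLE_CAT_INDICES = """\
health status index        pri rep docs.count docs.deleted store.size pri.store.size
yellow open   _river         1   1          2            0      3.4kb          3.4kb
yellow open   customers      5   1      10432            0     12.1mb         12.1mb
green  open   logs-2017.01   5   0     874120            0    431.9mb        431.9mb
"""

# Constructed sample of a `GET /_river/_search` hit: a JDBC river definition
# whose _source carries the datasource connection settings. Key names are
# illustrative assumptions, not taken from any real deployment.
SAMPLE_RIVER_SEARCH = json.dumps({
    "hits": {"total": 1, "hits": [{
        "_index": "_river", "_type": "mysql_customers", "_id": "_meta",
        "_source": {"type": "jdbc", "jdbc": {
            "url": "jdbc:mysql://10.0.0.5:3306/crm",
            "user": "crm_reader",
            "password": "CONSTRUCTED-EXAMPLE-PASSWORD",
            "sql": "select * from customers"}}}]}})

# Key names that, if readable without authentication, count as a leak.
SECRET_KEYS = {"password", "passwd", "secret", "user", "username", "url"}


def parse_cat_indices(text):
    """Turn the whitespace-aligned _cat/indices table into a list of dicts."""
    lines = [line for line in text.splitlines() if line.strip()]
    header = lines[0].split()
    rows = []
    for line in lines[1:]:
        cols = line.split()
        if len(cols) != len(header):
            continue  # skip malformed rows rather than misalign columns
        rows.append(dict(zip(header, cols)))
    return rows


def river_indices(rows):
    """Names of indices that indicate the River plugin is installed."""
    return [r["index"] for r in rows if r["index"] == "_river"]


def exposed_doc_count(rows):
    """Documents readable through the open HTTP API (open indices only)."""
    return sum(int(r["docs.count"]) for r in rows if r["status"] == "open")


def sensitive_paths(obj, path=""):
    """Recursively collect JSON paths whose key names suggest credentials."""
    found = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            here = f"{path}.{key}" if path else key
            if key.lower() in SECRET_KEYS:
                found.append(here)
            found.extend(sensitive_paths(value, here))
    elif isinstance(obj, list):
        for i, value in enumerate(obj):
            found.extend(sensitive_paths(value, f"{path}[{i}]"))
    return found


def assess_river_response(raw_json):
    """(river type, [leaked field paths]) for every river definition returned."""
    resp = json.loads(raw_json)
    findings = []
    for hit in resp.get("hits", {}).get("hits", []):
        paths = sensitive_paths(hit.get("_source", {}))
        if paths:
            findings.append((hit.get("_type"), paths))
    return findings


def assess(cat_text, river_json):
    """Combine both checks into one exposure report for the cluster."""
    rows = parse_cat_indices(cat_text)
    report = {"indices": len(rows),
              "open_docs": exposed_doc_count(rows),
              "river_installed": bool(river_indices(rows)),
              "leaked_fields": []}
    if report["river_installed"]:
        for river_type, paths in assess_river_response(river_json):
            report["leaked_fields"].extend(f"{river_type}:{p}" for p in paths)
    return report


if __name__ == "__main__":
    print(json.dumps(assess(SAMPLE_CAT_INDICES, SAMPLE_RIVER_SEARCH), indent=2))
```

On a live cluster the two strings would be the bodies of `GET /_cat/indices?v` and `GET /_river/_search`; a non-empty `leaked_fields` list means the datasource credentials behind the river are readable by anyone who can reach port 9200, which is exactly the condition the network controls in the next section are meant to remove.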
2. Elasticsearch reinforcement scheme
Network access control (highly recommended)
It is recommended not to publish the Elasticsearch port 9200 service to the Internet. Restrict which source IPs can reach it using an Alibaba Cloud security firewall or the local operating system's firewall.
Elasticsearch also provides many security plug-ins that users can install easily. Here are two recommended measures:
IP binding (bind to a specific IP)
Enter the “config” directory and modify the “elasticsearch.yml” configuration file with the following parameters:
1. network.bind_host: 192.168.0.1
   Sets the IP address to bind to. It can be either IPv4 or IPv6. By default it is 0.0.0.0.
2. network.publish_host: 192.168.0.1
   Sets the IP address that other nodes use to communicate with this node. If it is not set, it is determined automatically. The value must be a real IP address.
3. network.host: 192.168.0.1
   Sets both bind_host and publish_host at once.
Modify the default ports
Enter the ‘config’ directory and modify the ‘elasticsearch.yml’ configuration file with the following parameters:
1. transport.tcp.port: 9300
   Sets the TCP port used for communication between nodes. The default port is 9300.
2. transport.tcp.compress: true
   Sets whether to compress TCP transport data. The default value is false (no compression).
3. http.port: 9200
   Sets the HTTP port for external services. The default port is 9200.
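To see the two hardening measures above side by side, the following added example (not code from the original notice or from the Elasticsearch project) audits two constructed elasticsearch.yml fragments: one left at the defaults described in this section and one with the bind address and ports changed. The parser handles only the flat `dotted.key: value` lines used in these settings. Beyond the page's own keys it also checks `script.disable_dynamic`, the 1.x setting that turns off the dynamic scripting behind the MVEL and Groovy vulnerabilities described earlier; the severity labels are this example's own choice.

```python
# Constructed elasticsearch.yml fragments (not taken from a real host).
WEAK_YML = """\
# Default-style configuration: bind address commented out, default ports.
cluster.name: demo
#network.host: 192.168.0.1
http.port: 9200
transport.tcp.port: 9300
"""

HARDENED_YML = """\
cluster.name: demo
network.host: 192.168.0.1
http.port: 9201
transport.tcp.port: 9301
transport.tcp.compress: true
script.disable_dynamic: true
"""

DEFAULT_HTTP_PORT = "9200"
DEFAULT_TRANSPORT_PORT = "9300"
ALL_INTERFACES = {"0.0.0.0", "::"}  # wildcard binds: every interface listens


def parse_es_yml(text):
    """Minimal parser for the flat `dotted.key: value` lines in a 1.x
    elasticsearch.yml. Comments and blank lines are skipped; nested YAML is
    not needed for the network, port and script keys audited here."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing and full-line comments
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip("\"'")
    return settings


def effective_bind_host(settings):
    """network.host sets both bind_host and publish_host; an explicit
    network.bind_host wins, and the default is 0.0.0.0 (all interfaces)."""
    return (settings.get("network.bind_host")
            or settings.get("network.host")
            or "0.0.0.0")


def audit(settings):
    """Return (severity, message) findings for the weak settings discussed
    on this page: wildcard bind, default ports, dynamic scripting left on."""
    findings = []
    bind = effective_bind_host(settings)
    http_port = settings.get("http.port", DEFAULT_HTTP_PORT)
    if bind in ALL_INTERFACES:
        findings.append(("critical",
                         f"bind address {bind}: the HTTP API on port {http_port} "
                         "listens on every interface; restrict source IPs with a firewall"))
    if http_port == DEFAULT_HTTP_PORT:
        findings.append(("low", "http.port left at default 9200 (trivially found by port scans)"))
    if settings.get("transport.tcp.port", DEFAULT_TRANSPORT_PORT) == DEFAULT_TRANSPORT_PORT:
        findings.append(("low", "transport.tcp.port left at default 9300"))
    # script.disable_dynamic is the 1.x switch for the MVEL/Groovy script engines;
    # it is absent from the page's list, added here as the mitigation for those CVEs.
    if settings.get("script.disable_dynamic", "false").lower() != "true":
        findings.append(("high",
                         "dynamic scripting enabled: script execution through the query "
                         "API (MVEL / Groovy) is reachable by anyone who can reach the HTTP port"))
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_YML), ("hardened", HARDENED_YML)):
        print(f"== {label} ==")
        for severity, message in audit(parse_es_yml(text)):
            print(f"[{severity}] {message}")
```

Note that binding to 192.168.0.1 removes the wildcard finding but does not by itself keep the port off the Internet if that interface is routable; the firewall control recommended above is still needed, which is why the critical finding names it.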