
[Vulnerability notice] Multiple high-risk vulnerabilities in Elasticsearch

Last Updated: May 08, 2018

Elasticsearch is a Lucene-based search service. It provides a distributed full-text search engine that serves multiple users through a RESTful web interface. Elasticsearch is written in Java and released as open source under the Apache license. It is the second most popular enterprise search engine.

Designed for cloud computing, Elasticsearch offers real-time search, stable and reliable performance, fast response, and easy installation and use. But unsafe deployment of Elasticsearch has also caused problems: by default, once Elasticsearch is installed, its data can be read over the web through port 9200 without any authentication.

Details

Elasticsearch has the following vulnerabilities.

Vulnerability 1
  Type: Remote command execution
  CVE: CVE-2014-3120
  Affected versions: -
  Description: Elasticsearch has scripting enabled so that you can easily process result data. However, Elasticsearch uses MVEL as the scripting engine, and MVEL has neither protection in place nor a sandbox as a shield, making arbitrary code execution possible.

Vulnerability 2
  Type: Remote command execution
  CVE: -
  Affected versions: 1.3.0-1.3.7 and 1.4.0-1.4
  Description: Elasticsearch uses Groovy as the scripting language. Although a sandbox is integrated to block dangerous code, the sandbox's whitelist and blacklist checks are not strict enough and can be bypassed to execute code remotely.

Vulnerability 3
  Type: Unauthorized access
  CVE: -
  Affected versions: -
  Description: After River is installed, Elasticsearch can synchronize data from multiple types of database (including the relational database MySQL, and MongoDB).
  • If _river appears in the index list (http://localhost:9200/_cat/indices), River has usually been installed.
  • Sensitive information can be viewed through the exposed http://localhost:9200/_river/_search.
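The River check described above, as an added example that is not part of the original notice: it parses the plain-text table that `GET /_cat/indices` returns on Elasticsearch 1.x and reports whether the `_river` index is present. The sample output is constructed; the column order and the `_river` index name are as documented for Elasticsearch 1.x.

```python
"""Detect a River plug-in installation from the output of `GET /_cat/indices`.

Added example, not part of the original notice. It parses the plain-text table
that `_cat/indices` returns (Elasticsearch 1.x column order: health status index
pri rep docs.count docs.deleted store.size pri.store.size) and reports whether
the `_river` index is present, which the notice says usually means River has
been installed. The sample output below is constructed.
"""

# Constructed sample of `_cat/indices?v` output (the `v` flag adds the header row).
SAMPLE_CAT_INDICES = """\
health status index           pri rep docs.count docs.deleted store.size pri.store.size
green  open   _river            1   1          2            0      9.1kb          4.5kb
yellow open   products          5   1       1200            3      2.1mb          2.1mb
yellow open   logs-2018.05.08   5   1       9800            0     14.3mb         14.3mb
"""

RIVER_INDEX = "_river"


def parse_cat_indices(text):
    """Return one dict per index row; the optional `?v` header row is skipped."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] == "health":
            continue  # blank line, truncated line, or the header row
        rows.append({"health": fields[0], "status": fields[1], "index": fields[2]})
    return rows


def river_installed(text):
    """True if the `_river` index appears in the `_cat/indices` output."""
    return any(row["index"] == RIVER_INDEX for row in parse_cat_indices(text))


def plugin_indices(text):
    """Names of underscore-prefixed indices, which plug-ins such as River create."""
    return [row["index"] for row in parse_cat_indices(text)
            if row["index"].startswith("_")]


if __name__ == "__main__":
    # A positive result means /_river/_search should be treated as exposing
    # sensitive information until the node is isolated or River is removed.
    print("River installed:", river_installed(SAMPLE_CAT_INDICES))
    print("Plug-in indices:", plugin_indices(SAMPLE_CAT_INDICES))
```

Feed it the saved response of `curl -XGET 'http://localhost:9200/_cat/indices?v'` from each node; the check is deliberately offline so it can be run against captured output during an inventory of exposed clusters.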

Fix

Elasticsearch’s HTTP connections do not implement any permission control measures. Once deployed on a public network, Elasticsearch is prone to data leaks.

To resolve the preceding vulnerabilities, the following methods are suggested.

  • We recommend that you do not expose Elasticsearch's port 9200 service on the Internet.

  • You can use an Alibaba Cloud Security Group firewall or the firewall of the local operating system to restrict which source IP addresses can connect.

Bind the visitor IP address

Go to the config directory and modify the following parameters in the elasticsearch.yml configuration file:

    network.bind_host: 192.168.0.1
    # the IP address to bind to; it can be an IPv4 or IPv6 address, and the default value is 0.0.0.0
    network.publish_host: 192.168.0.1
    # the IP address other nodes use to communicate with this node; if it is not set, the system chooses one automatically, and it must be a real IP address
    network.host: 192.168.0.1
    # sets the bind_host and publish_host parameters at the same time

Modify the default port

Go to the config directory and modify the following parameters in the elasticsearch.yml configuration file:

    transport.tcp.port: 9300
    # the TCP port for communication between nodes; the default port is 9300
    transport.tcp.compress: true
    # whether to compress data on the TCP transport; the default is "false", meaning no compression
    http.port: 9200
    # the HTTP port for external services; the default port is 9200

Disable HTTP access

Go to the config directory and modify the following parameter in the elasticsearch.yml configuration file:

    http.enabled: false
    # whether to provide external services over HTTP; the default is "true", meaning HTTP is enabled

Use the security plug-in Shield

Shield is a security plug-in developed by Elastic for Elasticsearch. After being installed, Shield intercepts all requests to Elasticsearch and performs authentication and encryption to secure Elasticsearch-related systems.

Shield is a commercial plug-in that requires a commercial Elasticsearch license. First-time users get a 30-day free trial when they install the license. After 30 days, Shield blocks the cluster health, cluster stats, and index stats APIs, but other features remain available.

User authentication

Shield lets you define a set of users and authenticates their requests. These users belong to an abstract "domain", which can be one of the following types:

  • LDAP service
  • Active Directory service
  • Local esusers configuration files (similar to /etc/passwd)

Permission control

Shield's permission control consists of the following elements:

  • SecuredResource: the object that a permission applies to, such as an index or a cluster.
  • Privilege: one or more operations that a role can perform on an object, such as read and write. A privilege can also be a specific action, such as indices:data/read/percolate.
  • Permission: one or more privileges applied to a SecuredResource, such as read on the "products" index.
  • Role: a named set of permissions.
  • User: an entity that can be assigned zero, one, or more roles. A user holds the privileges that its roles grant on the secured resources.

Install Shield

Prepare your environment as follows:

  • Java 7 or later is installed.
  • Elasticsearch 1.5.0 or later is unpacked into a local directory. If you installed with APT or YUM, the default installation directory is /usr/share/elasticsearch.

To install Shield, follow these steps.

  1. Go to the Elasticsearch installation directory.

     cd /usr/share/elasticsearch

  2. Install the Elasticsearch license plug-in.

     bin/plugin -i elasticsearch/license/latest

  3. Install the Shield plug-in.

     bin/plugin -i elasticsearch/shield/latest

  4. Move or link the Shield configuration directory to /etc/elasticsearch/shield.

     ln -s /usr/share/elasticsearch/config/shield /etc/elasticsearch/shield

     Note: At startup, the Elasticsearch service looks for the Shield configuration in the /etc/elasticsearch/shield directory, but the Shield installer places it in /usr/share/elasticsearch/config/shield. Therefore, you have to move or link the configuration to the /etc/elasticsearch/shield directory.

  5. Restart the Elasticsearch service.

     service elasticsearch restart

  6. Create a new Elasticsearch administrator account and enter a password when prompted.

     bin/shield/esusers useradd es_admin -r admin

  7. From now on, RESTful API requests to Elasticsearch that carry no credentials are rejected.

     curl -XGET 'http://localhost:9200/'

     Only by adding the user name and password to the request can you access Elasticsearch.

     curl -u es_admin -XGET 'http://localhost:9200/'


Enable logging

The config folder of Elasticsearch contains two configuration files:

  • elasticsearch.yml: the basic configuration file.
  • logging.yml: the log configuration file. Elasticsearch uses log4j to record logs, so logging.yml follows the same conventions as a general log4j configuration file.

To enable logging, set the log path in the elasticsearch.yml configuration file:

    path.logs: /path/to/logs
    # the directory where log files are stored; the default is the logs folder under the Elasticsearch root directory
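The settings from the "Bind the visitor IP address", "Modify the default port", "Disable HTTP access", and "Enable logging" sections above, checked by an added example that is not part of the original notice: it reads the flat `key: value` lines of an Elasticsearch 1.x elasticsearch.yml (the assumption is that no nested YAML blocks are present), flags the exposure settings the notice asks you to change, and can write out a hardened copy. The sample configuration is constructed; the default values are those stated in the sections above.

```python
"""Audit an Elasticsearch 1.x elasticsearch.yml against the settings in this notice.

Added example, not part of the original notice. It reads the flat `key: value`
lines that elasticsearch.yml normally uses (assumption: no nested YAML blocks),
flags the exposure settings the Fix section asks you to change (network.host /
network.bind_host, http.enabled, http.port, transport.tcp.port, path.logs), and
can render a hardened copy. The sample configuration below is constructed.
"""
import ipaddress

# Constructed sample: listens on every interface with the stock ports.
SAMPLE_CONFIG = """\
cluster.name: demo
# network.host: 192.168.0.1   (commented out, so it does not apply)
network.host: 0.0.0.0
http.port: 9200
transport.tcp.port: 9300
http.enabled: true
"""

# Values Elasticsearch 1.x uses when the key is absent, as stated in the notice.
DEFAULTS = {
    "network.host": "0.0.0.0",
    "http.enabled": "true",
    "http.port": "9200",
    "transport.tcp.port": "9300",
}


def parse_flat_yaml(text):
    """Parse `key: value` lines into a dict; comments and blank lines are ignored."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop full-line and trailing comments
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)            # split at the first colon only,
        settings[key.strip()] = value.strip().strip("\"'")  # so IPv6 values survive
    return settings


def audit(settings):
    """Return (severity, setting, message) findings for the settings discussed above."""
    findings = []
    host = (settings.get("network.host")
            or settings.get("network.bind_host")
            or DEFAULTS["network.host"])
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        findings.append(("INFO", "network.host",
                         f"non-IP value {host!r}; confirm which interfaces it resolves to"))
    else:
        if addr.is_unspecified:
            findings.append(("HIGH", "network.host",
                             f"binds to every interface ({host}); restrict it to an internal address"))
        elif addr.is_global:
            findings.append(("HIGH", "network.host",
                             f"binds to a public address ({host}); port 9200 is reachable from the Internet"))
    if settings.get("http.enabled", DEFAULTS["http.enabled"]).lower() == "true":
        findings.append(("MEDIUM", "http.enabled",
                         "HTTP API enabled; disable it on nodes that do not serve clients"))
    for key in ("http.port", "transport.tcp.port"):
        if settings.get(key, DEFAULTS[key]) == DEFAULTS[key]:
            findings.append(("LOW", key, f"uses the default port {DEFAULTS[key]}"))
    if "path.logs" not in settings:
        findings.append(("LOW", "path.logs", "not set; logs go to the default logs folder"))
    return findings


def harden(settings, bind_ip, logs_path, disable_http=False):
    """Return a copy of the settings with the notice's recommended values applied."""
    hardened = dict(settings)
    hardened["network.host"] = bind_ip       # sets bind_host and publish_host together
    hardened.setdefault("path.logs", logs_path)
    if disable_http:
        hardened["http.enabled"] = "false"
    return hardened


def render(settings):
    """Serialize settings back into elasticsearch.yml form."""
    return "".join(f"{key}: {value}\n" for key, value in settings.items())


if __name__ == "__main__":
    current = parse_flat_yaml(SAMPLE_CONFIG)
    for severity, key, message in audit(current):
        print(f"[{severity}] {key}: {message}")
    print(render(harden(current, "192.168.0.1", "/var/log/elasticsearch")))
```

Run it against each node's config directory before exposing the node to any network; a node whose only finding is the MEDIUM `http.enabled` entry is one that still needs a firewall rule or Shield in front of port 9200, since binding to an internal address alone does not add authentication.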

Regularly update Elasticsearch

We recommend that you install the latest version of Elasticsearch from the start, and regularly patch the installed version.
