Fix elasticsearch security issue #105

Open
aslagle opened this issue Mar 24, 2015 · 3 comments
Comments

@aslagle (Contributor) commented Mar 24, 2015

Dear AWS Customer,

Elasticsearch (http://www.elasticsearch.org/ ) is a popular open source search server. We were recently made aware of a potential security issue with this software. While this is not an issue with AWS, we wanted to notify our potentially affected customers so that they can take appropriate steps to address this potential risk in their environment.

The issue allows specially crafted scripts to escape the sandbox and execute shell commands as the user running the Elasticsearch Java VM. This issue affects versions 1.3.0-1.3.7 and 1.4.0-1.4.2; additional information can be located here: CVE-2015-1427 https://www.elastic.co/blog/elasticsearch-1-4-3-and-1-3-8-released

Attackers that take advantage of this insecure configuration can run arbitrary commands with the privileges of the Elasticsearch daemon. This issue poses the greatest risk when an Elasticsearch server is open to the entire Internet and is running on the default port, 9200/tcp.

The most effective way to avoid this issue is to ensure that your search servers cannot be reached by every host on the Internet. You can use EC2 Security Groups to restrict access to 9200/tcp to only those hosts which should be querying your search index - more information on EC2 Security Groups can be found here:
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html

In addition, if you are running one of the affected versions, you should update to 1.3.8, 1.4.3, or disable dynamic Groovy scripts. More about this can be found here: https://www.elastic.co/blog/elasticsearch-1-4-3-and-1-3-8-released

The following EC2 instances appear to have Security Groups that open 9200/tcp to all hosts on the Internet (0.0.0.0/0). If you are using Elasticsearch in production, we recommend that you audit your security groups and, if necessary, take appropriate steps to restrict access to your Elasticsearch servers.

Security Group ID   Region      Security Group Name   Instance ID
sg-29dbf84c         us-east-1   grid                  i-a73f6446
sg-29dbf84c         us-east-1   grid                  i-65e14294
sg-29dbf84c         us-east-1   grid                  i-f4e3b705

Sincerely,
The AWS Team

Amazon Web Services, Inc. is a subsidiary of Amazon.com, Inc. Amazon.com is a registered trademark of Amazon.com, Inc. This message was produced and distributed by Amazon Web Services Inc., 410 Terry Ave. North, Seattle, WA 98109-5210
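The notice above asks for two checks: whether a security group opens 9200/tcp to the whole Internet, and whether the running Elasticsearch is in one of the affected version ranges. The following script is an added example written for this issue, not code from AWS, Elastic or this project. It runs over constructed data shaped like the JSON that `aws ec2 describe-security-groups --output json` returns (only `sg-29dbf84c` / `grid` comes from the notice; the other group ids, names and CIDRs are made up), and the `grits_ip_placeholder` value in the remediation helper is a placeholder for the address of the host that should keep access.

```python
"""Audit helpers for the two risks in the AWS notice: an Elasticsearch port
exposed to 0.0.0.0/0 via an EC2 security group, and an affected ES version.
Added example; the sample data below is constructed, not from a real account.
"""
import json
from ipaddress import ip_network

ES_PORT = 9200

# Affected version ranges as stated in the notice (CVE-2015-1427).
AFFECTED_RANGES = [((1, 3, 0), (1, 3, 7)), ((1, 4, 0), (1, 4, 2))]


def parse_version(version):
    """'1.4.2' -> (1, 4, 2); non-numeric suffixes are not expected here."""
    return tuple(int(part) for part in version.split("."))


def is_affected_version(version):
    """True if the version falls inside one of the affected ranges."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def rule_exposes_port(perm, port=ES_PORT):
    """True if one IpPermissions entry allows `port` over TCP (or all traffic)
    from a CIDR covering the whole Internet (0.0.0.0/0 or ::/0)."""
    proto = perm.get("IpProtocol")
    if proto == "tcp":
        if not perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535):
            return False
    elif proto != "-1":          # udp / icmp / other: irrelevant to the ES HTTP port
        return False
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    # prefixlen 0 means "every address", which is what the notice warns about
    return any(ip_network(c, strict=False).prefixlen == 0 for c in cidrs)


def find_exposed_groups(groups, port=ES_PORT):
    """Return [(GroupId, GroupName)] for every group opening `port` to all hosts."""
    exposed = []
    for group in groups:
        if any(rule_exposes_port(p, port) for p in group.get("IpPermissions", [])):
            exposed.append((group["GroupId"], group["GroupName"]))
    return exposed


def remediation_commands(group_id, allowed_cidr, port=ES_PORT):
    """AWS CLI commands that replace the world-open rule with a single allowed
    source, which is the fix the notice recommends. `allowed_cidr` is the host
    (or range) that should still reach the index, e.g. a /32 for the grits box."""
    return [
        f"aws ec2 revoke-security-group-ingress --group-id {group_id} "
        f"--protocol tcp --port {port} --cidr 0.0.0.0/0",
        f"aws ec2 authorize-security-group-ingress --group-id {group_id} "
        f"--protocol tcp --port {port} --cidr {allowed_cidr}",
    ]


# Constructed sample, shaped like `describe-security-groups` output.
SAMPLE = json.loads("""
{"SecurityGroups": [
  {"GroupId": "sg-29dbf84c", "GroupName": "grid", "IpPermissions": [
     {"IpProtocol": "tcp", "FromPort": 9200, "ToPort": 9200,
      "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
  {"GroupId": "sg-0000aaaa", "GroupName": "grid-restricted", "IpPermissions": [
     {"IpProtocol": "tcp", "FromPort": 9200, "ToPort": 9200,
      "IpRanges": [{"CidrIp": "203.0.113.10/32"}], "Ipv6Ranges": []}]},
  {"GroupId": "sg-0000bbbb", "GroupName": "all-traffic", "IpPermissions": [
     {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
  {"GroupId": "sg-0000cccc", "GroupName": "ssh-only", "IpPermissions": [
     {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
      "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
  {"GroupId": "sg-0000dddd", "GroupName": "ipv6-open", "IpPermissions": [
     {"IpProtocol": "tcp", "FromPort": 9000, "ToPort": 9300,
      "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]}
]}
""")

if __name__ == "__main__":
    grits_ip_placeholder = "203.0.113.10/32"   # placeholder for the grits host
    for gid, name in find_exposed_groups(SAMPLE["SecurityGroups"]):
        print(f"{gid} ({name}) opens {ES_PORT}/tcp to the Internet")
        print("\n".join(remediation_commands(gid, grits_ip_placeholder)))
    for ver in ("1.3.7", "1.3.8", "1.4.2", "1.4.3"):
        print(ver, "affected" if is_affected_version(ver) else "ok")
```

Port-based restriction is the control the notice puts first; closing the group does not by itself remove the script-execution bug, so upgrading to 1.3.8 / 1.4.3 (or disabling dynamic Groovy scripts per the linked release post) is still needed on any instance whose version the check flags.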

@nathanathan (Contributor) commented

I'm looking into updating elasticsearch. There is no version of the mongo river plug-in that corresponds to the patched versions of ES but perhaps the plug-in is forwards compatible.

However, the elasticsearch port should not be open. Unless we've done some configuration to disable it, anyone can add/remove items from the index. Is there a reason the port is open on eidr.ecohealth.io?

@aslagle (Contributor, Author) commented May 26, 2015

It's open because it's used by grits. Maybe we should configure it in AWS to only be open to grits' IP.

@aslagle (Contributor, Author) commented May 26, 2015

I forgot we had a separate search API - maybe we just had it open for testing.
