Vulnerability description:
Elasticsearch ships without authentication or access control on the data it stores unless the Shield plug-in is installed; anyone who can reach the HTTP port can exfiltrate all of it with a single curl command. Out-of-date versions of Elasticsearch also have known remote code execution vulnerabilities which may lead to compromise of the server itself (for example CVE-2015-4165 [2]).
To manually test whether a system is exposed, browse to the following URL with your favourite web browser (a listing of indices without a password prompt means the data is reachable by anyone who can reach the port):
- http://[IP of server in question]:9200/_cat/indices?v
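The same manual check, scripted, as an added example that is not part of the AusCERT advisory. It probes a host with curl, classifies the HTTP status (an open instance answers 200, a Shield-protected one answers 401) and, when the listing comes back, reduces the `_cat/indices?v` table to index name, document count and size so the scale of the exposure is obvious. The host, port and timeout are parameters; curl and awk are assumed to be installed.

```shell
#!/bin/sh
# Added example (not from the AusCERT advisory): probe a host for an
# unauthenticated Elasticsearch HTTP endpoint and summarise what it exposes.
# Assumes curl and awk are available.

# Map the HTTP status curl returned for /_cat/indices?v to a verdict.
# Prints one of: OPEN, AUTH_REQUIRED, FORBIDDEN, UNREACHABLE, OTHER:<code>
es_classify_status() {
    case "$1" in
        200)    echo OPEN ;;
        401)    echo AUTH_REQUIRED ;;   # Shield or a reverse proxy asked for credentials
        403)    echo FORBIDDEN ;;
        000|"") echo UNREACHABLE ;;     # refused, timed out or filtered
        *)      echo "OTHER:$1" ;;
    esac
}

# Reduce _cat/indices?v output (header line, then one row per index) to
# "<index> <docs.count> <store.size>" lines, reading from stdin.
# Column positions are taken from the header, so both the older layout
# (no uuid column) and the newer one parse. Exits 2 if the header lacks
# the columns we need, i.e. this was not a _cat/indices listing.
es_parse_indices() {
    awk 'NR == 1 {
             for (i = 1; i <= NF; i++) col[$i] = i
             ix = col["index"]; dc = col["docs.count"]; ss = col["store.size"]
             if (!ix || !dc) exit 2
             next
         }
         NF > 0 { print $ix, $dc, (ss ? $ss : "?") }'
}

# Probe one host. Usage: es_probe <host> [port] [timeout-seconds]
es_probe() {
    host=$1; port=${2:-9200}; timeout=${3:-5}
    body=$(mktemp)
    code=$(curl -s -o "$body" -w '%{http_code}' --max-time "$timeout" \
               "http://$host:$port/_cat/indices?v")
    verdict=$(es_classify_status "$code")
    echo "$host:$port $verdict"
    if [ "$verdict" = OPEN ]; then
        echo "  exposed indices (name docs.count store.size):"
        es_parse_indices < "$body" | sed 's/^/    /'
    fi
    rm -f "$body"
}

# Only probe when a host argument is given, so the file can also be
# sourced for its functions.
if [ $# -ge 1 ]; then
    es_probe "$@"
fi
```

Run it as `sh es_probe.sh 203.0.113.10` (a documentation address, substitute the host in question). A verdict of OPEN with a non-empty listing is the finding the advisory describes; AUTH_REQUIRED means some authentication layer is in front of the API, which is still worth confirming is Shield or a proxy and not a misconfigured client.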
AusCERT recommended mitigation(s):
If the service is not required, simply turn it off. If it is required, restrict it at the network layer so that the Elasticsearch ports accept connections only from the IP addresses that need them (whitelisting). Authentication and authorisation can additionally be added in front of the data with Elastic's Shield plug-in [3]. Upgrade out-of-date installations as well: network restrictions limit who can reach the service but do not remove the code execution flaws present in old versions.
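One way to implement the network whitelisting above, as an added example (not from the advisory): a small script that emits iptables rules allowing only the named client networks to reach Elasticsearch's HTTP port (9200) and node transport port (9300), with loopback kept open for local administration and everything else dropped. It prints the rules by default and only applies them when run with `--apply` as root. The client networks are parameters; the addresses used in the usage line are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the AusCERT advisory): restrict Elasticsearch to a
# whitelist of client networks with iptables. Prints the rules; pass --apply
# to execute them (requires root). Assumes iptables is the host firewall.

ES_PORTS=${ES_PORTS:-"9200 9300"}   # 9200 = HTTP API, 9300 = node-to-node transport

# es_whitelist_rules <cidr>...  -> one iptables command per line, in the
# order they must be appended: accepts first, the catch-all DROP last.
es_whitelist_rules() {
    for port in $ES_PORTS; do
        for cidr in "$@"; do
            echo "iptables -A INPUT -p tcp --dport $port -s $cidr -j ACCEPT"
        done
        # local tooling on the node itself (curl against 127.0.0.1) keeps working
        echo "iptables -A INPUT -p tcp --dport $port -i lo -j ACCEPT"
        # DROP rather than REJECT so scanners see a filtered port, not a closed one
        echo "iptables -A INPUT -p tcp --dport $port -j DROP"
    done
}

# Apply the generated rules; `sh -e` stops at the first iptables failure so
# a typo in a CIDR cannot leave the port half-protected with no DROP rule.
es_apply_whitelist() {
    es_whitelist_rules "$@" | sh -e
}

case "$1" in
    --apply) shift; es_apply_whitelist "$@" ;;
    "")      ;;                          # no arguments: define functions only
    *)       es_whitelist_rules "$@" ;;
esac
```

Usage: `sh es_whitelist.sh 10.0.1.0/24 192.0.2.7` to review the rules, then `sudo sh es_whitelist.sh --apply 10.0.1.0/24 192.0.2.7` to install them (and persist them with your distribution's iptables-save mechanism). Ordering matters because iptables evaluates rules top to bottom: the ACCEPT rules for whitelisted sources must precede the DROP. If the service only needs to serve processes on the same machine, setting `network.host: 127.0.0.1` in elasticsearch.yml takes it off the network entirely and makes the firewall rules a second layer rather than the only one.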
References:
[1] https://www.elastic.co/products/elasticsearch