
CERT-Bund Reports:

Openly accessible Elasticsearch servers

Elasticsearch is a popular search engine based on Apache Lucene, often used with web applications.

Problem

If an Elasticsearch server is openly accessible from the Internet and not protected by any form of authentication, anyone who can connect to the server has unrestricted access to the data stored on it. This allows attackers to modify or delete any data or potentially steal sensitive information. In addition, prior to versions 1.2.x an attacker can use dynamic scripting to perform arbitrary code execution on the machine that Elasticsearch is hosted on.

Verification

In this section, we show how to check a host for an openly accessible service. All tests are performed using tools commonly included with standard Linux/Unix distributions. To verify the service is openly accessible from the Internet, the test should not be run on the host itself or the local network but instead from a different node on the Internet, for example a host on a cable/DSL line. In all examples, replace 192.168.45.67 with the IP address of the host to check.

To check if an Elasticsearch server is openly accessible from the Internet, you can use 'netcat' as follows:

$ printf "GET / HTTP/1.0\r\n\r\n" | netcat 192.168.45.67 9200

An openly accessible Elasticsearch server will return information like this:

{
  "status" : 200,
  "name" : "My Database",
  "cluster_name" : "My Cluster",
  "version" : {
    "number" : "1.7.5",
    "build_hash" : "00f95f4ffca6de89d68b7ccaf80d148f1f70e4d4",
    "build_timestamp" : "2016-02-02T09:55:30Z",
    "build_snapshot" : false,
    "lucene_version" : "4.10.4"
  },
  "tagline" : "You Know, for Search"
}

Otherwise, netcat will return an error message:

netcat: connect to 192.168.45.67 port 9200 (tcp) failed: Connection refused

or

netcat: connect to 192.168.45.67 port 9200 (tcp) failed: Connection timed out
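The following script automates the check described above and is an added example, not part of the CERT-Bund report. It sends the same bare GET request with netcat (assumed to be installed as `nc`, with `-w` for a connection timeout), classifies the reply as OPEN, CLOSED or UNREACHABLE, extracts the version number from an open server's reply, and flags versions below 1.2 that the report names as exposed to code execution via dynamic scripting. When run without arguments it classifies a constructed sample reply so it can be exercised offline; with a host (and optional port) argument it probes that host. The host 192.168.45.67 and port 9200 are the report's placeholder values.

```shell
#!/bin/sh
# Added example: probe for an openly reachable Elasticsearch HTTP endpoint and
# classify the answer. Not code from the CERT-Bund report.

# Constructed sample reply, modelled on the report's example output.
SAMPLE_REPLY='{
  "status" : 200,
  "name" : "My Database",
  "cluster_name" : "My Cluster",
  "version" : {
    "number" : "1.7.5",
    "lucene_version" : "4.10.4"
  },
  "tagline" : "You Know, for Search"
}'

# es_probe HOST PORT: send the same bare GET the report uses and print the reply.
# Assumes OpenBSD/GNU-style nc; -w 5 gives up after 5 seconds instead of hanging.
# stderr is merged so netcat's "Connection refused" / "timed out" text is captured.
es_probe() {
    printf 'GET / HTTP/1.0\r\n\r\n' | nc -w 5 "$1" "$2" 2>&1
}

# es_classify REPLY: OPEN if the reply looks like Elasticsearch's root document,
# CLOSED on a refused connection, UNREACHABLE on timeout or no data, else UNKNOWN.
es_classify() {
    case "$1" in
        *'"tagline"'*|*'"cluster_name"'*) echo OPEN ;;
        *"Connection refused"*)            echo CLOSED ;;
        *"timed out"*)                     echo UNREACHABLE ;;
        "")                                echo UNREACHABLE ;;
        *)                                 echo UNKNOWN ;;
    esac
}

# es_version REPLY: the "number" field of the version object, or "unknown".
es_version() {
    v=$(printf '%s\n' "$1" | sed -n 's/.*"number" *: *"\([^"]*\)".*/\1/p' | head -n 1)
    if [ -n "$v" ]; then echo "$v"; else echo unknown; fi
}

# es_pre_1_2 VERSION: "yes" if major.minor is below 1.2 (the releases the report
# describes as allowing arbitrary code execution through dynamic scripting),
# "no" otherwise, "unknown" if the version string is not numeric.
es_pre_1_2() {
    major=$(printf '%s' "$1" | cut -d. -f1)
    minor=$(printf '%s' "$1" | cut -d. -f2)
    case "$major" in ''|*[!0-9]*) echo unknown; return ;; esac
    case "$minor" in ''|*[!0-9]*) echo unknown; return ;; esac
    if [ "$major" -lt 1 ] || { [ "$major" -eq 1 ] && [ "$minor" -lt 2 ]; }; then
        echo yes
    else
        echo no
    fi
}

# With a host argument: live probe. Without: classify the constructed sample.
if [ "$#" -ge 1 ]; then
    reply=$(es_probe "$1" "${2:-9200}") || true
else
    reply="$SAMPLE_REPLY"
fi
state=$(es_classify "$reply")
version=$(es_version "$reply")
printf 'state=%s version=%s pre-1.2=%s\n' "$state" "$version" "$(es_pre_1_2 "$version")"
```

As the report says, run the probe from a node outside the local network; a CLOSED or UNREACHABLE result from inside the network proves nothing about Internet exposure. An OPEN result combined with `pre-1.2=yes` means both the data-exposure and the code-execution issue from the Problem section apply.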

Solution

  • Do not expose your Elasticsearch server to the Internet!
  • Restrict access to the Elasticsearch server to trusted systems (e.g., the web application server) in the server's configuration and/or by blocking incoming connections from the Internet to port 9200/tcp on the firewall.
  • Check the security best practices provided by the Elasticsearch developers.
  • Keep your Elasticsearch installation up-to-date. Install available security updates as soon as possible.
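The configuration side of the second recommendation, as an added example that is not from the CERT-Bund report: the `network.host` setting in elasticsearch.yml controls which address the HTTP interface binds to. The address 10.0.0.5 below is a constructed private-network address standing in for an interface that only the trusted application server can reach; use 127.0.0.1 when the web application runs on the same machine.

```yaml
# elasticsearch.yml (added example, not from the report)

# Bind only to an internal interface; never to 0.0.0.0 or a public address.
# 10.0.0.5 is a constructed private address; use 127.0.0.1 if the web
# application runs on this host.
network.host: 10.0.0.5

# Port the report tells you to block at the firewall for Internet sources.
http.port: 9200
```

Binding to an internal address and a firewall rule that drops Internet traffic to 9200/tcp are complementary: the bind address limits where the service listens, the firewall protects it if the configuration is later changed or a second node is added. Re-run the netcat check from outside after restarting the service to confirm the change took effect.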

Further information