Insecure ElasticSearch Configuration


Lars Kiesow

Aug 27, 2015, 6:15:50 PM8/27/15
to security...@opencast.org
Hello,
this is the official security notice regarding a minor security issue
recently discovered in Opencast 2.

Description:

This issue allows unauthorized access to the built-in ElasticSearch.


Affects:

This issue affects all set-ups of Opencast >= 2.0. It will only
affect you if ports 9200/tcp and 9300/tcp are accessible from
remote machines (e.g. no firewall).


Details:

ElasticSearch by default binds itself to TCP port 9200 and TCP port
9300 on all interfaces, accepting connections from any hosts without
requiring any kind of authentication.


Patching the system:

If ElasticSearch is run as part of Opencast, only the admin server
needs access to ElasticSearch. That is why you can safely limit the
connections ElasticSearch accepts to the local machine.

To do that, edit `etc/index/adminui/settings.yml` and set

network.host: 127.0.0.1

Make sure to uncomment that line!
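A small verification script for the fix above, added here as an example (it is not part of the original notice or of Opencast): it checks whether `network.host` in `settings.yml` is really uncommented and set to a loopback address, and parses `ss -ltn` output for 9200/9300 bound to a non-loopback address. The settings and socket listings below are constructed sample input.

```python
import re

# Added example, not Opencast code. Treats a commented-out network.host
# line as "not set" (the insecure bind-to-all-interfaces default).
LOOPBACK = {"127.0.0.1", "::1", "localhost", "_local_"}
ES_PORTS = {9200, 9300}

# Constructed sample: the line is still commented out, so the fix is NOT applied.
SAMPLE_SETTINGS_COMMENTED = "cluster.name: opencast\n# network.host: 127.0.0.1\n"
# Constructed sample: the line is uncommented as the notice requires.
SAMPLE_SETTINGS_FIXED = "cluster.name: opencast\nnetwork.host: 127.0.0.1\n"

# Constructed sample of `ss -ltn` output: 9200 is exposed, 9300 is local only.
SAMPLE_SS = """State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:9200       0.0.0.0:*
LISTEN 0      128    127.0.0.1:9300     0.0.0.0:*
LISTEN 0      128    [::]:22            [::]:*
"""


def effective_network_host(settings_yml):
    """Return the value of the last uncommented 'network.host' line, or None."""
    value = None
    for line in settings_yml.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # a commented-out setting has no effect
        m = re.match(r"network\.host\s*:\s*(.+?)\s*$", stripped)
        if m:
            value = m.group(1).strip("\"'")
    return value


def binds_loopback_only(settings_yml):
    """True only if network.host is set (uncommented) to a loopback address."""
    host = effective_network_host(settings_yml)
    return host is not None and host in LOOPBACK


def exposed_es_sockets(ss_output):
    """Return (addr, port) pairs where an ES port listens on a non-loopback address."""
    exposed = []
    for line in ss_output.splitlines()[1:]:  # skip the header line
        cols = line.split()
        if len(cols) < 4:
            continue
        addr, _, port = cols[3].rpartition(":")  # handles [::]:9200 as well
        if port.isdigit() and int(port) in ES_PORTS and addr.strip("[]") not in LOOPBACK:
            exposed.append((addr, int(port)))
    return exposed
```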