Dear AtoM and Archivematica users:
It has come to our attention that there is a security issue with the Elasticsearch index. A description of the security issue is here:
http://bouk.co/blog/elasticsearch-rce/
This is only a concern for those running an Elasticsearch index on a public server, meaning it is much more likely to affect AtoM servers than Archivematica. ICA-AtoM installations are not affected, as ICA-AtoM does not use Elasticsearch.
A fairly quick fix is to block port 9200 on all Archivematica and AtoM machines from all public IPs, allowing port 9200 from localhost only (or, in the case of an AtoM install where Elasticsearch is running on a separate machine, it may be necessary to also allow access from the AtoM front-end server). This can be done by running ufw on Ubuntu (https://help.ubuntu.com/community/UFW) and blocking port 9200.
There are a couple of changes to the Elasticsearch configuration that are also recommended, to help increase security further:
discovery.zen.ping.multicast.enabled: false
script.disable_dynamic: true
Both of those go into the /etc/elasticsearch/elasticsearch.yml file (note the space after the colon, which YAML requires); then run /etc/init.d/elasticsearch restart.
The first parameter stops Elasticsearch from advertising its existence. The default behaviour in Elasticsearch is to allow new nodes to automatically join a cluster, which is intended for use in private VLANs only. When the machine running Elasticsearch has a public IP, it is possible for attackers to scan IPs and do simple HTTP GETs to port 9200, looking for Elasticsearch instances.
They then exploit a feature in Elasticsearch that allows arbitrary Java code to be executed by the server. The second parameter above disables that feature. This parameter is not understood by all versions of Elasticsearch, so blocking port 9200 on public interfaces is the best step to prevent future exploits.
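As an added helper (not part of this message, nor of AtoM or Archivematica), the following shell functions print the ufw rules described above and check an elasticsearch.yml for the two recommended settings. The front-end host address and the config path are assumptions; adjust them for your installation.

```shell
#!/bin/sh
# Constructed helper for the Elasticsearch hardening steps in the message above.
# It does not run ufw itself: it prints the rules so they can be reviewed,
# then applied with:  es_ufw_rules [FRONTEND_IP] | sh

ES_CONF="${ES_CONF:-/etc/elasticsearch/elasticsearch.yml}"   # assumed default path

# Print ufw rules that restrict port 9200 to localhost, plus an optional
# AtoM front-end host given as the first argument (only needed when
# Elasticsearch runs on a separate machine from the AtoM web server).
es_ufw_rules() {
    frontend="$1"
    # ufw already permits loopback traffic by default; this allow is explicit.
    echo "ufw allow from 127.0.0.1 to any port 9200 proto tcp"
    if [ -n "$frontend" ]; then
        echo "ufw allow from $frontend to any port 9200 proto tcp"
    fi
    # ufw matches rules in order, so the public deny must come last.
    echo "ufw deny 9200/tcp"
}

# Check a config file for both hardening keys (key, colon, space, value).
# Prints one MISSING line per absent setting; returns 0 only when both are set.
es_check_conf() {
    conf="${1:-$ES_CONF}"
    rc=0
    if ! grep -Eq '^[[:space:]]*discovery\.zen\.ping\.multicast\.enabled:[[:space:]]+false[[:space:]]*$' "$conf"; then
        echo "MISSING: discovery.zen.ping.multicast.enabled: false"
        rc=1
    fi
    if ! grep -Eq '^[[:space:]]*script\.disable_dynamic:[[:space:]]+true[[:space:]]*$' "$conf"; then
        echo "MISSING: script.disable_dynamic: true"
        rc=1
    fi
    return $rc
}
```

After restarting Elasticsearch, run `es_check_conf` against the live config and confirm from an outside host that port 9200 no longer answers.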
If you are on this list but are not the system administrator for your instance of AtoM or Archivematica, please forward this message to the appropriate person in your organization.
If anyone in our community has questions or concerns about these issues, please do not hesitate to post to the list and we will do our best to respond in a timely manner.
Cheers,