Hi,
I am wondering if an Elasticsearch server with search guard ssl installed is vulnerable to information disclosure issue ?
From the above link that i shared, i understand that x-pack is vulnerable to this security issue as it stores secrets. What about SearchGuardSSL (search guard or other modules are not installed) ? Does SearchguardSSl stores secrets as dynamic cluster settings, If yes, what are those and what is the remediation ?
Here are the details of setup
- SearchGuardSSL and Elasticsearch version : 5.6.9.
- No other enterprise modules installed
- JVM Version and operaing System : Java 7/8 and Windows/Linux